272a4744d9ce5815c21791cbf1a108773c3df81acf8adba5f033bd6308f42181

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
Size

447KB
MD5

68054e80e8a0b0c5be8a4dbc436516d0
SHA1

486b5204fbcef0a30f3b7a3bb31d8094fde6f10f
SHA256

272a4744d9ce5815c21791cbf1a108773c3df81acf8adba5f033bd6308f42181
SHA512

12c44e75b0b11a05fe03088562a9a08cdf2ece12a096135e2315001bb80552cc8750ec1e470be0e8ea6a119d192e0e83db9b73d61a69afdf2cbf22cb222c7f0b
SSDEEP

768:CpQNwC3BESe4Vqth+0V5vKPyLylze70wi3BEm1:CeT7BVwxfvLFwjR1

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
280	backup.exe
1708	backup.exe
1168	backup.exe
2704	backup.exe
2224	backup.exe
2364	backup.exe
2744	backup.exe
2640	backup.exe
2572	backup.exe
1684	backup.exe
2520	backup.exe
756	backup.exe
1640	backup.exe
2016	backup.exe
1512	backup.exe
2360	backup.exe
1824	update.exe
2776	data.exe
1380	backup.exe
908	backup.exe
2424	backup.exe
2220	backup.exe
1516	backup.exe
1332	update.exe
2240	backup.exe
2496	backup.exe
1724	backup.exe
2088	backup.exe
1948	backup.exe
2716	backup.exe
2836	backup.exe
2856	backup.exe
2584	backup.exe
2800	backup.exe
2576	backup.exe
2628	backup.exe
2888	backup.exe
1752	backup.exe
1652	backup.exe
1736	backup.exe
1864	backup.exe
576	backup.exe
772	backup.exe
572	backup.exe
1596	backup.exe
1728	backup.exe
1572	backup.exe
1732	backup.exe
1524	backup.exe
2340	backup.exe
544	backup.exe
1148	backup.exe
112	backup.exe
1676	backup.exe
1656	System Restore.exe
1560	System Restore.exe
2524	backup.exe
1696	backup.exe
1068	backup.exe
1660	backup.exe
628	backup.exe
1760	backup.exe
1308	backup.exe
1944	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
2640	backup.exe
2640	backup.exe
2572	backup.exe
2572	backup.exe
2640	backup.exe
2640	backup.exe
2520	backup.exe
2520	backup.exe
756	backup.exe
756	backup.exe
2520	backup.exe
2520	backup.exe
2016	backup.exe
2016	backup.exe
1512	backup.exe
1512	backup.exe
1512	backup.exe
1824	update.exe
1824	update.exe
1824	update.exe
1824	update.exe
1824	update.exe
2776	data.exe
2776	data.exe
2776	data.exe
1824	update.exe
1824	update.exe
1380	backup.exe
1380	backup.exe
1380	backup.exe
1824	update.exe
1824	update.exe
908	backup.exe
908	backup.exe
908	backup.exe
1824	update.exe
1824	update.exe
2424	backup.exe
2424	backup.exe
2424	backup.exe
2640	backup.exe
2640	backup.exe
1824	update.exe
2220	backup.exe
1824	update.exe
1516	backup.exe
1516	backup.exe
1516	backup.exe
1332	update.exe
1332	update.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1956-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000014f1a-5.dat	upx
behavioral1/files/0x0008000000014f1a-9.dat	upx
behavioral1/files/0x0008000000014f1a-12.dat	upx
behavioral1/files/0x0008000000014f1a-7.dat	upx
behavioral1/memory/280-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015611-17.dat	upx
behavioral1/files/0x0008000000015611-19.dat	upx
behavioral1/files/0x0008000000015611-23.dat	upx
behavioral1/memory/1708-29-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015c14-27.dat	upx
behavioral1/files/0x0007000000015c14-30.dat	upx
behavioral1/files/0x0007000000015c14-34.dat	upx
behavioral1/files/0x000800000001565c-45.dat	upx
behavioral1/files/0x000800000001565c-41.dat	upx
behavioral1/memory/1956-40-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000800000001565c-38.dat	upx
behavioral1/files/0x0009000000015c4d-53.dat	upx
behavioral1/memory/2704-50-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0009000000015c4d-51.dat	upx
behavioral1/memory/1956-59-0x0000000000280000-0x000000000029C000-memory.dmp	upx
behavioral1/memory/280-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2224-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0009000000015c4d-57.dat	upx
behavioral1/memory/2224-72-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015c95-71.dat	upx
behavioral1/files/0x0006000000015c95-67.dat	upx
behavioral1/files/0x0006000000015c95-65.dat	upx
behavioral1/memory/2364-76-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015ca2-77.dat	upx
behavioral1/files/0x0006000000015ca2-79.dat	upx
behavioral1/files/0x0008000000014f1a-86.dat	upx
behavioral1/memory/1168-85-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015ca2-84.dat	upx
behavioral1/files/0x000b000000015011-94.dat	upx
behavioral1/memory/2744-98-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015ce0-103.dat	upx
behavioral1/files/0x000b000000015011-101.dat	upx
behavioral1/files/0x0006000000015ce0-105.dat	upx
behavioral1/files/0x0006000000015ce0-109.dat	upx
behavioral1/files/0x0006000000015ce0-112.dat	upx
behavioral1/files/0x0006000000015dcb-114.dat	upx
behavioral1/files/0x0006000000015dcb-121.dat	upx
behavioral1/files/0x0006000000015dcb-116.dat	upx
behavioral1/files/0x0006000000015e41-125.dat	upx
behavioral1/files/0x0006000000015e41-128.dat	upx
behavioral1/files/0x0006000000015e41-134.dat	upx
behavioral1/memory/1684-133-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2572-132-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015e41-139.dat	upx
behavioral1/files/0x0007000000015e0c-141.dat	upx
behavioral1/files/0x0007000000015e0c-148.dat	upx
behavioral1/memory/2640-147-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015e0c-143.dat	upx
behavioral1/memory/756-157-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015e0c-165.dat	upx
behavioral1/files/0x0008000000015cad-167.dat	upx
behavioral1/files/0x0008000000015cad-174.dat	upx
behavioral1/files/0x0008000000015cad-169.dat	upx
behavioral1/files/0x000700000001605c-186.dat	upx
behavioral1/memory/756-185-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000700000001605c-181.dat	upx
behavioral1/memory/1640-179-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000700000001605c-178.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	update.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe	update.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Defender\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Journal\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
280	backup.exe
1708	backup.exe
1168	backup.exe
2704	backup.exe
2224	backup.exe
2364	backup.exe
2744	backup.exe
2640	backup.exe
2572	backup.exe
1684	backup.exe
2520	backup.exe
756	backup.exe
1640	backup.exe
2016	backup.exe
1512	backup.exe
2360	backup.exe
1824	update.exe
2776	data.exe
1380	backup.exe
908	backup.exe
2424	backup.exe
2220	backup.exe
1516	backup.exe
1332	update.exe
2240	backup.exe
1724	backup.exe
2496	backup.exe
1948	backup.exe
2088	backup.exe
2716	backup.exe
2856	backup.exe
2836	backup.exe
2584	backup.exe
2800	backup.exe
2576	backup.exe
2628	backup.exe
2888	backup.exe
1752	backup.exe
1652	backup.exe
1736	backup.exe
1864	backup.exe
576	backup.exe
1596	backup.exe
772	backup.exe
572	backup.exe
1572	backup.exe
1732	backup.exe
1728	backup.exe
1524	backup.exe
544	backup.exe
2340	backup.exe
1148	backup.exe
1676	backup.exe
112	backup.exe
1656	System Restore.exe
1560	System Restore.exe
628	backup.exe
2524	backup.exe
1696	backup.exe
1068	backup.exe
2956	backup.exe
1308	backup.exe
1660	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 280	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	28
PID 1956 wrote to memory of 280	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	28
PID 1956 wrote to memory of 280	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	28
PID 1956 wrote to memory of 280	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	28
PID 1956 wrote to memory of 1708	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	29
PID 1956 wrote to memory of 1708	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	29
PID 1956 wrote to memory of 1708	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	29
PID 1956 wrote to memory of 1708	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	29
PID 1956 wrote to memory of 1168	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	30
PID 1956 wrote to memory of 1168	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	30
PID 1956 wrote to memory of 1168	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	30
PID 1956 wrote to memory of 1168	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	30
PID 1956 wrote to memory of 2704	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	31
PID 1956 wrote to memory of 2704	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	31
PID 1956 wrote to memory of 2704	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	31
PID 1956 wrote to memory of 2704	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	31
PID 1956 wrote to memory of 2224	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	32
PID 1956 wrote to memory of 2224	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	32
PID 1956 wrote to memory of 2224	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	32
PID 1956 wrote to memory of 2224	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	32
PID 1956 wrote to memory of 2364	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	33
PID 1956 wrote to memory of 2364	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	33
PID 1956 wrote to memory of 2364	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	33
PID 1956 wrote to memory of 2364	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	33
PID 1956 wrote to memory of 2744	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	34
PID 1956 wrote to memory of 2744	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	34
PID 1956 wrote to memory of 2744	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	34
PID 1956 wrote to memory of 2744	1956	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe	34
PID 280 wrote to memory of 2640	280	backup.exe	35
PID 280 wrote to memory of 2640	280	backup.exe	35
PID 280 wrote to memory of 2640	280	backup.exe	35
PID 280 wrote to memory of 2640	280	backup.exe	35
PID 2640 wrote to memory of 2572	2640	backup.exe	36
PID 2640 wrote to memory of 2572	2640	backup.exe	36
PID 2640 wrote to memory of 2572	2640	backup.exe	36
PID 2640 wrote to memory of 2572	2640	backup.exe	36
PID 2572 wrote to memory of 1684	2572	backup.exe	37
PID 2572 wrote to memory of 1684	2572	backup.exe	37
PID 2572 wrote to memory of 1684	2572	backup.exe	37
PID 2572 wrote to memory of 1684	2572	backup.exe	37
PID 2640 wrote to memory of 2520	2640	backup.exe	38
PID 2640 wrote to memory of 2520	2640	backup.exe	38
PID 2640 wrote to memory of 2520	2640	backup.exe	38
PID 2640 wrote to memory of 2520	2640	backup.exe	38
PID 2520 wrote to memory of 756	2520	backup.exe	39
PID 2520 wrote to memory of 756	2520	backup.exe	39
PID 2520 wrote to memory of 756	2520	backup.exe	39
PID 2520 wrote to memory of 756	2520	backup.exe	39
PID 756 wrote to memory of 1640	756	backup.exe	40
PID 756 wrote to memory of 1640	756	backup.exe	40
PID 756 wrote to memory of 1640	756	backup.exe	40
PID 756 wrote to memory of 1640	756	backup.exe	40
PID 2520 wrote to memory of 2016	2520	backup.exe	41
PID 2520 wrote to memory of 2016	2520	backup.exe	41
PID 2520 wrote to memory of 2016	2520	backup.exe	41
PID 2520 wrote to memory of 2016	2520	backup.exe	41
PID 2016 wrote to memory of 1512	2016	backup.exe	42
PID 2016 wrote to memory of 1512	2016	backup.exe	42
PID 2016 wrote to memory of 1512	2016	backup.exe	42
PID 2016 wrote to memory of 1512	2016	backup.exe	42
PID 1512 wrote to memory of 2360	1512	backup.exe	43
PID 1512 wrote to memory of 2360	1512	backup.exe	43
PID 1512 wrote to memory of 2360	1512	backup.exe	43
PID 1512 wrote to memory of 2360	1512	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.68054e80e8a0b0c5be8a4dbc436516d0_JC.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1956
- C:\Users\Admin\AppData\Local\Temp\2702952396\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2702952396\backup.exe C:\Users\Admin\AppData\Local\Temp\2702952396\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:280
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2572
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1684
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:756
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1640
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2016
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2424
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1864
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:628
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:1892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:2528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:2204
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:2548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:2432
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1248
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2856
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2628
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:772
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:544
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:2716
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1148
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2732
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2876
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:940
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2488
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2976
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2784
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2524
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        System policy modification
        
        PID:2180
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:2904
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:908
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2052
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:536
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2848
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1060
        
        C:\Program Files\Common Files\System\es-ES\data.exe
        
        "C:\Program Files\Common Files\System\es-ES\data.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:2036
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1492
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2560
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2988
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1608
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1952
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2240
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1724
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2716
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2576
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1652
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:572
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1760
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:2256
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1524
      - C:\Program Files\Google\Chrome\System Restore.exe
        
        "C:\Program Files\Google\Chrome\System Restore.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:2780
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2012
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2188
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1680
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1288
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2500
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2992
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2420
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1720
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:2800
    - - C:\Program Files\Windows Journal\backup.exe
        
        "C:\Program Files\Windows Journal\backup.exe" C:\Program Files\Windows Journal\
        5⤵
        
        PID:2492
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2220
    - - C:\Program Files (x86)\Adobe\update.exe
        
        "C:\Program Files (x86)\Adobe\update.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1332
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1676
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1308
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:2748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:756
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1380
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1704
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2864
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1488
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1572
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:112
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1660
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:2688
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2360
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:2808
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1764
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1928
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2832
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:792
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2776
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2948
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1752
    - - C:\Program Files (x86)\Microsoft Analysis Services\data.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\data.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1868
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1800
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2576
    - - C:\Program Files (x86)\Microsoft Sync Framework\data.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\data.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1528
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1700
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2620
    - - C:\Program Files (x86)\Microsoft.NET\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft.NET\System Restore.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:2676
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:2032
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1728
    - - C:\Users\Admin\System Restore.exe
        
        "C:\Users\Admin\System Restore.exe" C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1560
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Executes dropped EXE
        
        PID:1944
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:2744
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:772
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:2072
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2700
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1536
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1116
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2564
      - C:\Users\Admin\Saved Games\update.exe
        
        "C:\Users\Admin\Saved Games\update.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:1524
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2940
      - C:\Users\Admin\Videos\data.exe
        
        C:\Users\Admin\Videos\data.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:2968
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2708
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2668
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2364
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
447KB

MD5
1913dedabb6e5280563239efb515cd89

SHA1
11c982325e868fffb71fca3ebee8595a11aad3cd

SHA256
a8e2da15c62d61fa4f715a92f4b4a47a94f7eedf838102878ff908a90f110de4

SHA512
eb87f23b3050b63283f1c71aafbf42eef461f7b1e972aa63f5dc4912be538fe51354c817c5b6f948d4ce6e28cb307139199973ef005158bada5f860a1d783aa2

Download Submit
C:\PerfLogs\backup.exe

Filesize
447KB

MD5
d8c2bb5c4c240c4058d15f6587f712bd

SHA1
e998b515d2cba602b8475a464e957882bb2fed16

SHA256
35b9262d6167e5758e017ac645fb1fd330cc637959448e68b68450a8000d1761

SHA512
a82385a9f04dda5da2f3b3280c4770261fb16c11bed01c7c3e7bd623bea5ee8e6fec85dbcff37fa0e142e617fc54a71ca95a9a85699f3b65de16e1b528207b8d

Download Submit
C:\PerfLogs\backup.exe

Filesize
447KB

MD5
d8c2bb5c4c240c4058d15f6587f712bd

SHA1
e998b515d2cba602b8475a464e957882bb2fed16

SHA256
35b9262d6167e5758e017ac645fb1fd330cc637959448e68b68450a8000d1761

SHA512
a82385a9f04dda5da2f3b3280c4770261fb16c11bed01c7c3e7bd623bea5ee8e6fec85dbcff37fa0e142e617fc54a71ca95a9a85699f3b65de16e1b528207b8d

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
447KB

MD5
81e3191f529aae35ba7a99c10bb45d15

SHA1
c349c9b78eadd6339f43cffabb9f906815f1d4a2

SHA256
e3870f0b2041928d9e0b16da34c92df1b1a87a3dbd44c369f13e5e2b21d06a34

SHA512
a15aeda51b1a797a15c164da2dbb4f73bc658e00ef07438346b01f810e8e3aa20aed09bed04b3de0875107d255263788fc36078251814c164dbc170ad5b643d4

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
447KB

MD5
ff2069fe81fe8e5bbbc49b8214720f51

SHA1
a1186730384f31aad9d5e809b548bf0041568f44

SHA256
247414284c0d482b05cad712db6d3220044008bdbdab3dccc96a0b84aa9f9e41

SHA512
c7012ed8419d9b5a28f749bc5aa7c209bf5972eab037044025e2a537b8472337018a5db9411329ff609d75178d20f31112cc95bdc72cf36aca76c1afb0c23f7d

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
447KB

MD5
ff2069fe81fe8e5bbbc49b8214720f51

SHA1
a1186730384f31aad9d5e809b548bf0041568f44

SHA256
247414284c0d482b05cad712db6d3220044008bdbdab3dccc96a0b84aa9f9e41

SHA512
c7012ed8419d9b5a28f749bc5aa7c209bf5972eab037044025e2a537b8472337018a5db9411329ff609d75178d20f31112cc95bdc72cf36aca76c1afb0c23f7d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
447KB

MD5
646e1755fbd936f504301c76589d0bc9

SHA1
e3c70b6bd7223bedca56b46cb2cec60d0355475f

SHA256
acf63c57ef7a3a5a2ae15a71dcffe153edc0a51df608aa10a54ae85526fdfd03

SHA512
8737c9baf3b37c5fbfe87474db15a9e9883a9e8eb9baa700bb6458bc23e3b95f25bdbcd1000aa0404bbeeafe4ea7a5d04011ac7208e576d366191cb041aec8e8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
447KB

MD5
81e3191f529aae35ba7a99c10bb45d15

SHA1
c349c9b78eadd6339f43cffabb9f906815f1d4a2

SHA256
e3870f0b2041928d9e0b16da34c92df1b1a87a3dbd44c369f13e5e2b21d06a34

SHA512
a15aeda51b1a797a15c164da2dbb4f73bc658e00ef07438346b01f810e8e3aa20aed09bed04b3de0875107d255263788fc36078251814c164dbc170ad5b643d4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
447KB

MD5
81e3191f529aae35ba7a99c10bb45d15

SHA1
c349c9b78eadd6339f43cffabb9f906815f1d4a2

SHA256
e3870f0b2041928d9e0b16da34c92df1b1a87a3dbd44c369f13e5e2b21d06a34

SHA512
a15aeda51b1a797a15c164da2dbb4f73bc658e00ef07438346b01f810e8e3aa20aed09bed04b3de0875107d255263788fc36078251814c164dbc170ad5b643d4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
447KB

MD5
3e09218adc271d5a26460812cde3a310

SHA1
3d214f8cf43324c55c4349cb6101c3033dad002b

SHA256
20b2ceb1a1666720552d518edf37c6e4a9ac78796743e565df3971e1db897cdd

SHA512
f8c30c29375fa8f0a73defcec1f555023ae20428d882147c2ef2abf8f41de635b986be2ee6ec98ffa505673e494ced98a6f43eb1f787609b30c1f6bc5dad09b2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
447KB

MD5
3e09218adc271d5a26460812cde3a310

SHA1
3d214f8cf43324c55c4349cb6101c3033dad002b

SHA256
20b2ceb1a1666720552d518edf37c6e4a9ac78796743e565df3971e1db897cdd

SHA512
f8c30c29375fa8f0a73defcec1f555023ae20428d882147c2ef2abf8f41de635b986be2ee6ec98ffa505673e494ced98a6f43eb1f787609b30c1f6bc5dad09b2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\update.exe

Filesize
447KB

MD5
971efbe5cab1fc7852a0faff52c67625

SHA1
a95b13afa86661b7aad4a20b8f436da8b2f95264

SHA256
9ed19efe2f784f80e231d4699d422b1247347552b4221bba54c5b3e2017a887c

SHA512
07c03306cbc67f72454d13c552c49594c69789225fa7e70f0266363bcb6dc307d0378c7acf75b640f82edfecb3dbfc8e16e9956d378f72b4fcef5e5e45e6eea6

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\update.exe

Filesize
447KB

MD5
971efbe5cab1fc7852a0faff52c67625

SHA1
a95b13afa86661b7aad4a20b8f436da8b2f95264

SHA256
9ed19efe2f784f80e231d4699d422b1247347552b4221bba54c5b3e2017a887c

SHA512
07c03306cbc67f72454d13c552c49594c69789225fa7e70f0266363bcb6dc307d0378c7acf75b640f82edfecb3dbfc8e16e9956d378f72b4fcef5e5e45e6eea6

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
447KB

MD5
ff2069fe81fe8e5bbbc49b8214720f51

SHA1
a1186730384f31aad9d5e809b548bf0041568f44

SHA256
247414284c0d482b05cad712db6d3220044008bdbdab3dccc96a0b84aa9f9e41

SHA512
c7012ed8419d9b5a28f749bc5aa7c209bf5972eab037044025e2a537b8472337018a5db9411329ff609d75178d20f31112cc95bdc72cf36aca76c1afb0c23f7d

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
447KB

MD5
ff2069fe81fe8e5bbbc49b8214720f51

SHA1
a1186730384f31aad9d5e809b548bf0041568f44

SHA256
247414284c0d482b05cad712db6d3220044008bdbdab3dccc96a0b84aa9f9e41

SHA512
c7012ed8419d9b5a28f749bc5aa7c209bf5972eab037044025e2a537b8472337018a5db9411329ff609d75178d20f31112cc95bdc72cf36aca76c1afb0c23f7d

Download Submit
C:\Program Files\backup.exe

Filesize
447KB

MD5
d8c2bb5c4c240c4058d15f6587f712bd

SHA1
e998b515d2cba602b8475a464e957882bb2fed16

SHA256
35b9262d6167e5758e017ac645fb1fd330cc637959448e68b68450a8000d1761

SHA512
a82385a9f04dda5da2f3b3280c4770261fb16c11bed01c7c3e7bd623bea5ee8e6fec85dbcff37fa0e142e617fc54a71ca95a9a85699f3b65de16e1b528207b8d

Download Submit
C:\Program Files\backup.exe

Filesize
447KB

MD5
d8c2bb5c4c240c4058d15f6587f712bd

SHA1
e998b515d2cba602b8475a464e957882bb2fed16

SHA256
35b9262d6167e5758e017ac645fb1fd330cc637959448e68b68450a8000d1761

SHA512
a82385a9f04dda5da2f3b3280c4770261fb16c11bed01c7c3e7bd623bea5ee8e6fec85dbcff37fa0e142e617fc54a71ca95a9a85699f3b65de16e1b528207b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2702952396\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2702952396\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2702952396\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
447KB

MD5
f04f44af694b2e3256270e7250f3dbe5

SHA1
5f6481ecb3518ce156b2f151a90262b04d047239

SHA256
7e07562ef1aa37e4b5a9b9070bc5963d0c77c05f3741b4edb7146e78bb8543bc

SHA512
b31ba9b7a572190386e828410bac1f8efcf012b534e84af5106e3d04d3d51167cbe013b5e81ff1a1637073d60283cd5a9164db7f05bd0a60ee5247f3071007b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
447KB

MD5
f04f44af694b2e3256270e7250f3dbe5

SHA1
5f6481ecb3518ce156b2f151a90262b04d047239

SHA256
7e07562ef1aa37e4b5a9b9070bc5963d0c77c05f3741b4edb7146e78bb8543bc

SHA512
b31ba9b7a572190386e828410bac1f8efcf012b534e84af5106e3d04d3d51167cbe013b5e81ff1a1637073d60283cd5a9164db7f05bd0a60ee5247f3071007b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
31KB

MD5
0900b05e82289aca80fee39ee5fdcb13

SHA1
a98b8b5b80986edab9164c3153102ce946a8adf7

SHA256
d1b549cf1cbf092361c21ccad169209617f160557f4a96f862e0605cfe783bc4

SHA512
c2ea0ce1c5d14803fac4e8ca55fb5f3044b1695579f9189723cc12410fbb1ace243898878faead1b9ff9da173259e19cf42af9ea970578d9d9f4c62dc88205ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
447KB

MD5
10aa71b1ee3cba5246d2b8b26ba300db

SHA1
1b2281e9c56cb44bdafd4ed8d39ba0afe436326e

SHA256
ad06378baf56fc0890bb765b1103011750862b666af2dd794db38b6e84189c67

SHA512
7ad78cbb16f71be6dfd2ee510f69bf2fdb322e921716d9c30a83f6648ba7b3cc27e439a7f7eda695f8a91861ee43ce5f22bb383ae9266109ac0872d449e31811

Download Submit
C:\backup.exe

Filesize
447KB

MD5
10aa71b1ee3cba5246d2b8b26ba300db

SHA1
1b2281e9c56cb44bdafd4ed8d39ba0afe436326e

SHA256
ad06378baf56fc0890bb765b1103011750862b666af2dd794db38b6e84189c67

SHA512
7ad78cbb16f71be6dfd2ee510f69bf2fdb322e921716d9c30a83f6648ba7b3cc27e439a7f7eda695f8a91861ee43ce5f22bb383ae9266109ac0872d449e31811

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
447KB

MD5
1913dedabb6e5280563239efb515cd89

SHA1
11c982325e868fffb71fca3ebee8595a11aad3cd

SHA256
a8e2da15c62d61fa4f715a92f4b4a47a94f7eedf838102878ff908a90f110de4

SHA512
eb87f23b3050b63283f1c71aafbf42eef461f7b1e972aa63f5dc4912be538fe51354c817c5b6f948d4ce6e28cb307139199973ef005158bada5f860a1d783aa2

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
447KB

MD5
1913dedabb6e5280563239efb515cd89

SHA1
11c982325e868fffb71fca3ebee8595a11aad3cd

SHA256
a8e2da15c62d61fa4f715a92f4b4a47a94f7eedf838102878ff908a90f110de4

SHA512
eb87f23b3050b63283f1c71aafbf42eef461f7b1e972aa63f5dc4912be538fe51354c817c5b6f948d4ce6e28cb307139199973ef005158bada5f860a1d783aa2

Download Submit
\PerfLogs\backup.exe

Filesize
447KB

MD5
d8c2bb5c4c240c4058d15f6587f712bd

SHA1
e998b515d2cba602b8475a464e957882bb2fed16

SHA256
35b9262d6167e5758e017ac645fb1fd330cc637959448e68b68450a8000d1761

SHA512
a82385a9f04dda5da2f3b3280c4770261fb16c11bed01c7c3e7bd623bea5ee8e6fec85dbcff37fa0e142e617fc54a71ca95a9a85699f3b65de16e1b528207b8d

Download Submit
\PerfLogs\backup.exe

Filesize
447KB

MD5
d8c2bb5c4c240c4058d15f6587f712bd

SHA1
e998b515d2cba602b8475a464e957882bb2fed16

SHA256
35b9262d6167e5758e017ac645fb1fd330cc637959448e68b68450a8000d1761

SHA512
a82385a9f04dda5da2f3b3280c4770261fb16c11bed01c7c3e7bd623bea5ee8e6fec85dbcff37fa0e142e617fc54a71ca95a9a85699f3b65de16e1b528207b8d

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
447KB

MD5
81e3191f529aae35ba7a99c10bb45d15

SHA1
c349c9b78eadd6339f43cffabb9f906815f1d4a2

SHA256
e3870f0b2041928d9e0b16da34c92df1b1a87a3dbd44c369f13e5e2b21d06a34

SHA512
a15aeda51b1a797a15c164da2dbb4f73bc658e00ef07438346b01f810e8e3aa20aed09bed04b3de0875107d255263788fc36078251814c164dbc170ad5b643d4

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
447KB

MD5
81e3191f529aae35ba7a99c10bb45d15

SHA1
c349c9b78eadd6339f43cffabb9f906815f1d4a2

SHA256
e3870f0b2041928d9e0b16da34c92df1b1a87a3dbd44c369f13e5e2b21d06a34

SHA512
a15aeda51b1a797a15c164da2dbb4f73bc658e00ef07438346b01f810e8e3aa20aed09bed04b3de0875107d255263788fc36078251814c164dbc170ad5b643d4

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
447KB

MD5
ff2069fe81fe8e5bbbc49b8214720f51

SHA1
a1186730384f31aad9d5e809b548bf0041568f44

SHA256
247414284c0d482b05cad712db6d3220044008bdbdab3dccc96a0b84aa9f9e41

SHA512
c7012ed8419d9b5a28f749bc5aa7c209bf5972eab037044025e2a537b8472337018a5db9411329ff609d75178d20f31112cc95bdc72cf36aca76c1afb0c23f7d

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
447KB

MD5
ff2069fe81fe8e5bbbc49b8214720f51

SHA1
a1186730384f31aad9d5e809b548bf0041568f44

SHA256
247414284c0d482b05cad712db6d3220044008bdbdab3dccc96a0b84aa9f9e41

SHA512
c7012ed8419d9b5a28f749bc5aa7c209bf5972eab037044025e2a537b8472337018a5db9411329ff609d75178d20f31112cc95bdc72cf36aca76c1afb0c23f7d

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
447KB

MD5
646e1755fbd936f504301c76589d0bc9

SHA1
e3c70b6bd7223bedca56b46cb2cec60d0355475f

SHA256
acf63c57ef7a3a5a2ae15a71dcffe153edc0a51df608aa10a54ae85526fdfd03

SHA512
8737c9baf3b37c5fbfe87474db15a9e9883a9e8eb9baa700bb6458bc23e3b95f25bdbcd1000aa0404bbeeafe4ea7a5d04011ac7208e576d366191cb041aec8e8

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
447KB

MD5
646e1755fbd936f504301c76589d0bc9

SHA1
e3c70b6bd7223bedca56b46cb2cec60d0355475f

SHA256
acf63c57ef7a3a5a2ae15a71dcffe153edc0a51df608aa10a54ae85526fdfd03

SHA512
8737c9baf3b37c5fbfe87474db15a9e9883a9e8eb9baa700bb6458bc23e3b95f25bdbcd1000aa0404bbeeafe4ea7a5d04011ac7208e576d366191cb041aec8e8

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
447KB

MD5
81e3191f529aae35ba7a99c10bb45d15

SHA1
c349c9b78eadd6339f43cffabb9f906815f1d4a2

SHA256
e3870f0b2041928d9e0b16da34c92df1b1a87a3dbd44c369f13e5e2b21d06a34

SHA512
a15aeda51b1a797a15c164da2dbb4f73bc658e00ef07438346b01f810e8e3aa20aed09bed04b3de0875107d255263788fc36078251814c164dbc170ad5b643d4

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
447KB

MD5
81e3191f529aae35ba7a99c10bb45d15

SHA1
c349c9b78eadd6339f43cffabb9f906815f1d4a2

SHA256
e3870f0b2041928d9e0b16da34c92df1b1a87a3dbd44c369f13e5e2b21d06a34

SHA512
a15aeda51b1a797a15c164da2dbb4f73bc658e00ef07438346b01f810e8e3aa20aed09bed04b3de0875107d255263788fc36078251814c164dbc170ad5b643d4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
447KB

MD5
3e09218adc271d5a26460812cde3a310

SHA1
3d214f8cf43324c55c4349cb6101c3033dad002b

SHA256
20b2ceb1a1666720552d518edf37c6e4a9ac78796743e565df3971e1db897cdd

SHA512
f8c30c29375fa8f0a73defcec1f555023ae20428d882147c2ef2abf8f41de635b986be2ee6ec98ffa505673e494ced98a6f43eb1f787609b30c1f6bc5dad09b2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
447KB

MD5
3e09218adc271d5a26460812cde3a310

SHA1
3d214f8cf43324c55c4349cb6101c3033dad002b

SHA256
20b2ceb1a1666720552d518edf37c6e4a9ac78796743e565df3971e1db897cdd

SHA512
f8c30c29375fa8f0a73defcec1f555023ae20428d882147c2ef2abf8f41de635b986be2ee6ec98ffa505673e494ced98a6f43eb1f787609b30c1f6bc5dad09b2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
447KB

MD5
3e09218adc271d5a26460812cde3a310

SHA1
3d214f8cf43324c55c4349cb6101c3033dad002b

SHA256
20b2ceb1a1666720552d518edf37c6e4a9ac78796743e565df3971e1db897cdd

SHA512
f8c30c29375fa8f0a73defcec1f555023ae20428d882147c2ef2abf8f41de635b986be2ee6ec98ffa505673e494ced98a6f43eb1f787609b30c1f6bc5dad09b2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\update.exe

Filesize
447KB

MD5
971efbe5cab1fc7852a0faff52c67625

SHA1
a95b13afa86661b7aad4a20b8f436da8b2f95264

SHA256
9ed19efe2f784f80e231d4699d422b1247347552b4221bba54c5b3e2017a887c

SHA512
07c03306cbc67f72454d13c552c49594c69789225fa7e70f0266363bcb6dc307d0378c7acf75b640f82edfecb3dbfc8e16e9956d378f72b4fcef5e5e45e6eea6

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\update.exe

Filesize
447KB

MD5
971efbe5cab1fc7852a0faff52c67625

SHA1
a95b13afa86661b7aad4a20b8f436da8b2f95264

SHA256
9ed19efe2f784f80e231d4699d422b1247347552b4221bba54c5b3e2017a887c

SHA512
07c03306cbc67f72454d13c552c49594c69789225fa7e70f0266363bcb6dc307d0378c7acf75b640f82edfecb3dbfc8e16e9956d378f72b4fcef5e5e45e6eea6

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\update.exe

Filesize
447KB

MD5
971efbe5cab1fc7852a0faff52c67625

SHA1
a95b13afa86661b7aad4a20b8f436da8b2f95264

SHA256
9ed19efe2f784f80e231d4699d422b1247347552b4221bba54c5b3e2017a887c

SHA512
07c03306cbc67f72454d13c552c49594c69789225fa7e70f0266363bcb6dc307d0378c7acf75b640f82edfecb3dbfc8e16e9956d378f72b4fcef5e5e45e6eea6

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\update.exe

Filesize
447KB

MD5
971efbe5cab1fc7852a0faff52c67625

SHA1
a95b13afa86661b7aad4a20b8f436da8b2f95264

SHA256
9ed19efe2f784f80e231d4699d422b1247347552b4221bba54c5b3e2017a887c

SHA512
07c03306cbc67f72454d13c552c49594c69789225fa7e70f0266363bcb6dc307d0378c7acf75b640f82edfecb3dbfc8e16e9956d378f72b4fcef5e5e45e6eea6

Download Submit
\Program Files\Common Files\backup.exe

Filesize
447KB

MD5
ff2069fe81fe8e5bbbc49b8214720f51

SHA1
a1186730384f31aad9d5e809b548bf0041568f44

SHA256
247414284c0d482b05cad712db6d3220044008bdbdab3dccc96a0b84aa9f9e41

SHA512
c7012ed8419d9b5a28f749bc5aa7c209bf5972eab037044025e2a537b8472337018a5db9411329ff609d75178d20f31112cc95bdc72cf36aca76c1afb0c23f7d

Download Submit
\Program Files\Common Files\backup.exe

Filesize
447KB

MD5
ff2069fe81fe8e5bbbc49b8214720f51

SHA1
a1186730384f31aad9d5e809b548bf0041568f44

SHA256
247414284c0d482b05cad712db6d3220044008bdbdab3dccc96a0b84aa9f9e41

SHA512
c7012ed8419d9b5a28f749bc5aa7c209bf5972eab037044025e2a537b8472337018a5db9411329ff609d75178d20f31112cc95bdc72cf36aca76c1afb0c23f7d

Download Submit
\Program Files\backup.exe

Filesize
447KB

MD5
d8c2bb5c4c240c4058d15f6587f712bd

SHA1
e998b515d2cba602b8475a464e957882bb2fed16

SHA256
35b9262d6167e5758e017ac645fb1fd330cc637959448e68b68450a8000d1761

SHA512
a82385a9f04dda5da2f3b3280c4770261fb16c11bed01c7c3e7bd623bea5ee8e6fec85dbcff37fa0e142e617fc54a71ca95a9a85699f3b65de16e1b528207b8d

Download Submit
\Program Files\backup.exe

Filesize
447KB

MD5
d8c2bb5c4c240c4058d15f6587f712bd

SHA1
e998b515d2cba602b8475a464e957882bb2fed16

SHA256
35b9262d6167e5758e017ac645fb1fd330cc637959448e68b68450a8000d1761

SHA512
a82385a9f04dda5da2f3b3280c4770261fb16c11bed01c7c3e7bd623bea5ee8e6fec85dbcff37fa0e142e617fc54a71ca95a9a85699f3b65de16e1b528207b8d

Download Submit
\Users\Admin\AppData\Local\Temp\2702952396\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
\Users\Admin\AppData\Local\Temp\2702952396\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
447KB

MD5
f04f44af694b2e3256270e7250f3dbe5

SHA1
5f6481ecb3518ce156b2f151a90262b04d047239

SHA256
7e07562ef1aa37e4b5a9b9070bc5963d0c77c05f3741b4edb7146e78bb8543bc

SHA512
b31ba9b7a572190386e828410bac1f8efcf012b534e84af5106e3d04d3d51167cbe013b5e81ff1a1637073d60283cd5a9164db7f05bd0a60ee5247f3071007b9

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
447KB

MD5
f04f44af694b2e3256270e7250f3dbe5

SHA1
5f6481ecb3518ce156b2f151a90262b04d047239

SHA256
7e07562ef1aa37e4b5a9b9070bc5963d0c77c05f3741b4edb7146e78bb8543bc

SHA512
b31ba9b7a572190386e828410bac1f8efcf012b534e84af5106e3d04d3d51167cbe013b5e81ff1a1637073d60283cd5a9164db7f05bd0a60ee5247f3071007b9

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
447KB

MD5
86914c480d13d2c69c16cc69a5a3f6cf

SHA1
239c722b52b299647e1417db86bbc09f3025072b

SHA256
77d6417e4ae167503fd0e5547c58219be8b4f5030bc2fad16a58f2959c5f7739

SHA512
aead9907c8bbb7ceef0b0ce9d1f4e74bdeb472d24037897b17019625b7f085df97f41a0cdb8b2844ad1faf2b9174937a353610f833234c2f9d20ed97b2d9ecd8

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
447KB

MD5
f04f44af694b2e3256270e7250f3dbe5

SHA1
5f6481ecb3518ce156b2f151a90262b04d047239

SHA256
7e07562ef1aa37e4b5a9b9070bc5963d0c77c05f3741b4edb7146e78bb8543bc

SHA512
b31ba9b7a572190386e828410bac1f8efcf012b534e84af5106e3d04d3d51167cbe013b5e81ff1a1637073d60283cd5a9164db7f05bd0a60ee5247f3071007b9

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
447KB

MD5
f04f44af694b2e3256270e7250f3dbe5

SHA1
5f6481ecb3518ce156b2f151a90262b04d047239

SHA256
7e07562ef1aa37e4b5a9b9070bc5963d0c77c05f3741b4edb7146e78bb8543bc

SHA512
b31ba9b7a572190386e828410bac1f8efcf012b534e84af5106e3d04d3d51167cbe013b5e81ff1a1637073d60283cd5a9164db7f05bd0a60ee5247f3071007b9

Download Submit
memory/280-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/280-92-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/280-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/280-95-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/756-157-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/756-185-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/756-173-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/908-285-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/908-278-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/908-282-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1168-85-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1380-268-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1380-262-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1512-249-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1512-214-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/1512-243-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/1512-223-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/1512-269-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/1512-216-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/1640-179-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1684-133-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1708-29-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1824-283-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/1824-231-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1824-281-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/1824-291-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/1824-287-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/1824-270-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1824-276-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/1824-280-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1824-293-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/1956-61-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1956-11-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1956-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1956-149-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1956-59-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1956-127-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1956-47-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1956-272-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1956-40-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1956-209-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1956-83-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2016-199-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2016-200-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2016-240-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2224-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2224-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2360-221-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2364-76-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2424-296-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2424-292-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2520-230-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2520-151-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2520-208-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2520-201-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2572-132-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2572-120-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2640-197-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2640-147-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2704-50-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2744-98-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-247-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2776-257-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-251-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads