3897d7e9a7e6803e6aa62c38cb1fa2120545ef6ced882bed1af3ccada11a0d22

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01-11-2023 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0c7673911c7ee55ce65875a06530d150.exe
Size

88KB
MD5

0c7673911c7ee55ce65875a06530d150
SHA1

7121c0896d562cbba761f0f814a481b8612df300
SHA256

3897d7e9a7e6803e6aa62c38cb1fa2120545ef6ced882bed1af3ccada11a0d22
SHA512

99b9aff28c5db117dda245bd02a3c7d97ae4e49118ab0d99b473f68a9a775c73bbfd3f541622f5cdda540d8a8434be3551d848527b867f4731c3016e213d0dab
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEmr:BeT7BVwxfvEFwjRr

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 59 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.0c7673911c7ee55ce65875a06530d150.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe

Executes dropped EXE 64 IoCs

pid	Process
2340	backup.exe
2300	backup.exe
268	backup.exe
1656	update.exe
1780	backup.exe
2820	backup.exe
2996	backup.exe
1212	backup.exe
2656	backup.exe
2652	backup.exe
1352	backup.exe
2136	backup.exe
1980	backup.exe
2232	backup.exe
1916	backup.exe
760	backup.exe
2588	backup.exe
2496	backup.exe
2944	backup.exe
1808	backup.exe
1948	backup.exe
2940	backup.exe
2224	backup.exe
2640	System Restore.exe
2284	backup.exe
1616	backup.exe
2304	update.exe
2584	backup.exe
564	System Restore.exe
568	backup.exe
836	backup.exe
2328	backup.exe
2864	backup.exe
2776	backup.exe
2872	backup.exe
3032	backup.exe
2804	backup.exe
2388	backup.exe
1752	backup.exe
3004	backup.exe
2544	backup.exe
1724	backup.exe
1984	backup.exe
1536	backup.exe
2136	backup.exe
1160	backup.exe
1096	backup.exe
2008	backup.exe
2244	data.exe
1108	backup.exe
1484	backup.exe
1584	backup.exe
868	data.exe
1544	backup.exe
2932	update.exe
1808	backup.exe
1012	backup.exe
1788	backup.exe
2920	backup.exe
2936	backup.exe
2432	backup.exe
2376	backup.exe
2948	backup.exe
1624	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe
1656	update.exe
1656	update.exe
1656	update.exe
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe
1212	backup.exe
1212	backup.exe
2656	backup.exe
2656	backup.exe
1212	backup.exe
1212	backup.exe
1352	backup.exe
1352	backup.exe
2136	backup.exe
2136	backup.exe
1352	backup.exe
1352	backup.exe
2232	backup.exe
2232	backup.exe
1916	backup.exe
1916	backup.exe
1916	backup.exe
1916	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2588	backup.exe
2304	update.exe
2304	update.exe
2304	update.exe
2588	backup.exe
2588	backup.exe
1212	backup.exe
1212	backup.exe
2588	backup.exe
2588	backup.exe
1352	backup.exe
1352	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2176-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0009000000015c69-5.dat	upx
behavioral1/files/0x0009000000015c69-7.dat	upx
behavioral1/files/0x0009000000015c69-9.dat	upx
behavioral1/files/0x0009000000015c69-12.dat	upx
behavioral1/memory/2340-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015db5-17.dat	upx
behavioral1/files/0x0007000000015db5-23.dat	upx
behavioral1/files/0x0007000000015db5-19.dat	upx
behavioral1/memory/2176-24-0x00000000005B0000-0x00000000005CC000-memory.dmp	upx
behavioral1/files/0x0007000000015e30-28.dat	upx
behavioral1/memory/2300-34-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015e30-30.dat	upx
behavioral1/files/0x0007000000015e30-36.dat	upx
behavioral1/files/0x0008000000015de1-41.dat	upx
behavioral1/files/0x0008000000015de1-44.dat	upx
behavioral1/files/0x0008000000015de1-46.dat	upx
behavioral1/memory/2176-45-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015de1-48.dat	upx
behavioral1/files/0x0008000000015de1-47.dat	upx
behavioral1/files/0x0008000000015de1-49.dat	upx
behavioral1/files/0x00060000000162e9-53.dat	upx
behavioral1/files/0x00060000000162e9-56.dat	upx
behavioral1/memory/1656-61-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x00060000000162e9-60.dat	upx
behavioral1/memory/2340-55-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1780-65-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000b000000015eb0-66.dat	upx
behavioral1/files/0x000b000000015eb0-72.dat	upx
behavioral1/files/0x000b000000015eb0-68.dat	upx
behavioral1/memory/268-75-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016466-78.dat	upx
behavioral1/memory/2820-85-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016466-86.dat	upx
behavioral1/files/0x0006000000016466-80.dat	upx
behavioral1/memory/2996-89-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0009000000015c69-91.dat	upx
behavioral1/files/0x000600000001659d-99.dat	upx
behavioral1/files/0x000600000001659d-103.dat	upx
behavioral1/files/0x00060000000167f4-105.dat	upx
behavioral1/files/0x00060000000167f4-107.dat	upx
behavioral1/files/0x00060000000167f4-112.dat	upx
behavioral1/files/0x00060000000167f4-116.dat	upx
behavioral1/files/0x0006000000016ba8-126.dat	upx
behavioral1/files/0x0006000000016ba8-122.dat	upx
behavioral1/files/0x0006000000016ba8-120.dat	upx
behavioral1/memory/2652-142-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016c2a-149.dat	upx
behavioral1/files/0x0007000000016c2a-145.dat	upx
behavioral1/memory/2656-141-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016c2a-143.dat	upx
behavioral1/memory/1212-155-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016c2a-156.dat	upx
behavioral1/files/0x0007000000016ae2-158.dat	upx
behavioral1/files/0x0007000000016ae2-164.dat	upx
behavioral1/files/0x0007000000016ae2-160.dat	upx
behavioral1/memory/1352-166-0x0000000000370000-0x000000000038C000-memory.dmp	upx
behavioral1/files/0x0007000000016ae2-169.dat	upx
behavioral1/files/0x0006000000016ca2-177.dat	upx
behavioral1/files/0x0006000000016ca2-173.dat	upx
behavioral1/files/0x0006000000016ca2-171.dat	upx
behavioral1/memory/1980-182-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016cde-185.dat	upx
behavioral1/files/0x0006000000016cde-193.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\System Restore.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Windows Defender\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Reference Assemblies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe
2340	backup.exe
2300	backup.exe
268	backup.exe
1656	update.exe
1780	backup.exe
2820	backup.exe
2996	backup.exe
1212	backup.exe
2656	backup.exe
2652	backup.exe
1352	backup.exe
2136	backup.exe
1980	backup.exe
2232	backup.exe
1916	backup.exe
760	backup.exe
2588	backup.exe
2496	backup.exe
2944	backup.exe
1808	backup.exe
1948	backup.exe
2940	backup.exe
2224	backup.exe
2640	System Restore.exe
2284	backup.exe
1616	backup.exe
2304	update.exe
2584	backup.exe
564	System Restore.exe
568	backup.exe
836	backup.exe
2328	backup.exe
2864	backup.exe
2872	backup.exe
2804	backup.exe
2388	backup.exe
1752	backup.exe
3004	backup.exe
3032	backup.exe
2544	backup.exe
1724	backup.exe
1536	backup.exe
2136	backup.exe
1984	backup.exe
1160	backup.exe
2008	backup.exe
2244	data.exe
2776	backup.exe
1584	backup.exe
1108	backup.exe
1096	backup.exe
1544	backup.exe
1788	backup.exe
1808	backup.exe
2936	backup.exe
2376	backup.exe
1624	backup.exe
1484	backup.exe
2172	update.exe
3056	data.exe
868	data.exe
1000	backup.exe
2920	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2340	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	28
PID 2176 wrote to memory of 2340	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	28
PID 2176 wrote to memory of 2340	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	28
PID 2176 wrote to memory of 2340	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	28
PID 2176 wrote to memory of 2300	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	29
PID 2176 wrote to memory of 2300	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	29
PID 2176 wrote to memory of 2300	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	29
PID 2176 wrote to memory of 2300	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	29
PID 2176 wrote to memory of 268	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	30
PID 2176 wrote to memory of 268	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	30
PID 2176 wrote to memory of 268	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	30
PID 2176 wrote to memory of 268	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	30
PID 2176 wrote to memory of 1656	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	31
PID 2176 wrote to memory of 1656	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	31
PID 2176 wrote to memory of 1656	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	31
PID 2176 wrote to memory of 1656	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	31
PID 2176 wrote to memory of 1656	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	31
PID 2176 wrote to memory of 1656	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	31
PID 2176 wrote to memory of 1656	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	31
PID 2176 wrote to memory of 1780	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	32
PID 2176 wrote to memory of 1780	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	32
PID 2176 wrote to memory of 1780	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	32
PID 2176 wrote to memory of 1780	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	32
PID 2176 wrote to memory of 2820	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	33
PID 2176 wrote to memory of 2820	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	33
PID 2176 wrote to memory of 2820	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	33
PID 2176 wrote to memory of 2820	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	33
PID 2176 wrote to memory of 2996	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	34
PID 2176 wrote to memory of 2996	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	34
PID 2176 wrote to memory of 2996	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	34
PID 2176 wrote to memory of 2996	2176	NEAS.0c7673911c7ee55ce65875a06530d150.exe	34
PID 2340 wrote to memory of 1212	2340	backup.exe	35
PID 2340 wrote to memory of 1212	2340	backup.exe	35
PID 2340 wrote to memory of 1212	2340	backup.exe	35
PID 2340 wrote to memory of 1212	2340	backup.exe	35
PID 1212 wrote to memory of 2656	1212	backup.exe	36
PID 1212 wrote to memory of 2656	1212	backup.exe	36
PID 1212 wrote to memory of 2656	1212	backup.exe	36
PID 1212 wrote to memory of 2656	1212	backup.exe	36
PID 2656 wrote to memory of 2652	2656	backup.exe	37
PID 2656 wrote to memory of 2652	2656	backup.exe	37
PID 2656 wrote to memory of 2652	2656	backup.exe	37
PID 2656 wrote to memory of 2652	2656	backup.exe	37
PID 1212 wrote to memory of 1352	1212	backup.exe	38
PID 1212 wrote to memory of 1352	1212	backup.exe	38
PID 1212 wrote to memory of 1352	1212	backup.exe	38
PID 1212 wrote to memory of 1352	1212	backup.exe	38
PID 1352 wrote to memory of 2136	1352	backup.exe	39
PID 1352 wrote to memory of 2136	1352	backup.exe	39
PID 1352 wrote to memory of 2136	1352	backup.exe	39
PID 1352 wrote to memory of 2136	1352	backup.exe	39
PID 2136 wrote to memory of 1980	2136	backup.exe	40
PID 2136 wrote to memory of 1980	2136	backup.exe	40
PID 2136 wrote to memory of 1980	2136	backup.exe	40
PID 2136 wrote to memory of 1980	2136	backup.exe	40
PID 1352 wrote to memory of 2232	1352	backup.exe	41
PID 1352 wrote to memory of 2232	1352	backup.exe	41
PID 1352 wrote to memory of 2232	1352	backup.exe	41
PID 1352 wrote to memory of 2232	1352	backup.exe	41
PID 2232 wrote to memory of 1916	2232	backup.exe	42
PID 2232 wrote to memory of 1916	2232	backup.exe	42
PID 2232 wrote to memory of 1916	2232	backup.exe	42
PID 2232 wrote to memory of 1916	2232	backup.exe	42
PID 1916 wrote to memory of 760	1916	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.0c7673911c7ee55ce65875a06530d150.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.0c7673911c7ee55ce65875a06530d150.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0c7673911c7ee55ce65875a06530d150.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2176
- C:\Users\Admin\AppData\Local\Temp\1685968619\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1685968619\backup.exe C:\Users\Admin\AppData\Local\Temp\1685968619\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2340
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1212
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2656
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2652
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1352
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2136
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1980
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2232
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2224
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2640
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2284
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:2488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:3052
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        
        PID:2596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:2716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:804
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:2192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:2892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:1460
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:2860
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3032
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1096
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3056
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:2848
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1404
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1108
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:2872
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:588
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2600
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2304
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2900
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2864
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2136
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1584
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:1936
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2708
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2676
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:2232
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:836
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2804
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2544
      - C:\Program Files\DVD Maker\es-ES\data.exe
        
        "C:\Program Files\DVD Maker\es-ES\data.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2244
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2936
      - C:\Program Files\DVD Maker\it-IT\update.exe
        
        "C:\Program Files\DVD Maker\it-IT\update.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2172
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:2756
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1736
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1724
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1160
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:2076
    - - C:\Program Files\Internet Explorer\update.exe
        
        "C:\Program Files\Internet Explorer\update.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:2932
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:2720
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1472
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2132
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1268
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2836
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2724
    - - C:\Program Files\VideoLAN\System Restore.exe
        
        "C:\Program Files\VideoLAN\System Restore.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2080
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:2260
  - - C:\Program Files (x86)\System Restore.exe
      "C:\Program Files (x86)\System Restore.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:564
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1484
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2376
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:888
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2828
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2020
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:472
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2672
    - - C:\Program Files (x86)\Microsoft Office\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Office\System Restore.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2196
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2412
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2928
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2700
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2556
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1752
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1984
      - C:\Users\Admin\Contacts\data.exe
        
        C:\Users\Admin\Contacts\data.exe C:\Users\Admin\Contacts\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:868
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:2948
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1000
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:2064
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1700
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:776
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:988
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2664
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:940
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Executes dropped EXE
        
        PID:1012
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1544
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2300
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:268
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
88KB

MD5
5cc02d865e88d183872e7f352bc16fa7

SHA1
7b13a17b1bf228ded33b6dfd2106bcdbc29f2e70

SHA256
e934fd9ee6269798c8e5566ebf91be37d95538ce2a9ba191208d579d89937c57

SHA512
c23287e93af7a42b3deae76e299b58e58f309bb0df888940a554cc48e4c48810664b7ada010093d31506f3a1a7bec7cd38197a4a1ebbf23d19b62c3cda19f972

Download Submit
C:\PerfLogs\backup.exe

Filesize
88KB

MD5
3e75e1af08cf091cbe2a4d099db72855

SHA1
c9dd62883fca7d056f2eb861526158e9f8936716

SHA256
b92b5aa9fe8812c8cb4274fe543811759276e27ce99ab35960cd5b534c11c7ee

SHA512
739895151129e7bbeed67923dbccbbcbda716c7f122ffd299e7bf191df46446c6bf3be9f34ccfed4987f28b706d1f5c82b2f79eda7045f1b1f40af527bc8e83a

Download Submit
C:\PerfLogs\backup.exe

Filesize
88KB

MD5
3e75e1af08cf091cbe2a4d099db72855

SHA1
c9dd62883fca7d056f2eb861526158e9f8936716

SHA256
b92b5aa9fe8812c8cb4274fe543811759276e27ce99ab35960cd5b534c11c7ee

SHA512
739895151129e7bbeed67923dbccbbcbda716c7f122ffd299e7bf191df46446c6bf3be9f34ccfed4987f28b706d1f5c82b2f79eda7045f1b1f40af527bc8e83a

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
88KB

MD5
70cf61e095af43ddc8e576eda7f4c4b8

SHA1
d11ecb46ac5521ca6bee46908fddd6e79ac58c6c

SHA256
a56260b24aa452dbaffac55db834692c321bbefde51b0c8ded9c2c0962f67ff1

SHA512
95b2ba94e157d50f4c5937bb590c443c56855f3d8194d6ef2bc30c26cadb02187b719375fd4f6448faa1d504a4c6c36c1494548bc95f44b78739fca4193c24b0

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
88KB

MD5
5cc02d865e88d183872e7f352bc16fa7

SHA1
7b13a17b1bf228ded33b6dfd2106bcdbc29f2e70

SHA256
e934fd9ee6269798c8e5566ebf91be37d95538ce2a9ba191208d579d89937c57

SHA512
c23287e93af7a42b3deae76e299b58e58f309bb0df888940a554cc48e4c48810664b7ada010093d31506f3a1a7bec7cd38197a4a1ebbf23d19b62c3cda19f972

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
88KB

MD5
5cc02d865e88d183872e7f352bc16fa7

SHA1
7b13a17b1bf228ded33b6dfd2106bcdbc29f2e70

SHA256
e934fd9ee6269798c8e5566ebf91be37d95538ce2a9ba191208d579d89937c57

SHA512
c23287e93af7a42b3deae76e299b58e58f309bb0df888940a554cc48e4c48810664b7ada010093d31506f3a1a7bec7cd38197a4a1ebbf23d19b62c3cda19f972

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
88KB

MD5
7c78011a7815d9a6931accb070fff27b

SHA1
32446a259b2b93c357188ed9aa988db7b67d44cf

SHA256
3e4c125e01dfcd56d363eb4f1630ed589aba54059539460900abda43f5e8092c

SHA512
1650ae0174b9ba64d092f00b2ba6cdfde5395ab7e007aeda5682b542b462aacca7915e3e813a995a5823ab5860ec11aafc81624f962a8bd776808bb87fc3885d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
88KB

MD5
2ac85c8bff67fe6fcbf1fe5def43942e

SHA1
b10e2164ae84d9be36f89483f47dc38937269281

SHA256
617c95b754d9f27eccf705d84014883092929b0dbf31f7dad12d9c0c9bd98e0d

SHA512
949035da4cad864870da5282a56cedc6da61743764d5de686d048b436efa8253636d0ed60ff8e9d21bdf3e6945d84fbc195a7a09ad57b44fbecd363711c8570d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
88KB

MD5
2ac85c8bff67fe6fcbf1fe5def43942e

SHA1
b10e2164ae84d9be36f89483f47dc38937269281

SHA256
617c95b754d9f27eccf705d84014883092929b0dbf31f7dad12d9c0c9bd98e0d

SHA512
949035da4cad864870da5282a56cedc6da61743764d5de686d048b436efa8253636d0ed60ff8e9d21bdf3e6945d84fbc195a7a09ad57b44fbecd363711c8570d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
88KB

MD5
4d1d212feefb0d253056b8e96e932b42

SHA1
615536994658f9fb5d08e715f7e2f822d37adf99

SHA256
dd7388f754b7b2556772584f5bae7af72179effe8de9c97d78cc35a09c392872

SHA512
8d24399676ffac3a252aadcfc130eb3fe5fa43c01a41a8e175e034bfe8b59cff268fcc7adec1e1533c61533121735a91e0b75c8a0438c8ce1b525136a99a471b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
88KB

MD5
7c78011a7815d9a6931accb070fff27b

SHA1
32446a259b2b93c357188ed9aa988db7b67d44cf

SHA256
3e4c125e01dfcd56d363eb4f1630ed589aba54059539460900abda43f5e8092c

SHA512
1650ae0174b9ba64d092f00b2ba6cdfde5395ab7e007aeda5682b542b462aacca7915e3e813a995a5823ab5860ec11aafc81624f962a8bd776808bb87fc3885d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
88KB

MD5
7c78011a7815d9a6931accb070fff27b

SHA1
32446a259b2b93c357188ed9aa988db7b67d44cf

SHA256
3e4c125e01dfcd56d363eb4f1630ed589aba54059539460900abda43f5e8092c

SHA512
1650ae0174b9ba64d092f00b2ba6cdfde5395ab7e007aeda5682b542b462aacca7915e3e813a995a5823ab5860ec11aafc81624f962a8bd776808bb87fc3885d

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
88KB

MD5
7f68f8e8bfcbbd88a717529b88b882a3

SHA1
29ee53af5984bc26f0ff8222b830c81687f91d07

SHA256
9e9b6a1b9b98a72aac3c807f715650c8ce03e36bede448152369fd5ff55ee473

SHA512
6c974f60e29bb04289f20ce8ded54e1af9bbd64df85f6845fde55610647340bab1e8b454be44919de905debb88b01d5adbbda2c94d26a50578351ca65f40946d

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
88KB

MD5
7f68f8e8bfcbbd88a717529b88b882a3

SHA1
29ee53af5984bc26f0ff8222b830c81687f91d07

SHA256
9e9b6a1b9b98a72aac3c807f715650c8ce03e36bede448152369fd5ff55ee473

SHA512
6c974f60e29bb04289f20ce8ded54e1af9bbd64df85f6845fde55610647340bab1e8b454be44919de905debb88b01d5adbbda2c94d26a50578351ca65f40946d

Download Submit
C:\Program Files\backup.exe

Filesize
88KB

MD5
3e75e1af08cf091cbe2a4d099db72855

SHA1
c9dd62883fca7d056f2eb861526158e9f8936716

SHA256
b92b5aa9fe8812c8cb4274fe543811759276e27ce99ab35960cd5b534c11c7ee

SHA512
739895151129e7bbeed67923dbccbbcbda716c7f122ffd299e7bf191df46446c6bf3be9f34ccfed4987f28b706d1f5c82b2f79eda7045f1b1f40af527bc8e83a

Download Submit
C:\Program Files\backup.exe

Filesize
88KB

MD5
3e75e1af08cf091cbe2a4d099db72855

SHA1
c9dd62883fca7d056f2eb861526158e9f8936716

SHA256
b92b5aa9fe8812c8cb4274fe543811759276e27ce99ab35960cd5b534c11c7ee

SHA512
739895151129e7bbeed67923dbccbbcbda716c7f122ffd299e7bf191df46446c6bf3be9f34ccfed4987f28b706d1f5c82b2f79eda7045f1b1f40af527bc8e83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1685968619\backup.exe

Filesize
88KB

MD5
6521fd6fbc888aff4b8f2309d8e2afc6

SHA1
51b35b7e4122f3c41ee66c1155cea679c692cfc4

SHA256
d686d0967b04b7eb5a3ad40dfbc13708602968f13deffe0c7ffd260a06959721

SHA512
f18a9719f6cdaab11f2315f677cde5021081ece426d50ad234ab60ee5c27d25aa068144de432086ae9b4c3aab7beb545ef129603c98ab53505770cff578f115f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1685968619\backup.exe

Filesize
88KB

MD5
6521fd6fbc888aff4b8f2309d8e2afc6

SHA1
51b35b7e4122f3c41ee66c1155cea679c692cfc4

SHA256
d686d0967b04b7eb5a3ad40dfbc13708602968f13deffe0c7ffd260a06959721

SHA512
f18a9719f6cdaab11f2315f677cde5021081ece426d50ad234ab60ee5c27d25aa068144de432086ae9b4c3aab7beb545ef129603c98ab53505770cff578f115f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1685968619\backup.exe

Filesize
88KB

MD5
6521fd6fbc888aff4b8f2309d8e2afc6

SHA1
51b35b7e4122f3c41ee66c1155cea679c692cfc4

SHA256
d686d0967b04b7eb5a3ad40dfbc13708602968f13deffe0c7ffd260a06959721

SHA512
f18a9719f6cdaab11f2315f677cde5021081ece426d50ad234ab60ee5c27d25aa068144de432086ae9b4c3aab7beb545ef129603c98ab53505770cff578f115f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
30KB

MD5
722a84f0082953ca9e5fb9a4e4132693

SHA1
fead594a5d65df0d07f59b8fe0060ddc05388584

SHA256
68697de089e5624130f994e71069c681d49669d2dcc7c487175ce03d20f1c15d

SHA512
03452a6ce49f1d4d39353968407e0706558229dfdd5e0d7c658fb67873abd9bedee1aaf84f0a88e23a7e838e737336c97950c38892820f921f554a880513ff49

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
88KB

MD5
ae44a1787ea14a00def05de75235d06b

SHA1
6503255583f37afa6def1c4c96b183f7e58e1e4d

SHA256
11027921d3290f5d6502c2650326925c3f2fb8de293b538ba1d0c04f31dbc455

SHA512
576349135295060d3a0e9d3d7526d50b1e5f228a9dfa982f8549a3c20c39a5b2b272620436935613263750047f26881b60c4a972d7b4929dddf848fd1328af27

Download Submit
C:\backup.exe

Filesize
88KB

MD5
ae44a1787ea14a00def05de75235d06b

SHA1
6503255583f37afa6def1c4c96b183f7e58e1e4d

SHA256
11027921d3290f5d6502c2650326925c3f2fb8de293b538ba1d0c04f31dbc455

SHA512
576349135295060d3a0e9d3d7526d50b1e5f228a9dfa982f8549a3c20c39a5b2b272620436935613263750047f26881b60c4a972d7b4929dddf848fd1328af27

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
88KB

MD5
5cc02d865e88d183872e7f352bc16fa7

SHA1
7b13a17b1bf228ded33b6dfd2106bcdbc29f2e70

SHA256
e934fd9ee6269798c8e5566ebf91be37d95538ce2a9ba191208d579d89937c57

SHA512
c23287e93af7a42b3deae76e299b58e58f309bb0df888940a554cc48e4c48810664b7ada010093d31506f3a1a7bec7cd38197a4a1ebbf23d19b62c3cda19f972

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
88KB

MD5
5cc02d865e88d183872e7f352bc16fa7

SHA1
7b13a17b1bf228ded33b6dfd2106bcdbc29f2e70

SHA256
e934fd9ee6269798c8e5566ebf91be37d95538ce2a9ba191208d579d89937c57

SHA512
c23287e93af7a42b3deae76e299b58e58f309bb0df888940a554cc48e4c48810664b7ada010093d31506f3a1a7bec7cd38197a4a1ebbf23d19b62c3cda19f972

Download Submit
\PerfLogs\backup.exe

Filesize
88KB

MD5
3e75e1af08cf091cbe2a4d099db72855

SHA1
c9dd62883fca7d056f2eb861526158e9f8936716

SHA256
b92b5aa9fe8812c8cb4274fe543811759276e27ce99ab35960cd5b534c11c7ee

SHA512
739895151129e7bbeed67923dbccbbcbda716c7f122ffd299e7bf191df46446c6bf3be9f34ccfed4987f28b706d1f5c82b2f79eda7045f1b1f40af527bc8e83a

Download Submit
\PerfLogs\backup.exe

Filesize
88KB

MD5
3e75e1af08cf091cbe2a4d099db72855

SHA1
c9dd62883fca7d056f2eb861526158e9f8936716

SHA256
b92b5aa9fe8812c8cb4274fe543811759276e27ce99ab35960cd5b534c11c7ee

SHA512
739895151129e7bbeed67923dbccbbcbda716c7f122ffd299e7bf191df46446c6bf3be9f34ccfed4987f28b706d1f5c82b2f79eda7045f1b1f40af527bc8e83a

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
88KB

MD5
70cf61e095af43ddc8e576eda7f4c4b8

SHA1
d11ecb46ac5521ca6bee46908fddd6e79ac58c6c

SHA256
a56260b24aa452dbaffac55db834692c321bbefde51b0c8ded9c2c0962f67ff1

SHA512
95b2ba94e157d50f4c5937bb590c443c56855f3d8194d6ef2bc30c26cadb02187b719375fd4f6448faa1d504a4c6c36c1494548bc95f44b78739fca4193c24b0

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
88KB

MD5
70cf61e095af43ddc8e576eda7f4c4b8

SHA1
d11ecb46ac5521ca6bee46908fddd6e79ac58c6c

SHA256
a56260b24aa452dbaffac55db834692c321bbefde51b0c8ded9c2c0962f67ff1

SHA512
95b2ba94e157d50f4c5937bb590c443c56855f3d8194d6ef2bc30c26cadb02187b719375fd4f6448faa1d504a4c6c36c1494548bc95f44b78739fca4193c24b0

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
88KB

MD5
5cc02d865e88d183872e7f352bc16fa7

SHA1
7b13a17b1bf228ded33b6dfd2106bcdbc29f2e70

SHA256
e934fd9ee6269798c8e5566ebf91be37d95538ce2a9ba191208d579d89937c57

SHA512
c23287e93af7a42b3deae76e299b58e58f309bb0df888940a554cc48e4c48810664b7ada010093d31506f3a1a7bec7cd38197a4a1ebbf23d19b62c3cda19f972

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
88KB

MD5
5cc02d865e88d183872e7f352bc16fa7

SHA1
7b13a17b1bf228ded33b6dfd2106bcdbc29f2e70

SHA256
e934fd9ee6269798c8e5566ebf91be37d95538ce2a9ba191208d579d89937c57

SHA512
c23287e93af7a42b3deae76e299b58e58f309bb0df888940a554cc48e4c48810664b7ada010093d31506f3a1a7bec7cd38197a4a1ebbf23d19b62c3cda19f972

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
88KB

MD5
7c78011a7815d9a6931accb070fff27b

SHA1
32446a259b2b93c357188ed9aa988db7b67d44cf

SHA256
3e4c125e01dfcd56d363eb4f1630ed589aba54059539460900abda43f5e8092c

SHA512
1650ae0174b9ba64d092f00b2ba6cdfde5395ab7e007aeda5682b542b462aacca7915e3e813a995a5823ab5860ec11aafc81624f962a8bd776808bb87fc3885d

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
88KB

MD5
7c78011a7815d9a6931accb070fff27b

SHA1
32446a259b2b93c357188ed9aa988db7b67d44cf

SHA256
3e4c125e01dfcd56d363eb4f1630ed589aba54059539460900abda43f5e8092c

SHA512
1650ae0174b9ba64d092f00b2ba6cdfde5395ab7e007aeda5682b542b462aacca7915e3e813a995a5823ab5860ec11aafc81624f962a8bd776808bb87fc3885d

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
88KB

MD5
2ac85c8bff67fe6fcbf1fe5def43942e

SHA1
b10e2164ae84d9be36f89483f47dc38937269281

SHA256
617c95b754d9f27eccf705d84014883092929b0dbf31f7dad12d9c0c9bd98e0d

SHA512
949035da4cad864870da5282a56cedc6da61743764d5de686d048b436efa8253636d0ed60ff8e9d21bdf3e6945d84fbc195a7a09ad57b44fbecd363711c8570d

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
88KB

MD5
2ac85c8bff67fe6fcbf1fe5def43942e

SHA1
b10e2164ae84d9be36f89483f47dc38937269281

SHA256
617c95b754d9f27eccf705d84014883092929b0dbf31f7dad12d9c0c9bd98e0d

SHA512
949035da4cad864870da5282a56cedc6da61743764d5de686d048b436efa8253636d0ed60ff8e9d21bdf3e6945d84fbc195a7a09ad57b44fbecd363711c8570d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
88KB

MD5
4d1d212feefb0d253056b8e96e932b42

SHA1
615536994658f9fb5d08e715f7e2f822d37adf99

SHA256
dd7388f754b7b2556772584f5bae7af72179effe8de9c97d78cc35a09c392872

SHA512
8d24399676ffac3a252aadcfc130eb3fe5fa43c01a41a8e175e034bfe8b59cff268fcc7adec1e1533c61533121735a91e0b75c8a0438c8ce1b525136a99a471b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
88KB

MD5
4d1d212feefb0d253056b8e96e932b42

SHA1
615536994658f9fb5d08e715f7e2f822d37adf99

SHA256
dd7388f754b7b2556772584f5bae7af72179effe8de9c97d78cc35a09c392872

SHA512
8d24399676ffac3a252aadcfc130eb3fe5fa43c01a41a8e175e034bfe8b59cff268fcc7adec1e1533c61533121735a91e0b75c8a0438c8ce1b525136a99a471b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
88KB

MD5
7c78011a7815d9a6931accb070fff27b

SHA1
32446a259b2b93c357188ed9aa988db7b67d44cf

SHA256
3e4c125e01dfcd56d363eb4f1630ed589aba54059539460900abda43f5e8092c

SHA512
1650ae0174b9ba64d092f00b2ba6cdfde5395ab7e007aeda5682b542b462aacca7915e3e813a995a5823ab5860ec11aafc81624f962a8bd776808bb87fc3885d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
88KB

MD5
7c78011a7815d9a6931accb070fff27b

SHA1
32446a259b2b93c357188ed9aa988db7b67d44cf

SHA256
3e4c125e01dfcd56d363eb4f1630ed589aba54059539460900abda43f5e8092c

SHA512
1650ae0174b9ba64d092f00b2ba6cdfde5395ab7e007aeda5682b542b462aacca7915e3e813a995a5823ab5860ec11aafc81624f962a8bd776808bb87fc3885d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
88KB

MD5
4d1d212feefb0d253056b8e96e932b42

SHA1
615536994658f9fb5d08e715f7e2f822d37adf99

SHA256
dd7388f754b7b2556772584f5bae7af72179effe8de9c97d78cc35a09c392872

SHA512
8d24399676ffac3a252aadcfc130eb3fe5fa43c01a41a8e175e034bfe8b59cff268fcc7adec1e1533c61533121735a91e0b75c8a0438c8ce1b525136a99a471b

Download Submit
\Program Files\Common Files\backup.exe

Filesize
88KB

MD5
7f68f8e8bfcbbd88a717529b88b882a3

SHA1
29ee53af5984bc26f0ff8222b830c81687f91d07

SHA256
9e9b6a1b9b98a72aac3c807f715650c8ce03e36bede448152369fd5ff55ee473

SHA512
6c974f60e29bb04289f20ce8ded54e1af9bbd64df85f6845fde55610647340bab1e8b454be44919de905debb88b01d5adbbda2c94d26a50578351ca65f40946d

Download Submit
\Program Files\Common Files\backup.exe

Filesize
88KB

MD5
7f68f8e8bfcbbd88a717529b88b882a3

SHA1
29ee53af5984bc26f0ff8222b830c81687f91d07

SHA256
9e9b6a1b9b98a72aac3c807f715650c8ce03e36bede448152369fd5ff55ee473

SHA512
6c974f60e29bb04289f20ce8ded54e1af9bbd64df85f6845fde55610647340bab1e8b454be44919de905debb88b01d5adbbda2c94d26a50578351ca65f40946d

Download Submit
\Program Files\backup.exe

Filesize
88KB

MD5
3e75e1af08cf091cbe2a4d099db72855

SHA1
c9dd62883fca7d056f2eb861526158e9f8936716

SHA256
b92b5aa9fe8812c8cb4274fe543811759276e27ce99ab35960cd5b534c11c7ee

SHA512
739895151129e7bbeed67923dbccbbcbda716c7f122ffd299e7bf191df46446c6bf3be9f34ccfed4987f28b706d1f5c82b2f79eda7045f1b1f40af527bc8e83a

Download Submit
\Program Files\backup.exe

Filesize
88KB

MD5
3e75e1af08cf091cbe2a4d099db72855

SHA1
c9dd62883fca7d056f2eb861526158e9f8936716

SHA256
b92b5aa9fe8812c8cb4274fe543811759276e27ce99ab35960cd5b534c11c7ee

SHA512
739895151129e7bbeed67923dbccbbcbda716c7f122ffd299e7bf191df46446c6bf3be9f34ccfed4987f28b706d1f5c82b2f79eda7045f1b1f40af527bc8e83a

Download Submit
\Users\Admin\AppData\Local\Temp\1685968619\backup.exe

Filesize
88KB

MD5
6521fd6fbc888aff4b8f2309d8e2afc6

SHA1
51b35b7e4122f3c41ee66c1155cea679c692cfc4

SHA256
d686d0967b04b7eb5a3ad40dfbc13708602968f13deffe0c7ffd260a06959721

SHA512
f18a9719f6cdaab11f2315f677cde5021081ece426d50ad234ab60ee5c27d25aa068144de432086ae9b4c3aab7beb545ef129603c98ab53505770cff578f115f

Download Submit
\Users\Admin\AppData\Local\Temp\1685968619\backup.exe

Filesize
88KB

MD5
6521fd6fbc888aff4b8f2309d8e2afc6

SHA1
51b35b7e4122f3c41ee66c1155cea679c692cfc4

SHA256
d686d0967b04b7eb5a3ad40dfbc13708602968f13deffe0c7ffd260a06959721

SHA512
f18a9719f6cdaab11f2315f677cde5021081ece426d50ad234ab60ee5c27d25aa068144de432086ae9b4c3aab7beb545ef129603c98ab53505770cff578f115f

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
88KB

MD5
394b32833d62c77ce8a37b017fe4b1b9

SHA1
29a0b7587d12906726af38a910c18087dd78347e

SHA256
b86f67824add24bea35b3112948e9c2e81fea1f5594673aa5cb48fe73fd92db8

SHA512
6f3f473d1417a946f28220b2d06440fcec94313a7f6c7419c46c866c73a5b2b96c07132c560dbe2f3ec860a84b93a829366eb14b1df6efc3b23d718db7160f4e

Download Submit
memory/268-75-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/760-224-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1212-206-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1212-151-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1212-150-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1212-155-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1212-165-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1212-111-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1352-166-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/1352-242-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/1352-194-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/1352-201-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1616-329-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1656-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1780-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1808-270-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1916-275-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1916-258-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1916-218-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1948-279-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1980-182-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1980-192-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2136-178-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/2136-191-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2136-180-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/2176-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2176-129-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2176-115-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2176-73-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2176-135-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2176-24-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2176-84-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2176-183-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2176-11-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2176-45-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2176-35-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2176-37-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2224-305-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2232-238-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2232-208-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2300-34-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2304-332-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2304-333-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2304-337-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2340-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2340-153-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2340-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2340-100-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2496-251-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2588-310-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2588-247-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2588-274-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2588-256-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2588-281-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2588-285-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2588-245-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2588-301-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2640-314-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2652-142-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2656-141-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2820-85-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2940-296-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2944-261-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2996-89-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads