d236efb61c4c82edffeeac844032d329df771b8f26ca6356158841f89dd924e8

Analysis

max time kernel
10s
max time network
127s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
04/11/2023, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b765b33b03ee31274927c81665461950.exe
Size

88KB
MD5

b765b33b03ee31274927c81665461950
SHA1

400b7df9e1dd754f888623e4fe963d23b52da44c
SHA256

d236efb61c4c82edffeeac844032d329df771b8f26ca6356158841f89dd924e8
SHA512

69461718ee7f6c21d9513accacf0b4f4b21c1626fad7d2f67dca1c46c6de37a6170118ecf52093e1f00b00128c5d7c3cbc23ecb40d91e3963b1e3646df92730f
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEmP:BeT7BVwxfvEFwjRP

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 39 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.b765b33b03ee31274927c81665461950.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 40 IoCs

pid	Process
2984	backup.exe
568	backup.exe
2612	backup.exe
2620	backup.exe
2580	update.exe
2680	backup.exe
2484	backup.exe
2900	backup.exe
2448	backup.exe
2764	backup.exe
2440	backup.exe
1140	backup.exe
1860	backup.exe
1780	backup.exe
1560	backup.exe
2560	backup.exe
2944	backup.exe
1868	backup.exe
1736	backup.exe
2300	backup.exe
2072	backup.exe
2876	backup.exe
1220	backup.exe
2256	backup.exe
2000	backup.exe
2820	backup.exe
2956	backup.exe
568	backup.exe
2720	backup.exe
2704	backup.exe
2752	backup.exe
2628	backup.exe
2464	backup.exe
2892	backup.exe
580	backup.exe
824	data.exe
2756	update.exe
2344	backup.exe
2132	backup.exe
1120	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2412	NEAS.b765b33b03ee31274927c81665461950.exe
2412	NEAS.b765b33b03ee31274927c81665461950.exe
2412	NEAS.b765b33b03ee31274927c81665461950.exe
2412	NEAS.b765b33b03ee31274927c81665461950.exe
2412	NEAS.b765b33b03ee31274927c81665461950.exe
2412	NEAS.b765b33b03ee31274927c81665461950.exe
2412	NEAS.b765b33b03ee31274927c81665461950.exe
2412	NEAS.b765b33b03ee31274927c81665461950.exe
2412	NEAS.b765b33b03ee31274927c81665461950.exe
2580	update.exe
2580	update.exe
2580	update.exe
2412	NEAS.b765b33b03ee31274927c81665461950.exe
2412	NEAS.b765b33b03ee31274927c81665461950.exe
2412	NEAS.b765b33b03ee31274927c81665461950.exe
2412	NEAS.b765b33b03ee31274927c81665461950.exe
2900	backup.exe
2900	backup.exe
2448	backup.exe
2448	backup.exe
2900	backup.exe
2900	backup.exe
2440	backup.exe
2440	backup.exe
1140	backup.exe
1140	backup.exe
2440	backup.exe
2440	backup.exe
1780	backup.exe
1780	backup.exe
1560	backup.exe
1560	backup.exe
1560	backup.exe
1560	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2944	backup.exe
2720	backup.exe
2720	backup.exe
2720	backup.exe
2720	backup.exe
2720	backup.exe
2720	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2412-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x002c000000015ce1-5.dat	upx
behavioral1/files/0x002c000000015ce1-7.dat	upx
behavioral1/files/0x002c000000015ce1-12.dat	upx
behavioral1/files/0x002c000000015ce1-9.dat	upx
behavioral1/memory/2984-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015ed7-17.dat	upx
behavioral1/files/0x0007000000015ed7-19.dat	upx
behavioral1/files/0x0007000000015ed7-23.dat	upx
behavioral1/memory/568-27-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000016372-28.dat	upx
behavioral1/files/0x0008000000016372-35.dat	upx
behavioral1/files/0x0008000000016372-30.dat	upx
behavioral1/files/0x000a0000000161a5-46.dat	upx
behavioral1/memory/2412-45-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000a0000000161a5-41.dat	upx
behavioral1/files/0x000a0000000161a5-39.dat	upx
behavioral1/files/0x000600000001666b-51.dat	upx
behavioral1/memory/2620-53-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000600000001666b-55.dat	upx
behavioral1/files/0x000600000001666b-57.dat	upx
behavioral1/memory/2984-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000600000001666b-58.dat	upx
behavioral1/files/0x000600000001666b-59.dat	upx
behavioral1/files/0x000600000001666b-60.dat	upx
behavioral1/files/0x000600000001682e-67.dat	upx
behavioral1/files/0x000600000001682e-73.dat	upx
behavioral1/memory/2612-74-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2580-72-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000600000001682e-65.dat	upx
behavioral1/memory/2680-78-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x00080000000165d3-85.dat	upx
behavioral1/files/0x00080000000165d3-81.dat	upx
behavioral1/files/0x00080000000165d3-79.dat	upx
behavioral1/files/0x002c000000015ce1-90.dat	upx
behavioral1/memory/2484-89-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0018000000015cf0-97.dat	upx
behavioral1/files/0x0018000000015cf0-100.dat	upx
behavioral1/files/0x0006000000016c34-102.dat	upx
behavioral1/files/0x0006000000016c34-105.dat	upx
behavioral1/files/0x0006000000016c34-110.dat	upx
behavioral1/files/0x0006000000016c34-115.dat	upx
behavioral1/files/0x0006000000016c7f-124.dat	upx
behavioral1/files/0x0006000000016c7f-119.dat	upx
behavioral1/files/0x0006000000016c7f-117.dat	upx
behavioral1/files/0x0007000000016cdd-147.dat	upx
behavioral1/files/0x0007000000016cdd-152.dat	upx
behavioral1/files/0x0007000000016cdd-144.dat	upx
behavioral1/memory/2764-143-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2448-142-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016cdd-156.dat	upx
behavioral1/files/0x0007000000016c3c-165.dat	upx
behavioral1/memory/2900-168-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016c3c-160.dat	upx
behavioral1/files/0x0007000000016c3c-158.dat	upx
behavioral1/files/0x0007000000016c3c-171.dat	upx
behavioral1/files/0x0006000000016cfa-173.dat	upx
behavioral1/files/0x0006000000016cfa-176.dat	upx
behavioral1/files/0x0006000000016cfa-180.dat	upx
behavioral1/files/0x0007000000016d01-194.dat	upx
behavioral1/files/0x0007000000016d01-189.dat	upx
behavioral1/memory/1140-196-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1860-187-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016d01-186.dat	upx

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\update.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2412	NEAS.b765b33b03ee31274927c81665461950.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
2412	NEAS.b765b33b03ee31274927c81665461950.exe
2984	backup.exe
568	backup.exe
2612	backup.exe
2620	backup.exe
2580	update.exe
2680	backup.exe
2484	backup.exe
2900	backup.exe
2448	backup.exe
2764	backup.exe
2440	backup.exe
1140	backup.exe
1860	backup.exe
1780	backup.exe
1560	backup.exe
2560	backup.exe
2944	backup.exe
1868	backup.exe
1736	backup.exe
2300	backup.exe
2072	backup.exe
2876	backup.exe
1220	backup.exe
2256	backup.exe
2820	backup.exe
2956	backup.exe
568	backup.exe
2720	backup.exe
2704	backup.exe
2752	backup.exe
2628	backup.exe
2464	backup.exe
2892	backup.exe
580	backup.exe
824	data.exe
2756	update.exe
2344	backup.exe
2132	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2984	2412	NEAS.b765b33b03ee31274927c81665461950.exe	28
PID 2412 wrote to memory of 2984	2412	NEAS.b765b33b03ee31274927c81665461950.exe	28
PID 2412 wrote to memory of 2984	2412	NEAS.b765b33b03ee31274927c81665461950.exe	28
PID 2412 wrote to memory of 2984	2412	NEAS.b765b33b03ee31274927c81665461950.exe	28
PID 2412 wrote to memory of 568	2412	NEAS.b765b33b03ee31274927c81665461950.exe	29
PID 2412 wrote to memory of 568	2412	NEAS.b765b33b03ee31274927c81665461950.exe	29
PID 2412 wrote to memory of 568	2412	NEAS.b765b33b03ee31274927c81665461950.exe	29
PID 2412 wrote to memory of 568	2412	NEAS.b765b33b03ee31274927c81665461950.exe	29
PID 2412 wrote to memory of 2612	2412	NEAS.b765b33b03ee31274927c81665461950.exe	30
PID 2412 wrote to memory of 2612	2412	NEAS.b765b33b03ee31274927c81665461950.exe	30
PID 2412 wrote to memory of 2612	2412	NEAS.b765b33b03ee31274927c81665461950.exe	30
PID 2412 wrote to memory of 2612	2412	NEAS.b765b33b03ee31274927c81665461950.exe	30
PID 2412 wrote to memory of 2620	2412	NEAS.b765b33b03ee31274927c81665461950.exe	31
PID 2412 wrote to memory of 2620	2412	NEAS.b765b33b03ee31274927c81665461950.exe	31
PID 2412 wrote to memory of 2620	2412	NEAS.b765b33b03ee31274927c81665461950.exe	31
PID 2412 wrote to memory of 2620	2412	NEAS.b765b33b03ee31274927c81665461950.exe	31
PID 2412 wrote to memory of 2580	2412	NEAS.b765b33b03ee31274927c81665461950.exe	32
PID 2412 wrote to memory of 2580	2412	NEAS.b765b33b03ee31274927c81665461950.exe	32
PID 2412 wrote to memory of 2580	2412	NEAS.b765b33b03ee31274927c81665461950.exe	32
PID 2412 wrote to memory of 2580	2412	NEAS.b765b33b03ee31274927c81665461950.exe	32
PID 2412 wrote to memory of 2580	2412	NEAS.b765b33b03ee31274927c81665461950.exe	32
PID 2412 wrote to memory of 2580	2412	NEAS.b765b33b03ee31274927c81665461950.exe	32
PID 2412 wrote to memory of 2580	2412	NEAS.b765b33b03ee31274927c81665461950.exe	32
PID 2412 wrote to memory of 2680	2412	NEAS.b765b33b03ee31274927c81665461950.exe	33
PID 2412 wrote to memory of 2680	2412	NEAS.b765b33b03ee31274927c81665461950.exe	33
PID 2412 wrote to memory of 2680	2412	NEAS.b765b33b03ee31274927c81665461950.exe	33
PID 2412 wrote to memory of 2680	2412	NEAS.b765b33b03ee31274927c81665461950.exe	33
PID 2412 wrote to memory of 2484	2412	NEAS.b765b33b03ee31274927c81665461950.exe	34
PID 2412 wrote to memory of 2484	2412	NEAS.b765b33b03ee31274927c81665461950.exe	34
PID 2412 wrote to memory of 2484	2412	NEAS.b765b33b03ee31274927c81665461950.exe	34
PID 2412 wrote to memory of 2484	2412	NEAS.b765b33b03ee31274927c81665461950.exe	34
PID 2984 wrote to memory of 2900	2984	backup.exe	35
PID 2984 wrote to memory of 2900	2984	backup.exe	35
PID 2984 wrote to memory of 2900	2984	backup.exe	35
PID 2984 wrote to memory of 2900	2984	backup.exe	35
PID 2900 wrote to memory of 2448	2900	backup.exe	36
PID 2900 wrote to memory of 2448	2900	backup.exe	36
PID 2900 wrote to memory of 2448	2900	backup.exe	36
PID 2900 wrote to memory of 2448	2900	backup.exe	36
PID 2448 wrote to memory of 2764	2448	backup.exe	37
PID 2448 wrote to memory of 2764	2448	backup.exe	37
PID 2448 wrote to memory of 2764	2448	backup.exe	37
PID 2448 wrote to memory of 2764	2448	backup.exe	37
PID 2900 wrote to memory of 2440	2900	backup.exe	38
PID 2900 wrote to memory of 2440	2900	backup.exe	38
PID 2900 wrote to memory of 2440	2900	backup.exe	38
PID 2900 wrote to memory of 2440	2900	backup.exe	38
PID 2440 wrote to memory of 1140	2440	backup.exe	39
PID 2440 wrote to memory of 1140	2440	backup.exe	39
PID 2440 wrote to memory of 1140	2440	backup.exe	39
PID 2440 wrote to memory of 1140	2440	backup.exe	39
PID 1140 wrote to memory of 1860	1140	backup.exe	40
PID 1140 wrote to memory of 1860	1140	backup.exe	40
PID 1140 wrote to memory of 1860	1140	backup.exe	40
PID 1140 wrote to memory of 1860	1140	backup.exe	40
PID 2440 wrote to memory of 1780	2440	backup.exe	41
PID 2440 wrote to memory of 1780	2440	backup.exe	41
PID 2440 wrote to memory of 1780	2440	backup.exe	41
PID 2440 wrote to memory of 1780	2440	backup.exe	41
PID 1780 wrote to memory of 1560	1780	backup.exe	42
PID 1780 wrote to memory of 1560	1780	backup.exe	42
PID 1780 wrote to memory of 1560	1780	backup.exe	42
PID 1780 wrote to memory of 1560	1780	backup.exe	42
PID 1560 wrote to memory of 2560	1560	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.b765b33b03ee31274927c81665461950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.b765b33b03ee31274927c81665461950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.b765b33b03ee31274927c81665461950.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b765b33b03ee31274927c81665461950.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2412
- C:\Users\Admin\AppData\Local\Temp\2154603369\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2154603369\backup.exe C:\Users\Admin\AppData\Local\Temp\2154603369\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2984
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2900
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2448
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2764
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2440
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1140
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1860
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1780
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1220
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2256
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2720
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2628
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        
        PID:2344
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2132
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:1860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:3056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1256
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:1896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:1880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1088
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:2256
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:2668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:2196
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:928
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:1268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        
        PID:2896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:3004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        
        PID:2732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:2872
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:2544
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:2820
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:2724
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:3004
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1088
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:2892
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2252
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2300
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2704
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2676
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2668
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:1964
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:2484
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1684
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:940
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:1836
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1648
        
        C:\Program Files\Common Files\System\en-US\update.exe
        
        "C:\Program Files\Common Files\System\en-US\update.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1996
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        
        PID:1720
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:2740
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1456
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1080
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1752
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1340
      - C:\Program Files\DVD Maker\ja-JP\update.exe
        
        "C:\Program Files\DVD Maker\ja-JP\update.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1772
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:2084
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:2508
      - C:\Program Files\Google\Chrome\update.exe
        
        "C:\Program Files\Google\Chrome\update.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:2764
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1484
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2244
      - C:\Program Files\Internet Explorer\de-DE\System Restore.exe
        
        "C:\Program Files\Internet Explorer\de-DE\System Restore.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:2124
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:488
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2412
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2232
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2388
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:2608
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:1600
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2220
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1740
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:2716
        
        C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        
        PID:392
        
        C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        7⤵
        
        PID:1780
        
        C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
        7⤵
        
        PID:2660
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:2364
    - - C:\Program Files\Microsoft Games\System Restore.exe
        
        "C:\Program Files\Microsoft Games\System Restore.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2592
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:1668
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1448
      - C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:2032
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2184
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2100
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2932
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2036
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:2656
    - - C:\Program Files\Windows Journal\backup.exe
        
        "C:\Program Files\Windows Journal\backup.exe" C:\Program Files\Windows Journal\
        5⤵
        
        PID:2556
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      PID:948
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:1736
      - C:\Program Files (x86)\Adobe\Reader 9.0\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:2432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:2980
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:2600
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:2276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:2772
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1640
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:2780
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1256
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2060
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1112
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:2376
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:2352
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1884
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1240
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:2448
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:2864
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:2708
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:936
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2876
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:272
    - - C:\Program Files (x86)\Common Files\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System Restore.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2776
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:2268
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:2800
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:3020
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2736
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2628
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1556
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:916
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2344
    - - C:\Program Files (x86)\Internet Explorer\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\System Restore.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1188
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1552
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1288
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2524
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:3012
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:996
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2040
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2552
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:2432
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:1828
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:2680
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1116
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:568
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2612
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
88KB

MD5
f466a08bd0ae733e3ed7939c9f090d0f

SHA1
f2838839f633655069e95637961c1d09aa6ea02c

SHA256
cd8f701bd0264435401ac97dd53756e5ab1b8baba5e95a3ac5aa80118ca01cd4

SHA512
9c8034d30f040d5e17ec4157b013a18f2ae76d55e2294a82779fef5a8c7c59ec37e6b4aab936e3377962a35d1c6fd4b319399bb39375f5c204a73c0ee2148382

Download Submit
C:\PerfLogs\backup.exe

Filesize
88KB

MD5
420e7a8eb9f23688df3268b8b9e4a9e7

SHA1
dfcbab4d22677a3dd9fb0c746dd267dcde5ce322

SHA256
67e59e0532f7ae7056736ceefa305f57b4c2c93e3b2711fd7d3766f0fdc9aeda

SHA512
d3b54f476128b20404011b2244702f5b7f324d38f8f92d60e6f8bb0580cc048282aefbd318f955babe36f748ec363147ea234e94a28baa70106e1fc811f6cfa0

Download Submit
C:\PerfLogs\backup.exe

Filesize
88KB

MD5
420e7a8eb9f23688df3268b8b9e4a9e7

SHA1
dfcbab4d22677a3dd9fb0c746dd267dcde5ce322

SHA256
67e59e0532f7ae7056736ceefa305f57b4c2c93e3b2711fd7d3766f0fdc9aeda

SHA512
d3b54f476128b20404011b2244702f5b7f324d38f8f92d60e6f8bb0580cc048282aefbd318f955babe36f748ec363147ea234e94a28baa70106e1fc811f6cfa0

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
88KB

MD5
c2b4dcccc891890b9d695fd785979600

SHA1
8b2eaaa111398ba426a6724b9031f1b1aadf6a34

SHA256
1a19ee02c1fb19a24484120fc0a683b72067dfbe52140ffe1a6cc5f4e4fd4ae8

SHA512
fe4f6cc9a26604c8f49ea6914a41d6638b186280c958f8959e07ce058987164e4e560865dc037dc48b96f8283409b38825d26828e2fb2e4b9b239a1058682a3f

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
88KB

MD5
f466a08bd0ae733e3ed7939c9f090d0f

SHA1
f2838839f633655069e95637961c1d09aa6ea02c

SHA256
cd8f701bd0264435401ac97dd53756e5ab1b8baba5e95a3ac5aa80118ca01cd4

SHA512
9c8034d30f040d5e17ec4157b013a18f2ae76d55e2294a82779fef5a8c7c59ec37e6b4aab936e3377962a35d1c6fd4b319399bb39375f5c204a73c0ee2148382

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
88KB

MD5
f466a08bd0ae733e3ed7939c9f090d0f

SHA1
f2838839f633655069e95637961c1d09aa6ea02c

SHA256
cd8f701bd0264435401ac97dd53756e5ab1b8baba5e95a3ac5aa80118ca01cd4

SHA512
9c8034d30f040d5e17ec4157b013a18f2ae76d55e2294a82779fef5a8c7c59ec37e6b4aab936e3377962a35d1c6fd4b319399bb39375f5c204a73c0ee2148382

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
88KB

MD5
54e0c6fa706ae1dbc0696749e6aad51b

SHA1
8e355cf4f949ff2cc9e7669db5bd5e336fc9755d

SHA256
186dd47dedca37ff040f21959232edd4a62bb99b6fdf90b57ac71d9923fc8ab3

SHA512
474e4ed6f912ca898b456086cc20067424c84d7e08ec90fee3543174d15dd498feb5afc6add4b4631d800fd6aec0be17c9a56628606715024290b26df3e23244

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
88KB

MD5
aa31a778d87376af463bc5f373035868

SHA1
d12394cfe96db283cd964fb6e2c0807ff67fda5f

SHA256
19f8902d48474648766cd06a982da6d37e522aedf71d021686b998cd06345bc3

SHA512
f46a0232c9f0e8d9ca86c534fc7995dce7bdbb13e1c2483c762c1bf84a02d4140bda58047e55038a8b3ec117e055ce49e91f29671f008260d0139da7679d59b9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
88KB

MD5
aa31a778d87376af463bc5f373035868

SHA1
d12394cfe96db283cd964fb6e2c0807ff67fda5f

SHA256
19f8902d48474648766cd06a982da6d37e522aedf71d021686b998cd06345bc3

SHA512
f46a0232c9f0e8d9ca86c534fc7995dce7bdbb13e1c2483c762c1bf84a02d4140bda58047e55038a8b3ec117e055ce49e91f29671f008260d0139da7679d59b9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
88KB

MD5
c7165de8bd4fc822f7b651d0a25e2848

SHA1
245635636f4ca76538dec7b7e3e611815fc81f5f

SHA256
aa2e62bc4da692c5aad2e01620b386ef80e82b7feb45e7d1f4d02f5cffd7225f

SHA512
99a6be746f3e924baf16fbb737ffc3da250ecb32299360f42fa148ab5efcd57e46eb68cdddbe533c20c3a1cf0f803b2a9aff597f7a9a0d1005f3b8d05d2fc0a6

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
88KB

MD5
54e0c6fa706ae1dbc0696749e6aad51b

SHA1
8e355cf4f949ff2cc9e7669db5bd5e336fc9755d

SHA256
186dd47dedca37ff040f21959232edd4a62bb99b6fdf90b57ac71d9923fc8ab3

SHA512
474e4ed6f912ca898b456086cc20067424c84d7e08ec90fee3543174d15dd498feb5afc6add4b4631d800fd6aec0be17c9a56628606715024290b26df3e23244

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
88KB

MD5
54e0c6fa706ae1dbc0696749e6aad51b

SHA1
8e355cf4f949ff2cc9e7669db5bd5e336fc9755d

SHA256
186dd47dedca37ff040f21959232edd4a62bb99b6fdf90b57ac71d9923fc8ab3

SHA512
474e4ed6f912ca898b456086cc20067424c84d7e08ec90fee3543174d15dd498feb5afc6add4b4631d800fd6aec0be17c9a56628606715024290b26df3e23244

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
88KB

MD5
9e32699cd8c4d45051114a821094e865

SHA1
88cba18b2b32e85ce8e18b15f891661df42f400e

SHA256
5b892edec795dedd5b71def555417df33b6267be7a42d0dd7892fba40cfa14a9

SHA512
689d49e6d5b6e21be66b7f089505d047557f08e06a6997936bcb39a8973370fe6cbd94b09e4cd8b4abf61cdb55f48b7d02a7ead084cf0a34f91d78567d00993d

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
88KB

MD5
9e32699cd8c4d45051114a821094e865

SHA1
88cba18b2b32e85ce8e18b15f891661df42f400e

SHA256
5b892edec795dedd5b71def555417df33b6267be7a42d0dd7892fba40cfa14a9

SHA512
689d49e6d5b6e21be66b7f089505d047557f08e06a6997936bcb39a8973370fe6cbd94b09e4cd8b4abf61cdb55f48b7d02a7ead084cf0a34f91d78567d00993d

Download Submit
C:\Program Files\backup.exe

Filesize
88KB

MD5
420e7a8eb9f23688df3268b8b9e4a9e7

SHA1
dfcbab4d22677a3dd9fb0c746dd267dcde5ce322

SHA256
67e59e0532f7ae7056736ceefa305f57b4c2c93e3b2711fd7d3766f0fdc9aeda

SHA512
d3b54f476128b20404011b2244702f5b7f324d38f8f92d60e6f8bb0580cc048282aefbd318f955babe36f748ec363147ea234e94a28baa70106e1fc811f6cfa0

Download Submit
C:\Program Files\backup.exe

Filesize
88KB

MD5
420e7a8eb9f23688df3268b8b9e4a9e7

SHA1
dfcbab4d22677a3dd9fb0c746dd267dcde5ce322

SHA256
67e59e0532f7ae7056736ceefa305f57b4c2c93e3b2711fd7d3766f0fdc9aeda

SHA512
d3b54f476128b20404011b2244702f5b7f324d38f8f92d60e6f8bb0580cc048282aefbd318f955babe36f748ec363147ea234e94a28baa70106e1fc811f6cfa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2154603369\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2154603369\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2154603369\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
88KB

MD5
1299a928ffebf4d81537baffac328011

SHA1
8fc3bcb1d3871b30336ea04aae5d634ace373d60

SHA256
d2fb0621b3cb6595f3070a26d3b43259268200c3e08d942af2b96c5152106a50

SHA512
904cc0b0aef2ffad4530d71b4629ccfaa8d8f79d7e235b58a0c4cb4ddf7623f033b2ec7d371a9b1d4325c6ab5140e47bc7275c61e84048c7a339123144f9014c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
30KB

MD5
3691d7288c510b08c9caa2fb99e8e1d5

SHA1
fcc224d5c98eb24f81611d79d426c9b2c25b3c61

SHA256
571e5c1b0722450bca8bc14e5a0bea1ef271dd945ddaeb72890e57159ef34ad3

SHA512
086acd840210fb19b9375df02945f4f957c5c4ace7a9cb60965e425139f49d50b287080692b91bb967ca254dde2ad0241db2f06254c359d8db110cf44427a2ae

Download Submit
C:\backup.exe

Filesize
88KB

MD5
ffa325870315e073be6b1efd02b4ef57

SHA1
7447298a3838599e6ababbd1cd1fd11db1d4c26b

SHA256
19c7d39d424b8c20cc9a72c60659fc671d1266c6622af51ccf4b3494d9bf0081

SHA512
f1cfe816a950f17b9fa552a1086893a75ae0efa139646c686255182cab09b8ba46881312cf68dd34f5d96e90389eeba89fedc1847c8801b6c88dd5b8cfe79a57

Download Submit
C:\backup.exe

Filesize
88KB

MD5
ffa325870315e073be6b1efd02b4ef57

SHA1
7447298a3838599e6ababbd1cd1fd11db1d4c26b

SHA256
19c7d39d424b8c20cc9a72c60659fc671d1266c6622af51ccf4b3494d9bf0081

SHA512
f1cfe816a950f17b9fa552a1086893a75ae0efa139646c686255182cab09b8ba46881312cf68dd34f5d96e90389eeba89fedc1847c8801b6c88dd5b8cfe79a57

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
88KB

MD5
f466a08bd0ae733e3ed7939c9f090d0f

SHA1
f2838839f633655069e95637961c1d09aa6ea02c

SHA256
cd8f701bd0264435401ac97dd53756e5ab1b8baba5e95a3ac5aa80118ca01cd4

SHA512
9c8034d30f040d5e17ec4157b013a18f2ae76d55e2294a82779fef5a8c7c59ec37e6b4aab936e3377962a35d1c6fd4b319399bb39375f5c204a73c0ee2148382

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
88KB

MD5
f466a08bd0ae733e3ed7939c9f090d0f

SHA1
f2838839f633655069e95637961c1d09aa6ea02c

SHA256
cd8f701bd0264435401ac97dd53756e5ab1b8baba5e95a3ac5aa80118ca01cd4

SHA512
9c8034d30f040d5e17ec4157b013a18f2ae76d55e2294a82779fef5a8c7c59ec37e6b4aab936e3377962a35d1c6fd4b319399bb39375f5c204a73c0ee2148382

Download Submit
\PerfLogs\backup.exe

Filesize
88KB

MD5
420e7a8eb9f23688df3268b8b9e4a9e7

SHA1
dfcbab4d22677a3dd9fb0c746dd267dcde5ce322

SHA256
67e59e0532f7ae7056736ceefa305f57b4c2c93e3b2711fd7d3766f0fdc9aeda

SHA512
d3b54f476128b20404011b2244702f5b7f324d38f8f92d60e6f8bb0580cc048282aefbd318f955babe36f748ec363147ea234e94a28baa70106e1fc811f6cfa0

Download Submit
\PerfLogs\backup.exe

Filesize
88KB

MD5
420e7a8eb9f23688df3268b8b9e4a9e7

SHA1
dfcbab4d22677a3dd9fb0c746dd267dcde5ce322

SHA256
67e59e0532f7ae7056736ceefa305f57b4c2c93e3b2711fd7d3766f0fdc9aeda

SHA512
d3b54f476128b20404011b2244702f5b7f324d38f8f92d60e6f8bb0580cc048282aefbd318f955babe36f748ec363147ea234e94a28baa70106e1fc811f6cfa0

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
88KB

MD5
c2b4dcccc891890b9d695fd785979600

SHA1
8b2eaaa111398ba426a6724b9031f1b1aadf6a34

SHA256
1a19ee02c1fb19a24484120fc0a683b72067dfbe52140ffe1a6cc5f4e4fd4ae8

SHA512
fe4f6cc9a26604c8f49ea6914a41d6638b186280c958f8959e07ce058987164e4e560865dc037dc48b96f8283409b38825d26828e2fb2e4b9b239a1058682a3f

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
88KB

MD5
c2b4dcccc891890b9d695fd785979600

SHA1
8b2eaaa111398ba426a6724b9031f1b1aadf6a34

SHA256
1a19ee02c1fb19a24484120fc0a683b72067dfbe52140ffe1a6cc5f4e4fd4ae8

SHA512
fe4f6cc9a26604c8f49ea6914a41d6638b186280c958f8959e07ce058987164e4e560865dc037dc48b96f8283409b38825d26828e2fb2e4b9b239a1058682a3f

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
88KB

MD5
f466a08bd0ae733e3ed7939c9f090d0f

SHA1
f2838839f633655069e95637961c1d09aa6ea02c

SHA256
cd8f701bd0264435401ac97dd53756e5ab1b8baba5e95a3ac5aa80118ca01cd4

SHA512
9c8034d30f040d5e17ec4157b013a18f2ae76d55e2294a82779fef5a8c7c59ec37e6b4aab936e3377962a35d1c6fd4b319399bb39375f5c204a73c0ee2148382

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
88KB

MD5
f466a08bd0ae733e3ed7939c9f090d0f

SHA1
f2838839f633655069e95637961c1d09aa6ea02c

SHA256
cd8f701bd0264435401ac97dd53756e5ab1b8baba5e95a3ac5aa80118ca01cd4

SHA512
9c8034d30f040d5e17ec4157b013a18f2ae76d55e2294a82779fef5a8c7c59ec37e6b4aab936e3377962a35d1c6fd4b319399bb39375f5c204a73c0ee2148382

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
88KB

MD5
54e0c6fa706ae1dbc0696749e6aad51b

SHA1
8e355cf4f949ff2cc9e7669db5bd5e336fc9755d

SHA256
186dd47dedca37ff040f21959232edd4a62bb99b6fdf90b57ac71d9923fc8ab3

SHA512
474e4ed6f912ca898b456086cc20067424c84d7e08ec90fee3543174d15dd498feb5afc6add4b4631d800fd6aec0be17c9a56628606715024290b26df3e23244

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
88KB

MD5
54e0c6fa706ae1dbc0696749e6aad51b

SHA1
8e355cf4f949ff2cc9e7669db5bd5e336fc9755d

SHA256
186dd47dedca37ff040f21959232edd4a62bb99b6fdf90b57ac71d9923fc8ab3

SHA512
474e4ed6f912ca898b456086cc20067424c84d7e08ec90fee3543174d15dd498feb5afc6add4b4631d800fd6aec0be17c9a56628606715024290b26df3e23244

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
88KB

MD5
aa31a778d87376af463bc5f373035868

SHA1
d12394cfe96db283cd964fb6e2c0807ff67fda5f

SHA256
19f8902d48474648766cd06a982da6d37e522aedf71d021686b998cd06345bc3

SHA512
f46a0232c9f0e8d9ca86c534fc7995dce7bdbb13e1c2483c762c1bf84a02d4140bda58047e55038a8b3ec117e055ce49e91f29671f008260d0139da7679d59b9

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
88KB

MD5
aa31a778d87376af463bc5f373035868

SHA1
d12394cfe96db283cd964fb6e2c0807ff67fda5f

SHA256
19f8902d48474648766cd06a982da6d37e522aedf71d021686b998cd06345bc3

SHA512
f46a0232c9f0e8d9ca86c534fc7995dce7bdbb13e1c2483c762c1bf84a02d4140bda58047e55038a8b3ec117e055ce49e91f29671f008260d0139da7679d59b9

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
88KB

MD5
c7165de8bd4fc822f7b651d0a25e2848

SHA1
245635636f4ca76538dec7b7e3e611815fc81f5f

SHA256
aa2e62bc4da692c5aad2e01620b386ef80e82b7feb45e7d1f4d02f5cffd7225f

SHA512
99a6be746f3e924baf16fbb737ffc3da250ecb32299360f42fa148ab5efcd57e46eb68cdddbe533c20c3a1cf0f803b2a9aff597f7a9a0d1005f3b8d05d2fc0a6

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
88KB

MD5
c7165de8bd4fc822f7b651d0a25e2848

SHA1
245635636f4ca76538dec7b7e3e611815fc81f5f

SHA256
aa2e62bc4da692c5aad2e01620b386ef80e82b7feb45e7d1f4d02f5cffd7225f

SHA512
99a6be746f3e924baf16fbb737ffc3da250ecb32299360f42fa148ab5efcd57e46eb68cdddbe533c20c3a1cf0f803b2a9aff597f7a9a0d1005f3b8d05d2fc0a6

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
88KB

MD5
54e0c6fa706ae1dbc0696749e6aad51b

SHA1
8e355cf4f949ff2cc9e7669db5bd5e336fc9755d

SHA256
186dd47dedca37ff040f21959232edd4a62bb99b6fdf90b57ac71d9923fc8ab3

SHA512
474e4ed6f912ca898b456086cc20067424c84d7e08ec90fee3543174d15dd498feb5afc6add4b4631d800fd6aec0be17c9a56628606715024290b26df3e23244

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
88KB

MD5
54e0c6fa706ae1dbc0696749e6aad51b

SHA1
8e355cf4f949ff2cc9e7669db5bd5e336fc9755d

SHA256
186dd47dedca37ff040f21959232edd4a62bb99b6fdf90b57ac71d9923fc8ab3

SHA512
474e4ed6f912ca898b456086cc20067424c84d7e08ec90fee3543174d15dd498feb5afc6add4b4631d800fd6aec0be17c9a56628606715024290b26df3e23244

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
88KB

MD5
7fb0a42859187f1d4fc7fb5cf21280f0

SHA1
c67b1cf737c0f2adad387f6f3d9462bfd6a814db

SHA256
2a59989643f088f5aec7e463f5fe457eecc35c157d77003d6efac223e41cf86b

SHA512
3146de606d079c719322b1fa752f2df779f8b5000c19456b61f3a6bb5d254a2d9e1d2ffed6a73ed4ad6817164b2c5eaf0bd747dd34020a3f8565faf498781f27

Download Submit
\Program Files\Common Files\backup.exe

Filesize
88KB

MD5
9e32699cd8c4d45051114a821094e865

SHA1
88cba18b2b32e85ce8e18b15f891661df42f400e

SHA256
5b892edec795dedd5b71def555417df33b6267be7a42d0dd7892fba40cfa14a9

SHA512
689d49e6d5b6e21be66b7f089505d047557f08e06a6997936bcb39a8973370fe6cbd94b09e4cd8b4abf61cdb55f48b7d02a7ead084cf0a34f91d78567d00993d

Download Submit
\Program Files\Common Files\backup.exe

Filesize
88KB

MD5
9e32699cd8c4d45051114a821094e865

SHA1
88cba18b2b32e85ce8e18b15f891661df42f400e

SHA256
5b892edec795dedd5b71def555417df33b6267be7a42d0dd7892fba40cfa14a9

SHA512
689d49e6d5b6e21be66b7f089505d047557f08e06a6997936bcb39a8973370fe6cbd94b09e4cd8b4abf61cdb55f48b7d02a7ead084cf0a34f91d78567d00993d

Download Submit
\Program Files\backup.exe

Filesize
88KB

MD5
420e7a8eb9f23688df3268b8b9e4a9e7

SHA1
dfcbab4d22677a3dd9fb0c746dd267dcde5ce322

SHA256
67e59e0532f7ae7056736ceefa305f57b4c2c93e3b2711fd7d3766f0fdc9aeda

SHA512
d3b54f476128b20404011b2244702f5b7f324d38f8f92d60e6f8bb0580cc048282aefbd318f955babe36f748ec363147ea234e94a28baa70106e1fc811f6cfa0

Download Submit
\Program Files\backup.exe

Filesize
88KB

MD5
420e7a8eb9f23688df3268b8b9e4a9e7

SHA1
dfcbab4d22677a3dd9fb0c746dd267dcde5ce322

SHA256
67e59e0532f7ae7056736ceefa305f57b4c2c93e3b2711fd7d3766f0fdc9aeda

SHA512
d3b54f476128b20404011b2244702f5b7f324d38f8f92d60e6f8bb0580cc048282aefbd318f955babe36f748ec363147ea234e94a28baa70106e1fc811f6cfa0

Download Submit
\Users\Admin\AppData\Local\Temp\2154603369\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
\Users\Admin\AppData\Local\Temp\2154603369\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
88KB

MD5
1299a928ffebf4d81537baffac328011

SHA1
8fc3bcb1d3871b30336ea04aae5d634ace373d60

SHA256
d2fb0621b3cb6595f3070a26d3b43259268200c3e08d942af2b96c5152106a50

SHA512
904cc0b0aef2ffad4530d71b4629ccfaa8d8f79d7e235b58a0c4cb4ddf7623f033b2ec7d371a9b1d4325c6ab5140e47bc7275c61e84048c7a339123144f9014c

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
88KB

MD5
1299a928ffebf4d81537baffac328011

SHA1
8fc3bcb1d3871b30336ea04aae5d634ace373d60

SHA256
d2fb0621b3cb6595f3070a26d3b43259268200c3e08d942af2b96c5152106a50

SHA512
904cc0b0aef2ffad4530d71b4629ccfaa8d8f79d7e235b58a0c4cb4ddf7623f033b2ec7d371a9b1d4325c6ab5140e47bc7275c61e84048c7a339123144f9014c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
88KB

MD5
cd915e2fce908e3cd42da8b5cdc8cbb8

SHA1
d2e4703d9101e766883610179db3a6b0efc88ca7

SHA256
3d1b1ca3f0a7eebae130e39ec326ae91754bd69181f3114e36acb940a69b3e39

SHA512
e3eaa7737a8dc14725f0c1efaacf343719efdfd999884beea6a2a37ad6f9595bbfc982daa6f37dd1984b695bdd86e8276987384136127a12398f0b608d32403f

Download Submit
memory/568-27-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1140-196-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1140-182-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1140-181-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1220-315-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1560-236-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/1560-222-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/1560-272-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1560-213-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1560-289-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/1736-266-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1736-264-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1780-212-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/1780-259-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1780-261-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/1780-268-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/1860-187-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1868-253-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2300-284-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2412-34-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2412-86-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2412-123-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2412-146-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2412-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2412-11-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2412-47-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2412-210-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2412-71-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2412-139-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2412-138-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2412-45-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2440-249-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/2440-224-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2440-195-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/2440-193-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/2440-166-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/2448-125-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2448-142-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2484-89-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2560-228-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2580-61-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2580-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2612-74-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2620-53-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2680-78-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2764-143-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2876-303-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2900-174-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2900-168-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2900-109-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2900-207-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2900-169-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2900-104-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2900-153-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2900-151-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2944-262-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2944-273-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2944-297-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2944-298-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2944-307-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2944-247-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2984-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2984-164-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2984-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads