b494c557488f8e0e0c2d4c08583129db4b1dcf4d8130766e0f6ded73980ff268

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
06-11-2023 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.89240b0f8a9563db33eb2840517d4270.exe
Size

176KB
MD5

89240b0f8a9563db33eb2840517d4270
SHA1

83af9dfe1938e631c6442fb519b88905ec689fdc
SHA256

b494c557488f8e0e0c2d4c08583129db4b1dcf4d8130766e0f6ded73980ff268
SHA512

f70445ecb54c5f79d050210a3cc851945342bd51a1f6c6fdd4befa1db2234b3d177d44a9b5d7e536ed3bedc745d99da66e6a71e7f199fd702025cc0ec318229e
SSDEEP

768:Ac/TbblFpQNwC3BEc4QEfu0Ei8XxNDI/vFaaz6JZ1Ssw63BEfY:x7bbl/eThavEjDUvFaaAXZL0Y

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2212	backup.exe
2236	backup.exe
704	backup.exe
1376	backup.exe
800	backup.exe
2160	backup.exe
2876	backup.exe
2592	data.exe
3008	backup.exe
2580	backup.exe
1836	data.exe
1488	backup.exe
1732	data.exe
2200	backup.exe
2848	backup.exe
1340	backup.exe
2956	backup.exe
836	data.exe
2560	backup.exe
1052	backup.exe
912	backup.exe
1740	System Restore.exe
2172	backup.exe
2084	backup.exe
3052	backup.exe
2224	backup.exe
2516	backup.exe
908	backup.exe
3068	backup.exe
616	backup.exe
560	backup.exe
1376	backup.exe
2452	backup.exe
2532	backup.exe
2728	backup.exe
3004	backup.exe
2116	backup.exe
2756	update.exe
2616	backup.exe
2604	backup.exe
1708	backup.exe
1912	backup.exe
2852	backup.exe
1620	backup.exe
1452	backup.exe
1064	backup.exe
1320	backup.exe
2968	data.exe
2000	backup.exe
2976	backup.exe
1012	backup.exe
2108	backup.exe
2060	backup.exe
1336	backup.exe
1776	backup.exe
1180	backup.exe
2292	backup.exe
1296	backup.exe
1744	backup.exe
2380	backup.exe
2460	backup.exe
2312	update.exe
1672	backup.exe
1664	data.exe

Loads dropped DLL 64 IoCs

pid	Process
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2592	data.exe
2592	data.exe
3008	backup.exe
3008	backup.exe
2592	data.exe
2592	data.exe
1836	data.exe
1836	data.exe
1488	backup.exe
1488	backup.exe
1836	data.exe
1836	data.exe
2200	backup.exe
2200	backup.exe
2848	backup.exe
2848	backup.exe
2848	backup.exe
2848	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
3068	backup.exe
3068	backup.exe
3068	backup.exe
3068	backup.exe
3068	backup.exe
3068	backup.exe
3068	backup.exe
3068	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2248-0-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x000b0000000122f6-5.dat	upx
behavioral1/files/0x000b0000000122f6-7.dat	upx
behavioral1/files/0x000b0000000122f6-9.dat	upx
behavioral1/files/0x000b0000000122f6-12.dat	upx
behavioral1/memory/2212-13-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0008000000015613-23.dat	upx
behavioral1/files/0x0008000000015613-19.dat	upx
behavioral1/files/0x0008000000015613-17.dat	upx
behavioral1/memory/2236-28-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0007000000015c18-35.dat	upx
behavioral1/files/0x0007000000015c18-31.dat	upx
behavioral1/files/0x0007000000015c18-29.dat	upx
behavioral1/files/0x000800000001564c-39.dat	upx
behavioral1/files/0x000800000001564c-41.dat	upx
behavioral1/files/0x000800000001564c-45.dat	upx
behavioral1/memory/2248-48-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1376-51-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0006000000015c99-58.dat	upx
behavioral1/files/0x0006000000015c99-54.dat	upx
behavioral1/files/0x0006000000015c99-52.dat	upx
behavioral1/memory/800-62-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2212-70-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0009000000014b2a-69.dat	upx
behavioral1/files/0x0009000000014b2a-65.dat	upx
behavioral1/files/0x0009000000014b2a-63.dat	upx
behavioral1/memory/2248-71-0x0000000000500000-0x000000000052C000-memory.dmp	upx
behavioral1/memory/2160-75-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0006000000015ca7-76.dat	upx
behavioral1/files/0x0006000000015ca7-78.dat	upx
behavioral1/memory/704-82-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0006000000015ca7-83.dat	upx
behavioral1/memory/2876-86-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x000b0000000122f6-89.dat	upx
behavioral1/files/0x0006000000015caf-95.dat	upx
behavioral1/files/0x0006000000015caf-100.dat	upx
behavioral1/files/0x0006000000015ce9-102.dat	upx
behavioral1/files/0x0006000000015ce9-108.dat	upx
behavioral1/files/0x0006000000015ce9-104.dat	upx
behavioral1/files/0x0006000000015ce9-114.dat	upx
behavioral1/files/0x0006000000015dc1-116.dat	upx
behavioral1/files/0x0006000000015dc1-118.dat	upx
behavioral1/files/0x0006000000015dc1-122.dat	upx
behavioral1/memory/2580-126-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/3008-140-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2580-139-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x000c000000015c32-148.dat	upx
behavioral1/files/0x000c000000015c32-144.dat	upx
behavioral1/files/0x000c000000015c32-142.dat	upx
behavioral1/files/0x000c000000015c32-151.dat	upx
behavioral1/files/0x0008000000015e3e-153.dat	upx
behavioral1/files/0x0008000000015e3e-155.dat	upx
behavioral1/memory/2592-160-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0008000000015e3e-159.dat	upx
behavioral1/memory/1836-161-0x0000000000520000-0x000000000054C000-memory.dmp	upx
behavioral1/files/0x0008000000015e3e-165.dat	upx
behavioral1/files/0x0006000000015ecd-167.dat	upx
behavioral1/files/0x0006000000015ecd-173.dat	upx
behavioral1/files/0x0006000000015ecd-169.dat	upx
behavioral1/files/0x0006000000016066-186.dat	upx
behavioral1/memory/1732-185-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0006000000016066-180.dat	upx
behavioral1/memory/1488-179-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0006000000016066-177.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Defender\update.exe	data.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\data.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\update.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\System Restore.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe
2212	backup.exe
2236	backup.exe
704	backup.exe
1376	backup.exe
800	backup.exe
2160	backup.exe
2876	backup.exe
2592	data.exe
3008	backup.exe
2580	backup.exe
1836	data.exe
1488	backup.exe
1732	data.exe
2200	backup.exe
2848	backup.exe
1340	backup.exe
2956	backup.exe
836	data.exe
2560	backup.exe
1052	backup.exe
912	backup.exe
1740	System Restore.exe
2172	backup.exe
2084	backup.exe
3052	backup.exe
2224	backup.exe
2516	backup.exe
908	backup.exe
3068	backup.exe
616	backup.exe
560	backup.exe
1376	backup.exe
2452	backup.exe
2532	backup.exe
2728	backup.exe
3004	backup.exe
2116	backup.exe
2756	update.exe
2616	backup.exe
2604	backup.exe
1708	backup.exe
1912	backup.exe
2852	backup.exe
1620	backup.exe
1452	backup.exe
1064	backup.exe
1320	backup.exe
2968	data.exe
2000	backup.exe
2976	backup.exe
1012	backup.exe
2108	backup.exe
2060	backup.exe
1336	backup.exe
1776	backup.exe
1180	backup.exe
2292	backup.exe
1296	backup.exe
1744	backup.exe
2380	backup.exe
2460	backup.exe
2312	update.exe
1672	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2212	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	28
PID 2248 wrote to memory of 2212	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	28
PID 2248 wrote to memory of 2212	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	28
PID 2248 wrote to memory of 2212	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	28
PID 2248 wrote to memory of 2236	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	29
PID 2248 wrote to memory of 2236	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	29
PID 2248 wrote to memory of 2236	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	29
PID 2248 wrote to memory of 2236	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	29
PID 2248 wrote to memory of 704	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	30
PID 2248 wrote to memory of 704	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	30
PID 2248 wrote to memory of 704	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	30
PID 2248 wrote to memory of 704	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	30
PID 2248 wrote to memory of 1376	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	31
PID 2248 wrote to memory of 1376	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	31
PID 2248 wrote to memory of 1376	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	31
PID 2248 wrote to memory of 1376	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	31
PID 2248 wrote to memory of 800	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	32
PID 2248 wrote to memory of 800	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	32
PID 2248 wrote to memory of 800	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	32
PID 2248 wrote to memory of 800	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	32
PID 2248 wrote to memory of 2160	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	33
PID 2248 wrote to memory of 2160	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	33
PID 2248 wrote to memory of 2160	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	33
PID 2248 wrote to memory of 2160	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	33
PID 2248 wrote to memory of 2876	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	34
PID 2248 wrote to memory of 2876	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	34
PID 2248 wrote to memory of 2876	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	34
PID 2248 wrote to memory of 2876	2248	NEAS.89240b0f8a9563db33eb2840517d4270.exe	34
PID 2212 wrote to memory of 2592	2212	backup.exe	35
PID 2212 wrote to memory of 2592	2212	backup.exe	35
PID 2212 wrote to memory of 2592	2212	backup.exe	35
PID 2212 wrote to memory of 2592	2212	backup.exe	35
PID 2592 wrote to memory of 3008	2592	data.exe	36
PID 2592 wrote to memory of 3008	2592	data.exe	36
PID 2592 wrote to memory of 3008	2592	data.exe	36
PID 2592 wrote to memory of 3008	2592	data.exe	36
PID 3008 wrote to memory of 2580	3008	backup.exe	37
PID 3008 wrote to memory of 2580	3008	backup.exe	37
PID 3008 wrote to memory of 2580	3008	backup.exe	37
PID 3008 wrote to memory of 2580	3008	backup.exe	37
PID 2592 wrote to memory of 1836	2592	data.exe	38
PID 2592 wrote to memory of 1836	2592	data.exe	38
PID 2592 wrote to memory of 1836	2592	data.exe	38
PID 2592 wrote to memory of 1836	2592	data.exe	38
PID 1836 wrote to memory of 1488	1836	data.exe	39
PID 1836 wrote to memory of 1488	1836	data.exe	39
PID 1836 wrote to memory of 1488	1836	data.exe	39
PID 1836 wrote to memory of 1488	1836	data.exe	39
PID 1488 wrote to memory of 1732	1488	backup.exe	40
PID 1488 wrote to memory of 1732	1488	backup.exe	40
PID 1488 wrote to memory of 1732	1488	backup.exe	40
PID 1488 wrote to memory of 1732	1488	backup.exe	40
PID 1836 wrote to memory of 2200	1836	data.exe	41
PID 1836 wrote to memory of 2200	1836	data.exe	41
PID 1836 wrote to memory of 2200	1836	data.exe	41
PID 1836 wrote to memory of 2200	1836	data.exe	41
PID 2200 wrote to memory of 2848	2200	backup.exe	42
PID 2200 wrote to memory of 2848	2200	backup.exe	42
PID 2200 wrote to memory of 2848	2200	backup.exe	42
PID 2200 wrote to memory of 2848	2200	backup.exe	42
PID 2848 wrote to memory of 1340	2848	backup.exe	43
PID 2848 wrote to memory of 1340	2848	backup.exe	43
PID 2848 wrote to memory of 1340	2848	backup.exe	43
PID 2848 wrote to memory of 1340	2848	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.89240b0f8a9563db33eb2840517d4270.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.89240b0f8a9563db33eb2840517d4270.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.89240b0f8a9563db33eb2840517d4270.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2248
- C:\Users\Admin\AppData\Local\Temp\3409014398\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3409014398\backup.exe C:\Users\Admin\AppData\Local\Temp\3409014398\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2212
- - C:\data.exe
    \data.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2580
  - - C:\Program Files\data.exe
      "C:\Program Files\data.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Program Files\7-Zip\Lang\data.exe
        
        "C:\Program Files\7-Zip\Lang\data.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1732
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2848
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1340
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2516
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2116
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1296
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2380
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2312
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:2256
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1152
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:2244
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        System policy modification
        
        PID:2768
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2780
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:2872
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:816
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2880
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2620
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2804
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2648
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2816
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3008
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        System policy modification
        
        PID:2572
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:2196
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1812
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2644
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:272
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        System policy modification
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2092
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        System policy modification
        
        PID:2108
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1352
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2560
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:340
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:996
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2768
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1732
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1984
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1292
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3068
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2100
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:844
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:740
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:672
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:2316
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:2168
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1744
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1500
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:2900
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1512
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:832
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        System policy modification
        
        PID:880
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:2220
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:2556
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        System policy modification
        
        PID:1640
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        System policy modification
        
        PID:2164
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        System policy modification
        
        PID:2816
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1000
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:2840
    - - C:\Program Files\Google\data.exe
        
        "C:\Program Files\Google\data.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2792
      - C:\Program Files\Google\Chrome\System Restore.exe
        
        "C:\Program Files\Google\Chrome\System Restore.exe" C:\Program Files\Google\Chrome\
        6⤵
        Drops file in Program Files directory
        
        PID:1596
        
        C:\Program Files\Google\Chrome\Application\update.exe
        
        "C:\Program Files\Google\Chrome\Application\update.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2672
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        
        PID:2052
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        
        PID:2380
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:2408
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2868
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        
        PID:2436
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        System policy modification
        
        PID:1948
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        
        PID:2084
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1308
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:940
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1752
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2628
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2680
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1984
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2808
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1304
      - C:\Program Files\Internet Explorer\ja-JP\update.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\update.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2932
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:908
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2552
      - C:\Program Files\Java\jdk1.7.0_80\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        System policy modification
        
        PID:2308
        
        C:\Program Files\Java\jdk1.7.0_80\bin\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\data.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        
        PID:2620
        
        C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        7⤵
        
        PID:736
        
        C:\Program Files\Java\jdk1.7.0_80\include\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\include\
        7⤵
        
        PID:2604
        
        C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
        7⤵
        
        PID:1136
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:2812
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1320
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:1156
    - - C:\Program Files\Microsoft Office\System Restore.exe
        
        "C:\Program Files\Microsoft Office\System Restore.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1584
      - C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:532
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2272
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1484
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1260
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2908
    - - C:\Program Files\Windows Defender\update.exe
        
        "C:\Program Files\Windows Defender\update.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:2092
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:2416
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:1700
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1912
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        System policy modification
        
        PID:1416
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:900
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:528
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:2596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        System policy modification
        
        PID:2276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:2712
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:2456
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:2716
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2292
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2708
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:2492
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:1452
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:2796
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Drops file in Program Files directory
        
        PID:1280
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:2024
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3000
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1748
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2328
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        System policy modification
        
        PID:2300
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:556
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:2532
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        Drops file in Program Files directory
        
        PID:756
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        
        PID:1504
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1720
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2496
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        System policy modification
        
        PID:2008
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:680
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2580
    - - C:\Program Files (x86)\Google\update.exe
        
        "C:\Program Files (x86)\Google\update.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2508
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2096
      - C:\Program Files (x86)\Google\Temp\System Restore.exe
        
        "C:\Program Files (x86)\Google\Temp\System Restore.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2120
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1400
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2132
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:2396
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2116
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1956
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:2920
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:3048
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2484
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1532
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2704
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1808
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1780
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1716
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:2324
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      System policy modification
      PID:2156
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2996
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        System policy modification
        
        PID:2080
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        System policy modification
        
        PID:2276
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:912
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:3004
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1332
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:3052
      - C:\Users\Admin\Music\data.exe
        
        C:\Users\Admin\Music\data.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2656
      - C:\Users\Admin\Pictures\System Restore.exe
        
        "C:\Users\Admin\Pictures\System Restore.exe" C:\Users\Admin\Pictures\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2268
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:1300
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2460
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:1908
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1580
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2652
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1592
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:2748
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1088
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        System policy modification
        
        PID:2944
        
        C:\Users\Public\Recorded TV\Sample Media\data.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\data.exe" C:\Users\Public\Recorded TV\Sample Media\
        7⤵
        
        PID:2720
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2404
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      System policy modification
      PID:1924
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:704
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1376
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:800
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2160
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2876

C:\Program Files\Common Files\SpeechEngines\Microsoft\update.exe
"C:\Program Files\Common Files\SpeechEngines\Microsoft\update.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
1⤵
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
176KB

MD5
40b1ab4b5bb359b0a8509f9ecee516a9

SHA1
60eeed6dfc0673b8b8b4e427fa67671d74a4e02d

SHA256
d906f4c2a2ca9ca7c00849f00c9253e056013b451f7ac220e0696a50017038d0

SHA512
777de030598f55b54791eb27a7f7890340fa0d3606abfb609e0224f3ef3108d0bbcedc369cadb5a8b1f2b8d318d02f52de43fc72320085df2f02fc829fe7e8dd

Download Submit
C:\PerfLogs\backup.exe

Filesize
176KB

MD5
a7520bf05d70f89f38571ba2101a41d3

SHA1
9b1cbcd3fdf8243c36a902cee97f4e277b4a9577

SHA256
137f670208b1f49e3c2cd74a189bd01177bf07dc4d38cf378dc02eccfeba4759

SHA512
8a5f7f243ce48fb852faf7a2c0d72e05174fd730f3c9aab7969304bc037effa4686362ecfeac712978db81a672759677eb757df5276e1404f6ab33f70a3bdeb9

Download Submit
C:\PerfLogs\backup.exe

Filesize
176KB

MD5
a7520bf05d70f89f38571ba2101a41d3

SHA1
9b1cbcd3fdf8243c36a902cee97f4e277b4a9577

SHA256
137f670208b1f49e3c2cd74a189bd01177bf07dc4d38cf378dc02eccfeba4759

SHA512
8a5f7f243ce48fb852faf7a2c0d72e05174fd730f3c9aab7969304bc037effa4686362ecfeac712978db81a672759677eb757df5276e1404f6ab33f70a3bdeb9

Download Submit
C:\Program Files\7-Zip\Lang\data.exe

Filesize
176KB

MD5
3c39c42491afd57780c8a74c175839ca

SHA1
4367bbf28e0a3243304298a9fa5ad6351f1d5395

SHA256
06431223491b518015469e322ccfbc8d39e3660c391df99e60eddfd45556f76b

SHA512
3e7ca22c22d7782623e0f37de9961ca87a5d3b3c5149e22bbf5797454516e8c798d441d850c171bf236b540509fc0f1e6247e99f9c6b13054dc0138d8e041036

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
095d13ae6ef0ab6ab3ff4791da55848b

SHA1
df6a92c2a2c2575e47da995c95e8431065f4212b

SHA256
bfd94d03a0f0d09cdd9a2aa3645fa2e4bd863f8f450e22b6283d4d01c3efc6ff

SHA512
3aca311ccfaa6d2634fa01d5020c22889486b49fec92bffd0a280e78b34a53b1a22a947bb8831b99df6cb618b154645cc5e91ea00fc6771309a863c901b4bbe8

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
095d13ae6ef0ab6ab3ff4791da55848b

SHA1
df6a92c2a2c2575e47da995c95e8431065f4212b

SHA256
bfd94d03a0f0d09cdd9a2aa3645fa2e4bd863f8f450e22b6283d4d01c3efc6ff

SHA512
3aca311ccfaa6d2634fa01d5020c22889486b49fec92bffd0a280e78b34a53b1a22a947bb8831b99df6cb618b154645cc5e91ea00fc6771309a863c901b4bbe8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
176KB

MD5
af27c64bc8034a6c6e407432e3dc4ec6

SHA1
1c6b569a8d2259b92db25de5f6341af03ba7f12e

SHA256
0f1928106b8c70aed23250f8f2585b2669eb19be07948d1f269fd8c8b1253bbb

SHA512
e02487c5b38f689bfc49ae7f3f5f22ad411180ae9c0c75a54da691098b006cd8f971ff0ab5eb8c3e634588fb8e9829fb09fc756da72b5a8736bff947a81207c5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
176KB

MD5
3c39c42491afd57780c8a74c175839ca

SHA1
4367bbf28e0a3243304298a9fa5ad6351f1d5395

SHA256
06431223491b518015469e322ccfbc8d39e3660c391df99e60eddfd45556f76b

SHA512
3e7ca22c22d7782623e0f37de9961ca87a5d3b3c5149e22bbf5797454516e8c798d441d850c171bf236b540509fc0f1e6247e99f9c6b13054dc0138d8e041036

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
176KB

MD5
3c39c42491afd57780c8a74c175839ca

SHA1
4367bbf28e0a3243304298a9fa5ad6351f1d5395

SHA256
06431223491b518015469e322ccfbc8d39e3660c391df99e60eddfd45556f76b

SHA512
3e7ca22c22d7782623e0f37de9961ca87a5d3b3c5149e22bbf5797454516e8c798d441d850c171bf236b540509fc0f1e6247e99f9c6b13054dc0138d8e041036

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
176KB

MD5
8242dda6afeb972e07bc219e7934e062

SHA1
38602ba946e250a4428f73b7092db11cbde1ff63

SHA256
e7f8baaa454299aae20f9e9a2032bef54ed1d5af0f60715c36b36b964292f053

SHA512
2b226b2dafee793cd536371fc0d7a986f7cfa6437014e5ca74873e702985f6cb2bb3c9ece12732ac9c07d115199a3ece16c8af7bf3bc35bc8387d9d87ca643d2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
176KB

MD5
af27c64bc8034a6c6e407432e3dc4ec6

SHA1
1c6b569a8d2259b92db25de5f6341af03ba7f12e

SHA256
0f1928106b8c70aed23250f8f2585b2669eb19be07948d1f269fd8c8b1253bbb

SHA512
e02487c5b38f689bfc49ae7f3f5f22ad411180ae9c0c75a54da691098b006cd8f971ff0ab5eb8c3e634588fb8e9829fb09fc756da72b5a8736bff947a81207c5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
176KB

MD5
af27c64bc8034a6c6e407432e3dc4ec6

SHA1
1c6b569a8d2259b92db25de5f6341af03ba7f12e

SHA256
0f1928106b8c70aed23250f8f2585b2669eb19be07948d1f269fd8c8b1253bbb

SHA512
e02487c5b38f689bfc49ae7f3f5f22ad411180ae9c0c75a54da691098b006cd8f971ff0ab5eb8c3e634588fb8e9829fb09fc756da72b5a8736bff947a81207c5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
176KB

MD5
8242dda6afeb972e07bc219e7934e062

SHA1
38602ba946e250a4428f73b7092db11cbde1ff63

SHA256
e7f8baaa454299aae20f9e9a2032bef54ed1d5af0f60715c36b36b964292f053

SHA512
2b226b2dafee793cd536371fc0d7a986f7cfa6437014e5ca74873e702985f6cb2bb3c9ece12732ac9c07d115199a3ece16c8af7bf3bc35bc8387d9d87ca643d2

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
095d13ae6ef0ab6ab3ff4791da55848b

SHA1
df6a92c2a2c2575e47da995c95e8431065f4212b

SHA256
bfd94d03a0f0d09cdd9a2aa3645fa2e4bd863f8f450e22b6283d4d01c3efc6ff

SHA512
3aca311ccfaa6d2634fa01d5020c22889486b49fec92bffd0a280e78b34a53b1a22a947bb8831b99df6cb618b154645cc5e91ea00fc6771309a863c901b4bbe8

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
095d13ae6ef0ab6ab3ff4791da55848b

SHA1
df6a92c2a2c2575e47da995c95e8431065f4212b

SHA256
bfd94d03a0f0d09cdd9a2aa3645fa2e4bd863f8f450e22b6283d4d01c3efc6ff

SHA512
3aca311ccfaa6d2634fa01d5020c22889486b49fec92bffd0a280e78b34a53b1a22a947bb8831b99df6cb618b154645cc5e91ea00fc6771309a863c901b4bbe8

Download Submit
C:\Program Files\data.exe

Filesize
176KB

MD5
a7520bf05d70f89f38571ba2101a41d3

SHA1
9b1cbcd3fdf8243c36a902cee97f4e277b4a9577

SHA256
137f670208b1f49e3c2cd74a189bd01177bf07dc4d38cf378dc02eccfeba4759

SHA512
8a5f7f243ce48fb852faf7a2c0d72e05174fd730f3c9aab7969304bc037effa4686362ecfeac712978db81a672759677eb757df5276e1404f6ab33f70a3bdeb9

Download Submit
C:\Program Files\data.exe

Filesize
176KB

MD5
a7520bf05d70f89f38571ba2101a41d3

SHA1
9b1cbcd3fdf8243c36a902cee97f4e277b4a9577

SHA256
137f670208b1f49e3c2cd74a189bd01177bf07dc4d38cf378dc02eccfeba4759

SHA512
8a5f7f243ce48fb852faf7a2c0d72e05174fd730f3c9aab7969304bc037effa4686362ecfeac712978db81a672759677eb757df5276e1404f6ab33f70a3bdeb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3409014398\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
C:\Users\Admin\AppData\Local\Temp\3409014398\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
C:\Users\Admin\AppData\Local\Temp\3409014398\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
176KB

MD5
3a205d9e529d598c5f39a82e774e114c

SHA1
934af4a014753b355480d9abf0072c7fe5c9b753

SHA256
8271dd8451c063765a87c9b1a38d452bcf87f6cf3ce9e5cf591e3ee55feaa141

SHA512
4779bf3f0f5b8cb3370329285b04703be33048113bec2f3d26f32613324cdb44166c8335cee5f529325e5bde2368c8c7f3dd6ce7186ce7a1362bfd108333c0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
33KB

MD5
7dade01225e8e503ea2d10fcce9c49a4

SHA1
71718b8d9f232d7f7cca568b2aaaacd563d4ee17

SHA256
5a8224ac118eba6bf29a62b9c8673e22e8ccd23f5ed8b0ac432347c7adff69b4

SHA512
4c3b066235e5bf0fefb8f06b9dec7560bfb141e940394c02262af138be689948c94227905efebbc3998b7623557123bdbe996766e9743e650cbe9dea69e9bb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\data.exe

Filesize
176KB

MD5
e8f10c1ad2fc4cd4d1197d766fd792d4

SHA1
a969e9b9267fdb732a3ba1c98e6a85346ec5c62c

SHA256
461ec4663169ceaba34c4418810736bd0ace4dea1a96dfe102907fe7017a7e54

SHA512
bcff7521ae320ba8b64153e39fc543bc31bd3477a1d81e1e5a7e90d55f64910c0d701a2038ad6c2d6e9245639dd95de7594a55cbad91a06a1020f0e3f834f114

Download Submit
C:\data.exe

Filesize
176KB

MD5
e8f10c1ad2fc4cd4d1197d766fd792d4

SHA1
a969e9b9267fdb732a3ba1c98e6a85346ec5c62c

SHA256
461ec4663169ceaba34c4418810736bd0ace4dea1a96dfe102907fe7017a7e54

SHA512
bcff7521ae320ba8b64153e39fc543bc31bd3477a1d81e1e5a7e90d55f64910c0d701a2038ad6c2d6e9245639dd95de7594a55cbad91a06a1020f0e3f834f114

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
176KB

MD5
40b1ab4b5bb359b0a8509f9ecee516a9

SHA1
60eeed6dfc0673b8b8b4e427fa67671d74a4e02d

SHA256
d906f4c2a2ca9ca7c00849f00c9253e056013b451f7ac220e0696a50017038d0

SHA512
777de030598f55b54791eb27a7f7890340fa0d3606abfb609e0224f3ef3108d0bbcedc369cadb5a8b1f2b8d318d02f52de43fc72320085df2f02fc829fe7e8dd

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
176KB

MD5
40b1ab4b5bb359b0a8509f9ecee516a9

SHA1
60eeed6dfc0673b8b8b4e427fa67671d74a4e02d

SHA256
d906f4c2a2ca9ca7c00849f00c9253e056013b451f7ac220e0696a50017038d0

SHA512
777de030598f55b54791eb27a7f7890340fa0d3606abfb609e0224f3ef3108d0bbcedc369cadb5a8b1f2b8d318d02f52de43fc72320085df2f02fc829fe7e8dd

Download Submit
\PerfLogs\backup.exe

Filesize
176KB

MD5
a7520bf05d70f89f38571ba2101a41d3

SHA1
9b1cbcd3fdf8243c36a902cee97f4e277b4a9577

SHA256
137f670208b1f49e3c2cd74a189bd01177bf07dc4d38cf378dc02eccfeba4759

SHA512
8a5f7f243ce48fb852faf7a2c0d72e05174fd730f3c9aab7969304bc037effa4686362ecfeac712978db81a672759677eb757df5276e1404f6ab33f70a3bdeb9

Download Submit
\PerfLogs\backup.exe

Filesize
176KB

MD5
a7520bf05d70f89f38571ba2101a41d3

SHA1
9b1cbcd3fdf8243c36a902cee97f4e277b4a9577

SHA256
137f670208b1f49e3c2cd74a189bd01177bf07dc4d38cf378dc02eccfeba4759

SHA512
8a5f7f243ce48fb852faf7a2c0d72e05174fd730f3c9aab7969304bc037effa4686362ecfeac712978db81a672759677eb757df5276e1404f6ab33f70a3bdeb9

Download Submit
\Program Files\7-Zip\Lang\data.exe

Filesize
176KB

MD5
3c39c42491afd57780c8a74c175839ca

SHA1
4367bbf28e0a3243304298a9fa5ad6351f1d5395

SHA256
06431223491b518015469e322ccfbc8d39e3660c391df99e60eddfd45556f76b

SHA512
3e7ca22c22d7782623e0f37de9961ca87a5d3b3c5149e22bbf5797454516e8c798d441d850c171bf236b540509fc0f1e6247e99f9c6b13054dc0138d8e041036

Download Submit
\Program Files\7-Zip\Lang\data.exe

Filesize
176KB

MD5
3c39c42491afd57780c8a74c175839ca

SHA1
4367bbf28e0a3243304298a9fa5ad6351f1d5395

SHA256
06431223491b518015469e322ccfbc8d39e3660c391df99e60eddfd45556f76b

SHA512
3e7ca22c22d7782623e0f37de9961ca87a5d3b3c5149e22bbf5797454516e8c798d441d850c171bf236b540509fc0f1e6247e99f9c6b13054dc0138d8e041036

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
095d13ae6ef0ab6ab3ff4791da55848b

SHA1
df6a92c2a2c2575e47da995c95e8431065f4212b

SHA256
bfd94d03a0f0d09cdd9a2aa3645fa2e4bd863f8f450e22b6283d4d01c3efc6ff

SHA512
3aca311ccfaa6d2634fa01d5020c22889486b49fec92bffd0a280e78b34a53b1a22a947bb8831b99df6cb618b154645cc5e91ea00fc6771309a863c901b4bbe8

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
095d13ae6ef0ab6ab3ff4791da55848b

SHA1
df6a92c2a2c2575e47da995c95e8431065f4212b

SHA256
bfd94d03a0f0d09cdd9a2aa3645fa2e4bd863f8f450e22b6283d4d01c3efc6ff

SHA512
3aca311ccfaa6d2634fa01d5020c22889486b49fec92bffd0a280e78b34a53b1a22a947bb8831b99df6cb618b154645cc5e91ea00fc6771309a863c901b4bbe8

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
176KB

MD5
af27c64bc8034a6c6e407432e3dc4ec6

SHA1
1c6b569a8d2259b92db25de5f6341af03ba7f12e

SHA256
0f1928106b8c70aed23250f8f2585b2669eb19be07948d1f269fd8c8b1253bbb

SHA512
e02487c5b38f689bfc49ae7f3f5f22ad411180ae9c0c75a54da691098b006cd8f971ff0ab5eb8c3e634588fb8e9829fb09fc756da72b5a8736bff947a81207c5

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
176KB

MD5
af27c64bc8034a6c6e407432e3dc4ec6

SHA1
1c6b569a8d2259b92db25de5f6341af03ba7f12e

SHA256
0f1928106b8c70aed23250f8f2585b2669eb19be07948d1f269fd8c8b1253bbb

SHA512
e02487c5b38f689bfc49ae7f3f5f22ad411180ae9c0c75a54da691098b006cd8f971ff0ab5eb8c3e634588fb8e9829fb09fc756da72b5a8736bff947a81207c5

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
176KB

MD5
3c39c42491afd57780c8a74c175839ca

SHA1
4367bbf28e0a3243304298a9fa5ad6351f1d5395

SHA256
06431223491b518015469e322ccfbc8d39e3660c391df99e60eddfd45556f76b

SHA512
3e7ca22c22d7782623e0f37de9961ca87a5d3b3c5149e22bbf5797454516e8c798d441d850c171bf236b540509fc0f1e6247e99f9c6b13054dc0138d8e041036

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
176KB

MD5
3c39c42491afd57780c8a74c175839ca

SHA1
4367bbf28e0a3243304298a9fa5ad6351f1d5395

SHA256
06431223491b518015469e322ccfbc8d39e3660c391df99e60eddfd45556f76b

SHA512
3e7ca22c22d7782623e0f37de9961ca87a5d3b3c5149e22bbf5797454516e8c798d441d850c171bf236b540509fc0f1e6247e99f9c6b13054dc0138d8e041036

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
176KB

MD5
8242dda6afeb972e07bc219e7934e062

SHA1
38602ba946e250a4428f73b7092db11cbde1ff63

SHA256
e7f8baaa454299aae20f9e9a2032bef54ed1d5af0f60715c36b36b964292f053

SHA512
2b226b2dafee793cd536371fc0d7a986f7cfa6437014e5ca74873e702985f6cb2bb3c9ece12732ac9c07d115199a3ece16c8af7bf3bc35bc8387d9d87ca643d2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
176KB

MD5
8242dda6afeb972e07bc219e7934e062

SHA1
38602ba946e250a4428f73b7092db11cbde1ff63

SHA256
e7f8baaa454299aae20f9e9a2032bef54ed1d5af0f60715c36b36b964292f053

SHA512
2b226b2dafee793cd536371fc0d7a986f7cfa6437014e5ca74873e702985f6cb2bb3c9ece12732ac9c07d115199a3ece16c8af7bf3bc35bc8387d9d87ca643d2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
176KB

MD5
af27c64bc8034a6c6e407432e3dc4ec6

SHA1
1c6b569a8d2259b92db25de5f6341af03ba7f12e

SHA256
0f1928106b8c70aed23250f8f2585b2669eb19be07948d1f269fd8c8b1253bbb

SHA512
e02487c5b38f689bfc49ae7f3f5f22ad411180ae9c0c75a54da691098b006cd8f971ff0ab5eb8c3e634588fb8e9829fb09fc756da72b5a8736bff947a81207c5

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
176KB

MD5
af27c64bc8034a6c6e407432e3dc4ec6

SHA1
1c6b569a8d2259b92db25de5f6341af03ba7f12e

SHA256
0f1928106b8c70aed23250f8f2585b2669eb19be07948d1f269fd8c8b1253bbb

SHA512
e02487c5b38f689bfc49ae7f3f5f22ad411180ae9c0c75a54da691098b006cd8f971ff0ab5eb8c3e634588fb8e9829fb09fc756da72b5a8736bff947a81207c5

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
176KB

MD5
8242dda6afeb972e07bc219e7934e062

SHA1
38602ba946e250a4428f73b7092db11cbde1ff63

SHA256
e7f8baaa454299aae20f9e9a2032bef54ed1d5af0f60715c36b36b964292f053

SHA512
2b226b2dafee793cd536371fc0d7a986f7cfa6437014e5ca74873e702985f6cb2bb3c9ece12732ac9c07d115199a3ece16c8af7bf3bc35bc8387d9d87ca643d2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
176KB

MD5
8242dda6afeb972e07bc219e7934e062

SHA1
38602ba946e250a4428f73b7092db11cbde1ff63

SHA256
e7f8baaa454299aae20f9e9a2032bef54ed1d5af0f60715c36b36b964292f053

SHA512
2b226b2dafee793cd536371fc0d7a986f7cfa6437014e5ca74873e702985f6cb2bb3c9ece12732ac9c07d115199a3ece16c8af7bf3bc35bc8387d9d87ca643d2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
176KB

MD5
8242dda6afeb972e07bc219e7934e062

SHA1
38602ba946e250a4428f73b7092db11cbde1ff63

SHA256
e7f8baaa454299aae20f9e9a2032bef54ed1d5af0f60715c36b36b964292f053

SHA512
2b226b2dafee793cd536371fc0d7a986f7cfa6437014e5ca74873e702985f6cb2bb3c9ece12732ac9c07d115199a3ece16c8af7bf3bc35bc8387d9d87ca643d2

Download Submit
\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
095d13ae6ef0ab6ab3ff4791da55848b

SHA1
df6a92c2a2c2575e47da995c95e8431065f4212b

SHA256
bfd94d03a0f0d09cdd9a2aa3645fa2e4bd863f8f450e22b6283d4d01c3efc6ff

SHA512
3aca311ccfaa6d2634fa01d5020c22889486b49fec92bffd0a280e78b34a53b1a22a947bb8831b99df6cb618b154645cc5e91ea00fc6771309a863c901b4bbe8

Download Submit
\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
095d13ae6ef0ab6ab3ff4791da55848b

SHA1
df6a92c2a2c2575e47da995c95e8431065f4212b

SHA256
bfd94d03a0f0d09cdd9a2aa3645fa2e4bd863f8f450e22b6283d4d01c3efc6ff

SHA512
3aca311ccfaa6d2634fa01d5020c22889486b49fec92bffd0a280e78b34a53b1a22a947bb8831b99df6cb618b154645cc5e91ea00fc6771309a863c901b4bbe8

Download Submit
\Program Files\data.exe

Filesize
176KB

MD5
a7520bf05d70f89f38571ba2101a41d3

SHA1
9b1cbcd3fdf8243c36a902cee97f4e277b4a9577

SHA256
137f670208b1f49e3c2cd74a189bd01177bf07dc4d38cf378dc02eccfeba4759

SHA512
8a5f7f243ce48fb852faf7a2c0d72e05174fd730f3c9aab7969304bc037effa4686362ecfeac712978db81a672759677eb757df5276e1404f6ab33f70a3bdeb9

Download Submit
\Program Files\data.exe

Filesize
176KB

MD5
a7520bf05d70f89f38571ba2101a41d3

SHA1
9b1cbcd3fdf8243c36a902cee97f4e277b4a9577

SHA256
137f670208b1f49e3c2cd74a189bd01177bf07dc4d38cf378dc02eccfeba4759

SHA512
8a5f7f243ce48fb852faf7a2c0d72e05174fd730f3c9aab7969304bc037effa4686362ecfeac712978db81a672759677eb757df5276e1404f6ab33f70a3bdeb9

Download Submit
\Users\Admin\AppData\Local\Temp\3409014398\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
\Users\Admin\AppData\Local\Temp\3409014398\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
176KB

MD5
3a205d9e529d598c5f39a82e774e114c

SHA1
934af4a014753b355480d9abf0072c7fe5c9b753

SHA256
8271dd8451c063765a87c9b1a38d452bcf87f6cf3ce9e5cf591e3ee55feaa141

SHA512
4779bf3f0f5b8cb3370329285b04703be33048113bec2f3d26f32613324cdb44166c8335cee5f529325e5bde2368c8c7f3dd6ce7186ce7a1362bfd108333c0a5

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
176KB

MD5
3a205d9e529d598c5f39a82e774e114c

SHA1
934af4a014753b355480d9abf0072c7fe5c9b753

SHA256
8271dd8451c063765a87c9b1a38d452bcf87f6cf3ce9e5cf591e3ee55feaa141

SHA512
4779bf3f0f5b8cb3370329285b04703be33048113bec2f3d26f32613324cdb44166c8335cee5f529325e5bde2368c8c7f3dd6ce7186ce7a1362bfd108333c0a5

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
176KB

MD5
276abb9b557f963a4e349bbcb54a8155

SHA1
bb2ad7a6ce1d9a42740d8eb7d44517150e9190d7

SHA256
14d5dc3b6518520c465eae5e94b9cd750920d7188340c40f53ec5879941e8515

SHA512
14d27e6e8a718a640a4a85c3f41fc5e7bb7e674c68810d36a831cdc15d379583a1ae5f5199bc7a43f14ecd3a63c086f5ae38dc476786898bf5f5c0facaf0b306

Download Submit
memory/616-362-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/704-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/800-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/836-244-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/912-283-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1052-275-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1340-218-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1376-51-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1488-179-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1732-185-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1740-294-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1836-161-0x0000000000520000-0x000000000054C000-memory.dmp

Filesize
176KB

Download
memory/1836-239-0x0000000000520000-0x000000000054C000-memory.dmp

Filesize
176KB

Download
memory/1836-201-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1836-187-0x0000000000520000-0x000000000054C000-memory.dmp

Filesize
176KB

Download
memory/1836-184-0x0000000000520000-0x000000000054C000-memory.dmp

Filesize
176KB

Download
memory/1836-231-0x0000000000520000-0x000000000054C000-memory.dmp

Filesize
176KB

Download
memory/2084-313-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2160-75-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2172-303-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2200-255-0x0000000000290000-0x00000000002BC000-memory.dmp

Filesize
176KB

Download
memory/2200-202-0x0000000000290000-0x00000000002BC000-memory.dmp

Filesize
176KB

Download
memory/2200-251-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2212-163-0x0000000000340000-0x000000000036C000-memory.dmp

Filesize
176KB

Download
memory/2212-70-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2212-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2212-99-0x0000000000340000-0x000000000036C000-memory.dmp

Filesize
176KB

Download
memory/2224-331-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2236-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2248-48-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2248-24-0x0000000000500000-0x000000000052C000-memory.dmp

Filesize
176KB

Download
memory/2248-189-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/2248-97-0x0000000000500000-0x000000000052C000-memory.dmp

Filesize
176KB

Download
memory/2248-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2248-109-0x0000000000500000-0x000000000052C000-memory.dmp

Filesize
176KB

Download
memory/2248-71-0x0000000000500000-0x000000000052C000-memory.dmp

Filesize
176KB

Download
memory/2248-11-0x0000000000500000-0x000000000052C000-memory.dmp

Filesize
176KB

Download
memory/2248-123-0x0000000000500000-0x000000000052C000-memory.dmp

Filesize
176KB

Download
memory/2248-135-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/2248-46-0x0000000000500000-0x000000000052C000-memory.dmp

Filesize
176KB

Download
memory/2516-340-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2560-264-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2580-139-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2580-126-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2592-199-0x0000000000520000-0x000000000054C000-memory.dmp

Filesize
176KB

Download
memory/2592-160-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2848-213-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/2848-271-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2848-289-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/2848-285-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/2876-86-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2956-299-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/2956-253-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/2956-240-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/2956-305-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/2956-309-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/2956-290-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2956-318-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/2956-319-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/2956-237-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/2956-336-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/2956-267-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/3008-140-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3052-324-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads