660381a58e0bb63be037a1cdfc3e43a6bdff5d7cf2f4592bb6334c804f80e116

Analysis

max time kernel
16s
max time network
127s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
13-11-2023 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c981f360a3f4914780448d1f10dc9d00.exe
Size

122KB
MD5

c981f360a3f4914780448d1f10dc9d00
SHA1

149b31fd8988aeac61ea716993cbf534b1854ad3
SHA256

660381a58e0bb63be037a1cdfc3e43a6bdff5d7cf2f4592bb6334c804f80e116
SHA512

2493a5c58faa6a7940d0cecc26a9be8617171748c8e9e93b5b09b147fb06d27e3a87e254d80acc98036215e5dfaaedcc0e9f0de7fb990b07ffdc7c448e002943
SSDEEP

1536:lvm1Fu8AjYaFwjRUdW7fmyY7aZYJVmy0KQbj6vbjuKoauGi4o:6u8ANCUdgfmD7zey0KUj6TjR9i4o

Score

10^/10

dropper evasion persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/memory/2736-0-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0028000000014adb-5.dat	family_berbew
behavioral1/files/0x0028000000014adb-12.dat	family_berbew
behavioral1/files/0x0028000000014adb-10.dat	family_berbew
behavioral1/files/0x0028000000014adb-8.dat	family_berbew
behavioral1/memory/2736-7-0x0000000000260000-0x0000000000284000-memory.dmp	family_berbew
behavioral1/files/0x00070000000153bf-17.dat	family_berbew
behavioral1/files/0x00070000000153bf-23.dat	family_berbew
behavioral1/files/0x00070000000153bf-19.dat	family_berbew
behavioral1/memory/2376-25-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0009000000015c28-30.dat	family_berbew
behavioral1/memory/2376-29-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0009000000015c28-32.dat	family_berbew
behavioral1/files/0x0009000000015c28-36.dat	family_berbew
behavioral1/memory/2736-37-0x0000000000260000-0x0000000000284000-memory.dmp	family_berbew
behavioral1/files/0x000b000000015601-41.dat	family_berbew
behavioral1/files/0x000b000000015601-43.dat	family_berbew
behavioral1/files/0x000b000000015601-47.dat	family_berbew
behavioral1/memory/2452-51-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0007000000015c3d-52.dat	family_berbew
behavioral1/memory/2736-54-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0007000000015c3d-55.dat	family_berbew
behavioral1/memory/2736-60-0x0000000000260000-0x0000000000284000-memory.dmp	family_berbew
behavioral1/files/0x0007000000015c3d-59.dat	family_berbew
behavioral1/memory/2584-62-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/memory/2596-65-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/memory/2736-73-0x0000000000260000-0x0000000000284000-memory.dmp	family_berbew
behavioral1/files/0x0006000000015c57-72.dat	family_berbew
behavioral1/files/0x0006000000015c57-68.dat	family_berbew
behavioral1/files/0x0006000000015c57-66.dat	family_berbew
behavioral1/files/0x0007000000015c4f-84.dat	family_berbew
behavioral1/memory/2736-85-0x0000000000260000-0x0000000000284000-memory.dmp	family_berbew
behavioral1/files/0x0007000000015c4f-80.dat	family_berbew
behavioral1/memory/2268-78-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0007000000015c4f-77.dat	family_berbew
behavioral1/memory/2708-88-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0028000000014adb-90.dat	family_berbew
behavioral1/memory/2584-98-0x0000000000260000-0x0000000000284000-memory.dmp	family_berbew
behavioral1/memory/2420-99-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0006000000015c6c-97.dat	family_berbew
behavioral1/memory/2584-96-0x0000000000260000-0x0000000000284000-memory.dmp	family_berbew
behavioral1/files/0x0006000000015c6c-102.dat	family_berbew
behavioral1/files/0x0006000000015c85-104.dat	family_berbew
behavioral1/files/0x0006000000015c85-106.dat	family_berbew
behavioral1/files/0x0006000000015c85-110.dat	family_berbew
behavioral1/files/0x0006000000015c85-115.dat	family_berbew
behavioral1/files/0x0006000000015ca5-117.dat	family_berbew
behavioral1/files/0x0006000000015ca5-119.dat	family_berbew
behavioral1/files/0x0006000000015ca5-123.dat	family_berbew
behavioral1/files/0x0006000000015ce1-128.dat	family_berbew
behavioral1/files/0x0006000000015ce1-132.dat	family_berbew
behavioral1/memory/2256-131-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/memory/1676-130-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0006000000015ce1-137.dat	family_berbew
behavioral1/memory/1456-140-0x00000000002B0000-0x00000000002D4000-memory.dmp	family_berbew
behavioral1/memory/2736-136-0x0000000000260000-0x0000000000284000-memory.dmp	family_berbew
behavioral1/memory/2736-151-0x0000000000260000-0x0000000000284000-memory.dmp	family_berbew
behavioral1/files/0x0006000000015ce1-153.dat	family_berbew
behavioral1/files/0x0008000000015caf-155.dat	family_berbew
behavioral1/files/0x0008000000015caf-157.dat	family_berbew
behavioral1/memory/1456-163-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0008000000015caf-162.dat	family_berbew
behavioral1/memory/2504-161-0x0000000000260000-0x0000000000284000-memory.dmp	family_berbew
behavioral1/files/0x0008000000015caf-166.dat	family_berbew

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2584	backup.exe
2376	backup.exe
2420	backup.exe
2452	backup.exe
2596	data.exe
2268	backup.exe
2708	backup.exe
1456	backup.exe
1676	backup.exe
2256	backup.exe
2504	backup.exe
1984	backup.exe
2036	backup.exe
932	backup.exe
2692	data.exe
2204	backup.exe
2892	backup.exe
1996	backup.exe
1556	backup.exe
1728	backup.exe
1432	data.exe
1232	backup.exe
2760	System Restore.exe
892	backup.exe
2000	backup.exe
2704	backup.exe
2480	backup.exe
2376	data.exe
2540	backup.exe
2428	backup.exe
1908	backup.exe
1404	backup.exe
2876	backup.exe
2716	backup.exe
1124	backup.exe
760	backup.exe
2544	backup.exe
276	backup.exe
1548	backup.exe
1904	backup.exe
1260	backup.exe
2232	backup.exe
1572	backup.exe
1560	backup.exe
2160	backup.exe
2212	backup.exe
2948	update.exe
1416	backup.exe
1756	backup.exe
1624	backup.exe
1048	backup.exe
2844	backup.exe
1460	backup.exe
556	backup.exe
1496	backup.exe
2068	backup.exe
1252	backup.exe
1508	backup.exe
2776	backup.exe
2468	backup.exe
2648	backup.exe
2292	backup.exe
2440	System Restore.exe
2532	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
1456	backup.exe
1456	backup.exe
1676	backup.exe
1676	backup.exe
1456	backup.exe
1456	backup.exe
2504	backup.exe
2504	backup.exe
1984	backup.exe
1984	backup.exe
2504	backup.exe
2504	backup.exe
932	backup.exe
932	backup.exe
2692	data.exe
2692	data.exe
2692	data.exe
2692	data.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2892	backup.exe
2540	backup.exe
2540	backup.exe
2540	backup.exe
2540	backup.exe
2540	backup.exe
2540	backup.exe
2540	backup.exe
2540	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe
2584	backup.exe
2376	backup.exe
2420	backup.exe
2452	backup.exe
2596	data.exe
2268	backup.exe
2708	backup.exe
1456	backup.exe
1676	backup.exe
2256	backup.exe
2504	backup.exe
1984	backup.exe
2036	backup.exe
932	backup.exe
2692	data.exe
2204	backup.exe
2892	backup.exe
1996	backup.exe
1556	backup.exe
1728	backup.exe
1432	data.exe
1232	backup.exe
2760	System Restore.exe
892	backup.exe
2000	backup.exe
2704	backup.exe
2480	backup.exe
2376	data.exe
2540	backup.exe
2428	backup.exe
1908	backup.exe
1404	backup.exe
2876	backup.exe
2716	backup.exe
1124	backup.exe
760	backup.exe
2544	backup.exe
276	backup.exe
1548	backup.exe
1904	backup.exe
1260	backup.exe
2232	backup.exe
1572	backup.exe
1560	backup.exe
2160	backup.exe
2212	backup.exe
2948	update.exe
1416	backup.exe
1756	backup.exe
1624	backup.exe
1048	backup.exe
2844	backup.exe
1460	backup.exe
556	backup.exe
1496	backup.exe
2068	backup.exe
1252	backup.exe
1508	backup.exe
2776	backup.exe
2468	backup.exe
2648	backup.exe
2292	backup.exe
2440	System Restore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2584	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	28
PID 2736 wrote to memory of 2584	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	28
PID 2736 wrote to memory of 2584	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	28
PID 2736 wrote to memory of 2584	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	28
PID 2736 wrote to memory of 2376	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	29
PID 2736 wrote to memory of 2376	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	29
PID 2736 wrote to memory of 2376	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	29
PID 2736 wrote to memory of 2376	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	29
PID 2736 wrote to memory of 2420	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	30
PID 2736 wrote to memory of 2420	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	30
PID 2736 wrote to memory of 2420	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	30
PID 2736 wrote to memory of 2420	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	30
PID 2736 wrote to memory of 2452	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	31
PID 2736 wrote to memory of 2452	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	31
PID 2736 wrote to memory of 2452	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	31
PID 2736 wrote to memory of 2452	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	31
PID 2736 wrote to memory of 2596	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	32
PID 2736 wrote to memory of 2596	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	32
PID 2736 wrote to memory of 2596	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	32
PID 2736 wrote to memory of 2596	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	32
PID 2736 wrote to memory of 2268	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	33
PID 2736 wrote to memory of 2268	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	33
PID 2736 wrote to memory of 2268	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	33
PID 2736 wrote to memory of 2268	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	33
PID 2736 wrote to memory of 2708	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	34
PID 2736 wrote to memory of 2708	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	34
PID 2736 wrote to memory of 2708	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	34
PID 2736 wrote to memory of 2708	2736	NEAS.c981f360a3f4914780448d1f10dc9d00.exe	34
PID 2584 wrote to memory of 1456	2584	backup.exe	35
PID 2584 wrote to memory of 1456	2584	backup.exe	35
PID 2584 wrote to memory of 1456	2584	backup.exe	35
PID 2584 wrote to memory of 1456	2584	backup.exe	35
PID 1456 wrote to memory of 1676	1456	backup.exe	36
PID 1456 wrote to memory of 1676	1456	backup.exe	36
PID 1456 wrote to memory of 1676	1456	backup.exe	36
PID 1456 wrote to memory of 1676	1456	backup.exe	36
PID 1676 wrote to memory of 2256	1676	backup.exe	37
PID 1676 wrote to memory of 2256	1676	backup.exe	37
PID 1676 wrote to memory of 2256	1676	backup.exe	37
PID 1676 wrote to memory of 2256	1676	backup.exe	37
PID 1456 wrote to memory of 2504	1456	backup.exe	38
PID 1456 wrote to memory of 2504	1456	backup.exe	38
PID 1456 wrote to memory of 2504	1456	backup.exe	38
PID 1456 wrote to memory of 2504	1456	backup.exe	38
PID 2504 wrote to memory of 1984	2504	backup.exe	39
PID 2504 wrote to memory of 1984	2504	backup.exe	39
PID 2504 wrote to memory of 1984	2504	backup.exe	39
PID 2504 wrote to memory of 1984	2504	backup.exe	39
PID 1984 wrote to memory of 2036	1984	backup.exe	40
PID 1984 wrote to memory of 2036	1984	backup.exe	40
PID 1984 wrote to memory of 2036	1984	backup.exe	40
PID 1984 wrote to memory of 2036	1984	backup.exe	40
PID 2504 wrote to memory of 932	2504	backup.exe	41
PID 2504 wrote to memory of 932	2504	backup.exe	41
PID 2504 wrote to memory of 932	2504	backup.exe	41
PID 2504 wrote to memory of 932	2504	backup.exe	41
PID 932 wrote to memory of 2692	932	backup.exe	42
PID 932 wrote to memory of 2692	932	backup.exe	42
PID 932 wrote to memory of 2692	932	backup.exe	42
PID 932 wrote to memory of 2692	932	backup.exe	42
PID 2692 wrote to memory of 2204	2692	data.exe	43
PID 2692 wrote to memory of 2204	2692	data.exe	43
PID 2692 wrote to memory of 2204	2692	data.exe	43
PID 2692 wrote to memory of 2204	2692	data.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.c981f360a3f4914780448d1f10dc9d00.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c981f360a3f4914780448d1f10dc9d00.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\3880514436\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3880514436\backup.exe C:\Users\Admin\AppData\Local\Temp\3880514436\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2584
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1456
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1676
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2256
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1984
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:932
      - C:\Program Files\Common Files\Microsoft Shared\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\data.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2692
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1432
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2480
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2376
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1404
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1260
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2232
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2212
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1416
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1460
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1252
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2440
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:2532
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2876
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1272
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:2684
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2352
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2384
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2264
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:632
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1864
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:2804
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:1688
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2964
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2636
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\data.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2068
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:1988
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        System policy modification
        
        PID:1900
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2100
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\data.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\data.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:2908
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:1660
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:2456
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:2552
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:2320
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:2328
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2540
        
        C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1488
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:868
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1460
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2000
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:2336
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1844
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2276
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1068
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:2052
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1652
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:796
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:2636
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        
        PID:824
      - C:\Program Files\DVD Maker\de-DE\System Restore.exe
        
        "C:\Program Files\DVD Maker\de-DE\System Restore.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1028
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:668
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:2636
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:2648
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2884
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1676
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1564
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:2760
    - - C:\Program Files\Google\update.exe
        
        "C:\Program Files\Google\update.exe" C:\Program Files\Google\
        5⤵
        
        PID:2944
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1448
    - - C:\Program Files\Java\update.exe
        
        "C:\Program Files\Java\update.exe" C:\Program Files\Java\
        5⤵
        
        PID:2508
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:2196
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:3064
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1900
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2696
      - C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:852
        
        C:\Program Files\Microsoft Office\Office14\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\backup.exe" C:\Program Files\Microsoft Office\Office14\1033\
        7⤵
        
        PID:2272
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2320
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1708
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:2956
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2240
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2356
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:840
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Program Files directory
      PID:2324
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Drops file in Program Files directory
        
        PID:2708
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1216
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:2364
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:2964
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:2808
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1412
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:2344
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2404
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:2120
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1736
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:936
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2140
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2096
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1668
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1712
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1048
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2572
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:2712
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:696
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:2408
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:1944
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        
        PID:3060
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:2884
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2888
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        
        PID:1940
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:1544
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        7⤵
        
        PID:2492
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
        8⤵
        
        PID:2284
        
        C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
        7⤵
        
        PID:3032
        
        C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
        7⤵
        
        PID:1000
        
        C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
        7⤵
        
        PID:1744
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
        7⤵
        
        PID:2668
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        Drops file in Program Files directory
        
        PID:2908
      - C:\Program Files (x86)\Common Files\SpeechEngines\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\System Restore.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2332
        
        C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:2436
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2540
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1508
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1856
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1996
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2460
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1436
    - - C:\Program Files (x86)\Microsoft Analysis Services\data.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\data.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2160
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2360
      - C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        
        PID:2308
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
        6⤵
        
        PID:1676
      - C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\
        6⤵
        
        PID:1432
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1564
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:472
      - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\
        6⤵
        
        PID:2064
    - - C:\Program Files (x86)\Microsoft Synchronization Services\data.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\data.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2144
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2444
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:2176
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:2212
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1916
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:2752
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1572
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:932
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1908
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1672
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2136
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1268
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:920
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:1792
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:3020
  - - C:\Windows\System Restore.exe
      "C:\Windows\System Restore.exe" C:\Windows\
      4⤵
      PID:1776
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
122KB

MD5
7b38a4cacf97de4f2760fb28659078d4

SHA1
273d15327da71686399dd794dc2ea6284e3a67de

SHA256
25fc7284495ce522a1dbea652099d79b45c1f9db37c2240f7884a535b5760b6b

SHA512
84af3d2333e4f6661b4299cf3ce4d159e5235b4799eec0b6be03f1a2654e9478b149b9da9f34a92aefedfe97030f6914676939f658c1c0c2a7b580009fbf9110

Download Submit
C:\PerfLogs\backup.exe

Filesize
122KB

MD5
9f4a078577f986d57138150de2dd4d61

SHA1
9c5571acb65af205e6b616caeb0f57e8f25c3332

SHA256
0654ff3a813d5e3094013b8ae0912f028754b5f445ed9d266acc8a7f2d47b184

SHA512
9070ec273022b883beff8aaac15cbee18b2e16d8aa65ca15ee3306dd122fa236b948c04565d8b5ef613762b5aba4161af507bcacff2bd077fab31ce329bc1aeb

Download Submit
C:\PerfLogs\backup.exe

Filesize
122KB

MD5
9f4a078577f986d57138150de2dd4d61

SHA1
9c5571acb65af205e6b616caeb0f57e8f25c3332

SHA256
0654ff3a813d5e3094013b8ae0912f028754b5f445ed9d266acc8a7f2d47b184

SHA512
9070ec273022b883beff8aaac15cbee18b2e16d8aa65ca15ee3306dd122fa236b948c04565d8b5ef613762b5aba4161af507bcacff2bd077fab31ce329bc1aeb

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
122KB

MD5
9057c2b438844948cec4f5a338b9ded0

SHA1
a55b5338df36dc776b622f4e4111ef96fe6dcdbd

SHA256
087792143be5310e10a536432f0db04184b5af8bf3781f29706c7c50bac43859

SHA512
18c1f2532248739a958cf96821b819d2c04c9d0a0db5654f44fbb2dc1fde9d3e1835701a552efe07bf363bf06559b7e57ed4ea5e508601ac34d63a8b6bd2226b

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
7b38a4cacf97de4f2760fb28659078d4

SHA1
273d15327da71686399dd794dc2ea6284e3a67de

SHA256
25fc7284495ce522a1dbea652099d79b45c1f9db37c2240f7884a535b5760b6b

SHA512
84af3d2333e4f6661b4299cf3ce4d159e5235b4799eec0b6be03f1a2654e9478b149b9da9f34a92aefedfe97030f6914676939f658c1c0c2a7b580009fbf9110

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
7b38a4cacf97de4f2760fb28659078d4

SHA1
273d15327da71686399dd794dc2ea6284e3a67de

SHA256
25fc7284495ce522a1dbea652099d79b45c1f9db37c2240f7884a535b5760b6b

SHA512
84af3d2333e4f6661b4299cf3ce4d159e5235b4799eec0b6be03f1a2654e9478b149b9da9f34a92aefedfe97030f6914676939f658c1c0c2a7b580009fbf9110

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
122KB

MD5
4eb996ef03ca5f758c5e8a75e918ee5e

SHA1
00033592ab8ee515eccc68d85537299558afd430

SHA256
f9d8da228b1dd2a9e9be659f9b1dfb1e837993fb3775ff688bc6def1c86aefb8

SHA512
0fd3e9077097007e23aa7b438c737d04d9e129404f014725f5beabb67ad6e390e36a1e70e62d3c2fe72b3025253dd20bc2a057f5e3ba1b641e5cd4e80008ddba

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
122KB

MD5
62f106036952070e23bd3d240cfff7b9

SHA1
812be595352a9f7289e1d64879ec2af633805867

SHA256
8dcff44d9b741f9ab2967d7831740518b33737d42ca01b3eac65c23c2af53618

SHA512
3e96bfb64502f34e73c63215cdf677774db820edd75d88f34fc6d307471e7700455e74488a4209fe90c22a45416ec65cc2a92f2d1c9e061db769a38e3b5ee2fb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
122KB

MD5
62f106036952070e23bd3d240cfff7b9

SHA1
812be595352a9f7289e1d64879ec2af633805867

SHA256
8dcff44d9b741f9ab2967d7831740518b33737d42ca01b3eac65c23c2af53618

SHA512
3e96bfb64502f34e73c63215cdf677774db820edd75d88f34fc6d307471e7700455e74488a4209fe90c22a45416ec65cc2a92f2d1c9e061db769a38e3b5ee2fb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
122KB

MD5
817e94df475f9c35207e34788da60848

SHA1
df04951ba11a5a6a03998a839718776b9448d3be

SHA256
a4f5b93c05a6f0ad289c1f87fc112b023887a670bd07bd064609dcdbaf973867

SHA512
5b8340aeddf732d2f3f3880957b1959c2b010ad87bf390dcebd8136be6a552547da9ca9681ebdb50f8772f903d60e869da4c1841aac6dc91561f610674ff35d9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
122KB

MD5
4eb996ef03ca5f758c5e8a75e918ee5e

SHA1
00033592ab8ee515eccc68d85537299558afd430

SHA256
f9d8da228b1dd2a9e9be659f9b1dfb1e837993fb3775ff688bc6def1c86aefb8

SHA512
0fd3e9077097007e23aa7b438c737d04d9e129404f014725f5beabb67ad6e390e36a1e70e62d3c2fe72b3025253dd20bc2a057f5e3ba1b641e5cd4e80008ddba

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
122KB

MD5
4eb996ef03ca5f758c5e8a75e918ee5e

SHA1
00033592ab8ee515eccc68d85537299558afd430

SHA256
f9d8da228b1dd2a9e9be659f9b1dfb1e837993fb3775ff688bc6def1c86aefb8

SHA512
0fd3e9077097007e23aa7b438c737d04d9e129404f014725f5beabb67ad6e390e36a1e70e62d3c2fe72b3025253dd20bc2a057f5e3ba1b641e5cd4e80008ddba

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
122KB

MD5
e6168da3461df847be0aa88857f5f297

SHA1
0ab176953e48131ea14c4a93915747222b06fccc

SHA256
9c3d67d71cc622f8d68c6b0f9d6f2cfac84636ef452f274cde20847f774fb7f0

SHA512
113438c59f2fe7d138789b3b3111ea6a2e7d84f91f504a35c2f85a971c9ae28267f8adf4f43c37a5cd16104d06849d4a15b698c08cf19c14f594d2e8399b0e7a

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
15dc6fd72a662a9af0709c2afb37addd

SHA1
94c4671427d4023b1a4c4dbe212830827a17bb69

SHA256
cd373211f5d193c8a4836d7a48f835c133f21ad217c5f640c97914ab7f9765a4

SHA512
ead34d45ec034460ef5e00bc8e31520201c152009d1ca72417b23ea9dc86bc1a10eee3349cedcf2b89a485c46c27f66a7381984ab8bcdd1ad8c92d62a2897ad5

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
15dc6fd72a662a9af0709c2afb37addd

SHA1
94c4671427d4023b1a4c4dbe212830827a17bb69

SHA256
cd373211f5d193c8a4836d7a48f835c133f21ad217c5f640c97914ab7f9765a4

SHA512
ead34d45ec034460ef5e00bc8e31520201c152009d1ca72417b23ea9dc86bc1a10eee3349cedcf2b89a485c46c27f66a7381984ab8bcdd1ad8c92d62a2897ad5

Download Submit
C:\Program Files\backup.exe

Filesize
122KB

MD5
9f4a078577f986d57138150de2dd4d61

SHA1
9c5571acb65af205e6b616caeb0f57e8f25c3332

SHA256
0654ff3a813d5e3094013b8ae0912f028754b5f445ed9d266acc8a7f2d47b184

SHA512
9070ec273022b883beff8aaac15cbee18b2e16d8aa65ca15ee3306dd122fa236b948c04565d8b5ef613762b5aba4161af507bcacff2bd077fab31ce329bc1aeb

Download Submit
C:\Program Files\backup.exe

Filesize
122KB

MD5
9f4a078577f986d57138150de2dd4d61

SHA1
9c5571acb65af205e6b616caeb0f57e8f25c3332

SHA256
0654ff3a813d5e3094013b8ae0912f028754b5f445ed9d266acc8a7f2d47b184

SHA512
9070ec273022b883beff8aaac15cbee18b2e16d8aa65ca15ee3306dd122fa236b948c04565d8b5ef613762b5aba4161af507bcacff2bd077fab31ce329bc1aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3880514436\backup.exe

Filesize
122KB

MD5
4b88b0be985d932426f8d7cbcf28be36

SHA1
9f6a7b0963345f9235167c93fa968acbffcfcebf

SHA256
1776a138e65e7dd7560325a9a3153c25e7859760b7ba310fc321f8bf6141feb4

SHA512
27c370ac5c9cf3c8518ffdd01029a5a517320d73ee5609b4ddf3c4eb20d060ff8bf8b9cfb6f7bec8c525840aa3dabcbea5f1c8008c378267146dfceb81c0429f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3880514436\backup.exe

Filesize
122KB

MD5
4b88b0be985d932426f8d7cbcf28be36

SHA1
9f6a7b0963345f9235167c93fa968acbffcfcebf

SHA256
1776a138e65e7dd7560325a9a3153c25e7859760b7ba310fc321f8bf6141feb4

SHA512
27c370ac5c9cf3c8518ffdd01029a5a517320d73ee5609b4ddf3c4eb20d060ff8bf8b9cfb6f7bec8c525840aa3dabcbea5f1c8008c378267146dfceb81c0429f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3880514436\backup.exe

Filesize
122KB

MD5
4b88b0be985d932426f8d7cbcf28be36

SHA1
9f6a7b0963345f9235167c93fa968acbffcfcebf

SHA256
1776a138e65e7dd7560325a9a3153c25e7859760b7ba310fc321f8bf6141feb4

SHA512
27c370ac5c9cf3c8518ffdd01029a5a517320d73ee5609b4ddf3c4eb20d060ff8bf8b9cfb6f7bec8c525840aa3dabcbea5f1c8008c378267146dfceb81c0429f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
40KB

MD5
cf4fcefe6da13e9f02a8ab814f5c1807

SHA1
87bfd84192dc06c3964a92ac74a2419d137ade72

SHA256
a153e9da97f08306f4fc28efa82e45aea8db501b153ce7add66007f5fc4bdb37

SHA512
ce30d6271e4c02b9cdfdf41b64af14be001ba414acf5e33fe42830a9cb5630a4c4faed02a26c0debd108cb7d6ab45a4cb3b06b2050f7bd4c45b26c07132eac01

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
122KB

MD5
40ff0d7fa5429965e7158c2679fd4615

SHA1
ba5b2d70fe17beb3047f4aec647a36242e8679ab

SHA256
730eb21556439f7c9a769f2a93bbcc6657d245bea22dbf62348307ea94341b1d

SHA512
9e0c90bd01ad96c09066367cf28b532c8df1d277a83fac480e3cd3a9f800581c398ec9db295f0c0cdaee9991e2b75f1e8832236b78bf4a52820cc980b73ef5db

Download Submit
C:\backup.exe

Filesize
122KB

MD5
40ff0d7fa5429965e7158c2679fd4615

SHA1
ba5b2d70fe17beb3047f4aec647a36242e8679ab

SHA256
730eb21556439f7c9a769f2a93bbcc6657d245bea22dbf62348307ea94341b1d

SHA512
9e0c90bd01ad96c09066367cf28b532c8df1d277a83fac480e3cd3a9f800581c398ec9db295f0c0cdaee9991e2b75f1e8832236b78bf4a52820cc980b73ef5db

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
122KB

MD5
7b38a4cacf97de4f2760fb28659078d4

SHA1
273d15327da71686399dd794dc2ea6284e3a67de

SHA256
25fc7284495ce522a1dbea652099d79b45c1f9db37c2240f7884a535b5760b6b

SHA512
84af3d2333e4f6661b4299cf3ce4d159e5235b4799eec0b6be03f1a2654e9478b149b9da9f34a92aefedfe97030f6914676939f658c1c0c2a7b580009fbf9110

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
122KB

MD5
7b38a4cacf97de4f2760fb28659078d4

SHA1
273d15327da71686399dd794dc2ea6284e3a67de

SHA256
25fc7284495ce522a1dbea652099d79b45c1f9db37c2240f7884a535b5760b6b

SHA512
84af3d2333e4f6661b4299cf3ce4d159e5235b4799eec0b6be03f1a2654e9478b149b9da9f34a92aefedfe97030f6914676939f658c1c0c2a7b580009fbf9110

Download Submit
\PerfLogs\backup.exe

Filesize
122KB

MD5
9f4a078577f986d57138150de2dd4d61

SHA1
9c5571acb65af205e6b616caeb0f57e8f25c3332

SHA256
0654ff3a813d5e3094013b8ae0912f028754b5f445ed9d266acc8a7f2d47b184

SHA512
9070ec273022b883beff8aaac15cbee18b2e16d8aa65ca15ee3306dd122fa236b948c04565d8b5ef613762b5aba4161af507bcacff2bd077fab31ce329bc1aeb

Download Submit
\PerfLogs\backup.exe

Filesize
122KB

MD5
9f4a078577f986d57138150de2dd4d61

SHA1
9c5571acb65af205e6b616caeb0f57e8f25c3332

SHA256
0654ff3a813d5e3094013b8ae0912f028754b5f445ed9d266acc8a7f2d47b184

SHA512
9070ec273022b883beff8aaac15cbee18b2e16d8aa65ca15ee3306dd122fa236b948c04565d8b5ef613762b5aba4161af507bcacff2bd077fab31ce329bc1aeb

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
122KB

MD5
9057c2b438844948cec4f5a338b9ded0

SHA1
a55b5338df36dc776b622f4e4111ef96fe6dcdbd

SHA256
087792143be5310e10a536432f0db04184b5af8bf3781f29706c7c50bac43859

SHA512
18c1f2532248739a958cf96821b819d2c04c9d0a0db5654f44fbb2dc1fde9d3e1835701a552efe07bf363bf06559b7e57ed4ea5e508601ac34d63a8b6bd2226b

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
122KB

MD5
9057c2b438844948cec4f5a338b9ded0

SHA1
a55b5338df36dc776b622f4e4111ef96fe6dcdbd

SHA256
087792143be5310e10a536432f0db04184b5af8bf3781f29706c7c50bac43859

SHA512
18c1f2532248739a958cf96821b819d2c04c9d0a0db5654f44fbb2dc1fde9d3e1835701a552efe07bf363bf06559b7e57ed4ea5e508601ac34d63a8b6bd2226b

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
7b38a4cacf97de4f2760fb28659078d4

SHA1
273d15327da71686399dd794dc2ea6284e3a67de

SHA256
25fc7284495ce522a1dbea652099d79b45c1f9db37c2240f7884a535b5760b6b

SHA512
84af3d2333e4f6661b4299cf3ce4d159e5235b4799eec0b6be03f1a2654e9478b149b9da9f34a92aefedfe97030f6914676939f658c1c0c2a7b580009fbf9110

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
7b38a4cacf97de4f2760fb28659078d4

SHA1
273d15327da71686399dd794dc2ea6284e3a67de

SHA256
25fc7284495ce522a1dbea652099d79b45c1f9db37c2240f7884a535b5760b6b

SHA512
84af3d2333e4f6661b4299cf3ce4d159e5235b4799eec0b6be03f1a2654e9478b149b9da9f34a92aefedfe97030f6914676939f658c1c0c2a7b580009fbf9110

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
122KB

MD5
4eb996ef03ca5f758c5e8a75e918ee5e

SHA1
00033592ab8ee515eccc68d85537299558afd430

SHA256
f9d8da228b1dd2a9e9be659f9b1dfb1e837993fb3775ff688bc6def1c86aefb8

SHA512
0fd3e9077097007e23aa7b438c737d04d9e129404f014725f5beabb67ad6e390e36a1e70e62d3c2fe72b3025253dd20bc2a057f5e3ba1b641e5cd4e80008ddba

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
122KB

MD5
4eb996ef03ca5f758c5e8a75e918ee5e

SHA1
00033592ab8ee515eccc68d85537299558afd430

SHA256
f9d8da228b1dd2a9e9be659f9b1dfb1e837993fb3775ff688bc6def1c86aefb8

SHA512
0fd3e9077097007e23aa7b438c737d04d9e129404f014725f5beabb67ad6e390e36a1e70e62d3c2fe72b3025253dd20bc2a057f5e3ba1b641e5cd4e80008ddba

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
122KB

MD5
62f106036952070e23bd3d240cfff7b9

SHA1
812be595352a9f7289e1d64879ec2af633805867

SHA256
8dcff44d9b741f9ab2967d7831740518b33737d42ca01b3eac65c23c2af53618

SHA512
3e96bfb64502f34e73c63215cdf677774db820edd75d88f34fc6d307471e7700455e74488a4209fe90c22a45416ec65cc2a92f2d1c9e061db769a38e3b5ee2fb

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
122KB

MD5
62f106036952070e23bd3d240cfff7b9

SHA1
812be595352a9f7289e1d64879ec2af633805867

SHA256
8dcff44d9b741f9ab2967d7831740518b33737d42ca01b3eac65c23c2af53618

SHA512
3e96bfb64502f34e73c63215cdf677774db820edd75d88f34fc6d307471e7700455e74488a4209fe90c22a45416ec65cc2a92f2d1c9e061db769a38e3b5ee2fb

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
122KB

MD5
817e94df475f9c35207e34788da60848

SHA1
df04951ba11a5a6a03998a839718776b9448d3be

SHA256
a4f5b93c05a6f0ad289c1f87fc112b023887a670bd07bd064609dcdbaf973867

SHA512
5b8340aeddf732d2f3f3880957b1959c2b010ad87bf390dcebd8136be6a552547da9ca9681ebdb50f8772f903d60e869da4c1841aac6dc91561f610674ff35d9

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
122KB

MD5
817e94df475f9c35207e34788da60848

SHA1
df04951ba11a5a6a03998a839718776b9448d3be

SHA256
a4f5b93c05a6f0ad289c1f87fc112b023887a670bd07bd064609dcdbaf973867

SHA512
5b8340aeddf732d2f3f3880957b1959c2b010ad87bf390dcebd8136be6a552547da9ca9681ebdb50f8772f903d60e869da4c1841aac6dc91561f610674ff35d9

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
122KB

MD5
4eb996ef03ca5f758c5e8a75e918ee5e

SHA1
00033592ab8ee515eccc68d85537299558afd430

SHA256
f9d8da228b1dd2a9e9be659f9b1dfb1e837993fb3775ff688bc6def1c86aefb8

SHA512
0fd3e9077097007e23aa7b438c737d04d9e129404f014725f5beabb67ad6e390e36a1e70e62d3c2fe72b3025253dd20bc2a057f5e3ba1b641e5cd4e80008ddba

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
122KB

MD5
4eb996ef03ca5f758c5e8a75e918ee5e

SHA1
00033592ab8ee515eccc68d85537299558afd430

SHA256
f9d8da228b1dd2a9e9be659f9b1dfb1e837993fb3775ff688bc6def1c86aefb8

SHA512
0fd3e9077097007e23aa7b438c737d04d9e129404f014725f5beabb67ad6e390e36a1e70e62d3c2fe72b3025253dd20bc2a057f5e3ba1b641e5cd4e80008ddba

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
122KB

MD5
e6168da3461df847be0aa88857f5f297

SHA1
0ab176953e48131ea14c4a93915747222b06fccc

SHA256
9c3d67d71cc622f8d68c6b0f9d6f2cfac84636ef452f274cde20847f774fb7f0

SHA512
113438c59f2fe7d138789b3b3111ea6a2e7d84f91f504a35c2f85a971c9ae28267f8adf4f43c37a5cd16104d06849d4a15b698c08cf19c14f594d2e8399b0e7a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
122KB

MD5
e6168da3461df847be0aa88857f5f297

SHA1
0ab176953e48131ea14c4a93915747222b06fccc

SHA256
9c3d67d71cc622f8d68c6b0f9d6f2cfac84636ef452f274cde20847f774fb7f0

SHA512
113438c59f2fe7d138789b3b3111ea6a2e7d84f91f504a35c2f85a971c9ae28267f8adf4f43c37a5cd16104d06849d4a15b698c08cf19c14f594d2e8399b0e7a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
122KB

MD5
e6168da3461df847be0aa88857f5f297

SHA1
0ab176953e48131ea14c4a93915747222b06fccc

SHA256
9c3d67d71cc622f8d68c6b0f9d6f2cfac84636ef452f274cde20847f774fb7f0

SHA512
113438c59f2fe7d138789b3b3111ea6a2e7d84f91f504a35c2f85a971c9ae28267f8adf4f43c37a5cd16104d06849d4a15b698c08cf19c14f594d2e8399b0e7a

Download Submit
\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
15dc6fd72a662a9af0709c2afb37addd

SHA1
94c4671427d4023b1a4c4dbe212830827a17bb69

SHA256
cd373211f5d193c8a4836d7a48f835c133f21ad217c5f640c97914ab7f9765a4

SHA512
ead34d45ec034460ef5e00bc8e31520201c152009d1ca72417b23ea9dc86bc1a10eee3349cedcf2b89a485c46c27f66a7381984ab8bcdd1ad8c92d62a2897ad5

Download Submit
\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
15dc6fd72a662a9af0709c2afb37addd

SHA1
94c4671427d4023b1a4c4dbe212830827a17bb69

SHA256
cd373211f5d193c8a4836d7a48f835c133f21ad217c5f640c97914ab7f9765a4

SHA512
ead34d45ec034460ef5e00bc8e31520201c152009d1ca72417b23ea9dc86bc1a10eee3349cedcf2b89a485c46c27f66a7381984ab8bcdd1ad8c92d62a2897ad5

Download Submit
\Program Files\backup.exe

Filesize
122KB

MD5
9f4a078577f986d57138150de2dd4d61

SHA1
9c5571acb65af205e6b616caeb0f57e8f25c3332

SHA256
0654ff3a813d5e3094013b8ae0912f028754b5f445ed9d266acc8a7f2d47b184

SHA512
9070ec273022b883beff8aaac15cbee18b2e16d8aa65ca15ee3306dd122fa236b948c04565d8b5ef613762b5aba4161af507bcacff2bd077fab31ce329bc1aeb

Download Submit
\Program Files\backup.exe

Filesize
122KB

MD5
9f4a078577f986d57138150de2dd4d61

SHA1
9c5571acb65af205e6b616caeb0f57e8f25c3332

SHA256
0654ff3a813d5e3094013b8ae0912f028754b5f445ed9d266acc8a7f2d47b184

SHA512
9070ec273022b883beff8aaac15cbee18b2e16d8aa65ca15ee3306dd122fa236b948c04565d8b5ef613762b5aba4161af507bcacff2bd077fab31ce329bc1aeb

Download Submit
\Users\Admin\AppData\Local\Temp\3880514436\backup.exe

Filesize
122KB

MD5
4b88b0be985d932426f8d7cbcf28be36

SHA1
9f6a7b0963345f9235167c93fa968acbffcfcebf

SHA256
1776a138e65e7dd7560325a9a3153c25e7859760b7ba310fc321f8bf6141feb4

SHA512
27c370ac5c9cf3c8518ffdd01029a5a517320d73ee5609b4ddf3c4eb20d060ff8bf8b9cfb6f7bec8c525840aa3dabcbea5f1c8008c378267146dfceb81c0429f

Download Submit
\Users\Admin\AppData\Local\Temp\3880514436\backup.exe

Filesize
122KB

MD5
4b88b0be985d932426f8d7cbcf28be36

SHA1
9f6a7b0963345f9235167c93fa968acbffcfcebf

SHA256
1776a138e65e7dd7560325a9a3153c25e7859760b7ba310fc321f8bf6141feb4

SHA512
27c370ac5c9cf3c8518ffdd01029a5a517320d73ee5609b4ddf3c4eb20d060ff8bf8b9cfb6f7bec8c525840aa3dabcbea5f1c8008c378267146dfceb81c0429f

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
d1b61f963724029942aa6721eac7fa60

SHA1
d073045854e3692cd10d20dfe863f3bb58bde25e

SHA256
0f1db287c0e424693ff7b39c2b67e283749164b9d2d058237a3cb49bfa09ead5

SHA512
6fedf34fdf3b3fb77b14ab96361f1f2bfd179521a65f9f8ba57dca79e417d466c13978cf735c93a4e38385441c85bbfe49e9d30764d68a2cf3af6504e9ff0474

Download Submit
memory/276-446-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/892-315-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/932-264-0x00000000003B0000-0x00000000003D4000-memory.dmp

Filesize
144KB

Download
memory/932-251-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/932-201-0x00000000003B0000-0x00000000003D4000-memory.dmp

Filesize
144KB

Download
memory/932-260-0x00000000003B0000-0x00000000003D4000-memory.dmp

Filesize
144KB

Download
memory/1124-417-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1232-296-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1252-630-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1260-474-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1404-392-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1416-540-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1432-285-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1456-140-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/1456-163-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1548-457-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1556-256-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1572-493-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1624-561-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1676-130-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1728-277-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1756-555-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1904-465-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1908-383-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1908-380-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1984-175-0x00000000003A0000-0x00000000003C4000-memory.dmp

Filesize
144KB

Download
memory/1984-187-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1996-243-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2000-324-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2036-181-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2160-511-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2204-219-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2212-521-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2232-483-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2256-131-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2268-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2376-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2376-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2376-354-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2420-99-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2420-657-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2428-372-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2440-688-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2452-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2480-345-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-215-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2504-208-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-161-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2504-186-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2540-405-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/2540-423-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-449-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-378-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/2540-443-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/2540-388-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/2540-424-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/2540-368-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/2540-367-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/2540-425-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/2540-434-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/2544-438-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2584-96-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2584-631-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2584-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2584-98-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2596-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2692-290-0x0000000001CD0000-0x0000000001CF4000-memory.dmp

Filesize
144KB

Download
memory/2692-214-0x0000000001CD0000-0x0000000001CF4000-memory.dmp

Filesize
144KB

Download
memory/2692-291-0x0000000001CD0000-0x0000000001CF4000-memory.dmp

Filesize
144KB

Download
memory/2692-281-0x0000000001CD0000-0x0000000001CF4000-memory.dmp

Filesize
144KB

Download
memory/2692-280-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2704-335-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2708-88-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-382-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-126-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/2736-13-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2736-7-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2736-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-195-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/2736-151-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2736-85-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2736-24-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2736-73-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2736-37-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2736-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-60-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2736-136-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/2760-305-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2776-647-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2844-579-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2876-399-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2892-453-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-422-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-310-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-320-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-470-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-301-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-322-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-227-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2892-239-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-292-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2892-359-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-319-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-331-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-330-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-340-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-341-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-252-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-253-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-350-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2892-689-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2948-535-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads