0a889c23900e3e29f1796624bf666e53d4a578fb518fc4e66d4471efa36c9989

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 23:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
Size

122KB
MD5

f533d280af8dc3733760bea3ef1f1ca0
SHA1

cdb972d5df18bcd5758dfe5e9e1da60ccf3cb892
SHA256

0a889c23900e3e29f1796624bf666e53d4a578fb518fc4e66d4471efa36c9989
SHA512

736da9f42d8154828b5d508bc29aa96ed38eabf1799494adb2ee9b5ef43c8be3e1ce055df976df4694beb3e7b693be69959b2fadf611a9ca4a2f19cca73a03d9
SSDEEP

1536:lvm1Fu8AjYaFwjRUdW7fmyY7aZYJVmy0KQbj6vbjuKoauGi4+:6u8ANCUdgfmD7zey0KUj6TjR9i4+

Score

10^/10

dropper evasion persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/memory/2340-0-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x00340000000144fa-5.dat	family_berbew
behavioral1/memory/2340-7-0x00000000002B0000-0x00000000002D4000-memory.dmp	family_berbew
behavioral1/files/0x00340000000144fa-10.dat	family_berbew
behavioral1/files/0x00340000000144fa-12.dat	family_berbew
behavioral1/files/0x00340000000144fa-8.dat	family_berbew
behavioral1/files/0x000a000000014abe-17.dat	family_berbew
behavioral1/files/0x000a000000014abe-19.dat	family_berbew
behavioral1/files/0x000a000000014abe-22.dat	family_berbew
behavioral1/memory/2764-25-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/memory/2764-29-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0009000000014faf-30.dat	family_berbew
behavioral1/files/0x0009000000014faf-32.dat	family_berbew
behavioral1/files/0x0009000000014faf-36.dat	family_berbew
behavioral1/files/0x000b000000014adb-40.dat	family_berbew
behavioral1/files/0x000b000000014adb-42.dat	family_berbew
behavioral1/files/0x000b000000014adb-46.dat	family_berbew
behavioral1/files/0x0006000000015223-52.dat	family_berbew
behavioral1/memory/2668-51-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/memory/2340-54-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0006000000015223-55.dat	family_berbew
behavioral1/files/0x0006000000015223-60.dat	family_berbew
behavioral1/memory/2340-61-0x00000000002B0000-0x00000000002D4000-memory.dmp	family_berbew
behavioral1/memory/3016-59-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/memory/2660-65-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x00060000000153bf-68.dat	family_berbew
behavioral1/files/0x00060000000153bf-66.dat	family_berbew
behavioral1/memory/2340-70-0x00000000002B0000-0x00000000002D4000-memory.dmp	family_berbew
behavioral1/files/0x00060000000153bf-73.dat	family_berbew
behavioral1/memory/2572-77-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0008000000014fec-78.dat	family_berbew
behavioral1/files/0x0008000000014fec-80.dat	family_berbew
behavioral1/files/0x0008000000014fec-84.dat	family_berbew
behavioral1/memory/2748-85-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/memory/2200-88-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x00340000000144fa-90.dat	family_berbew
behavioral1/memory/3016-97-0x00000000003B0000-0x00000000003D4000-memory.dmp	family_berbew
behavioral1/files/0x00060000000155fd-96.dat	family_berbew
behavioral1/files/0x00060000000155fd-102.dat	family_berbew
behavioral1/files/0x000600000001560d-104.dat	family_berbew
behavioral1/files/0x000600000001560d-106.dat	family_berbew
behavioral1/files/0x000600000001560d-110.dat	family_berbew
behavioral1/files/0x000600000001560d-113.dat	family_berbew
behavioral1/files/0x0006000000015654-118.dat	family_berbew
behavioral1/memory/776-127-0x00000000002A0000-0x00000000002C4000-memory.dmp	family_berbew
behavioral1/files/0x0006000000015654-122.dat	family_berbew
behavioral1/files/0x0006000000015654-126.dat	family_berbew
behavioral1/memory/2796-139-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/memory/776-138-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0007000000015c3d-142.dat	family_berbew
behavioral1/files/0x0007000000015c3d-146.dat	family_berbew
behavioral1/files/0x0007000000015c3d-140.dat	family_berbew
behavioral1/files/0x0007000000015c3d-149.dat	family_berbew
behavioral1/files/0x0007000000015619-151.dat	family_berbew
behavioral1/files/0x0007000000015619-153.dat	family_berbew
behavioral1/memory/592-158-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0007000000015619-157.dat	family_berbew
behavioral1/files/0x0007000000015619-161.dat	family_berbew
behavioral1/files/0x0006000000015c57-163.dat	family_berbew
behavioral1/memory/592-165-0x0000000000260000-0x0000000000284000-memory.dmp	family_berbew
behavioral1/files/0x0006000000015c57-166.dat	family_berbew
behavioral1/files/0x0006000000015c57-171.dat	family_berbew
behavioral1/files/0x0006000000015c7a-184.dat	family_berbew
behavioral1/files/0x0006000000015c7a-179.dat	family_berbew

Modifies visibility of file extensions in Explorer 2 TTPs 63 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
3016	backup.exe
2764	backup.exe
2748	backup.exe
2668	backup.exe
2660	System Restore.exe
2572	backup.exe
2200	backup.exe
592	backup.exe
776	backup.exe
2796	backup.exe
1216	backup.exe
1976	backup.exe
396	backup.exe
1564	backup.exe
2396	backup.exe
2836	backup.exe
2268	backup.exe
1368	backup.exe
1536	data.exe
2292	backup.exe
1956	backup.exe
2940	backup.exe
2072	backup.exe
712	backup.exe
1708	backup.exe
888	backup.exe
1556	backup.exe
2716	backup.exe
2648	update.exe
2744	backup.exe
2500	backup.exe
1996	System Restore.exe
2512	backup.exe
2092	backup.exe
2468	backup.exe
588	backup.exe
812	backup.exe
1888	backup.exe
2416	backup.exe
776	System Restore.exe
1480	backup.exe
2188	backup.exe
2056	backup.exe
396	backup.exe
1612	backup.exe
2068	backup.exe
3064	backup.exe
2264	backup.exe
2972	backup.exe
1368	backup.exe
1792	backup.exe
1336	backup.exe
2460	backup.exe
304	data.exe
2988	backup.exe
324	backup.exe
2248	update.exe
2336	backup.exe
3024	System Restore.exe
2968	backup.exe
2728	backup.exe
2740	backup.exe
2664	backup.exe
2300	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
592	backup.exe
592	backup.exe
776	backup.exe
776	backup.exe
592	backup.exe
592	backup.exe
1216	backup.exe
1216	backup.exe
1976	backup.exe
1976	backup.exe
1216	backup.exe
1216	backup.exe
1564	backup.exe
1564	backup.exe
2396	backup.exe
2396	backup.exe
2396	backup.exe
2396	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
2648	update.exe
2648	update.exe
2648	update.exe
2648	update.exe
2648	update.exe
2744	backup.exe
2744	backup.exe
2744	backup.exe
2648	update.exe

Drops file in Program Files directory 56 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	update.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\System Restore.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
3016	backup.exe
2764	backup.exe
2748	backup.exe
2668	backup.exe
2660	System Restore.exe
2572	backup.exe
2200	backup.exe
592	backup.exe
776	backup.exe
2796	backup.exe
1216	backup.exe
1976	backup.exe
396	backup.exe
1564	backup.exe
2396	backup.exe
2836	backup.exe
2268	backup.exe
1368	backup.exe
1536	data.exe
2292	backup.exe
1956	backup.exe
2940	backup.exe
2072	backup.exe
712	backup.exe
1708	backup.exe
888	backup.exe
1556	backup.exe
2716	backup.exe
2648	update.exe
2744	backup.exe
2500	backup.exe
1996	System Restore.exe
2512	backup.exe
2092	backup.exe
2468	backup.exe
588	backup.exe
812	backup.exe
1888	backup.exe
2416	backup.exe
776	System Restore.exe
1480	backup.exe
2188	backup.exe
2056	backup.exe
396	backup.exe
1612	backup.exe
2068	backup.exe
3064	backup.exe
2264	backup.exe
2972	backup.exe
1368	backup.exe
1792	backup.exe
1336	backup.exe
2460	backup.exe
304	data.exe
2988	backup.exe
324	backup.exe
2248	update.exe
2336	backup.exe
3024	System Restore.exe
2968	backup.exe
2728	backup.exe
2740	backup.exe
2664	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3016	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	28
PID 2340 wrote to memory of 3016	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	28
PID 2340 wrote to memory of 3016	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	28
PID 2340 wrote to memory of 3016	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	28
PID 2340 wrote to memory of 2764	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	29
PID 2340 wrote to memory of 2764	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	29
PID 2340 wrote to memory of 2764	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	29
PID 2340 wrote to memory of 2764	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	29
PID 2340 wrote to memory of 2748	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	30
PID 2340 wrote to memory of 2748	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	30
PID 2340 wrote to memory of 2748	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	30
PID 2340 wrote to memory of 2748	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	30
PID 2340 wrote to memory of 2668	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	31
PID 2340 wrote to memory of 2668	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	31
PID 2340 wrote to memory of 2668	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	31
PID 2340 wrote to memory of 2668	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	31
PID 2340 wrote to memory of 2660	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	32
PID 2340 wrote to memory of 2660	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	32
PID 2340 wrote to memory of 2660	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	32
PID 2340 wrote to memory of 2660	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	32
PID 2340 wrote to memory of 2572	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	33
PID 2340 wrote to memory of 2572	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	33
PID 2340 wrote to memory of 2572	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	33
PID 2340 wrote to memory of 2572	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	33
PID 2340 wrote to memory of 2200	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	34
PID 2340 wrote to memory of 2200	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	34
PID 2340 wrote to memory of 2200	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	34
PID 2340 wrote to memory of 2200	2340	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe	34
PID 3016 wrote to memory of 592	3016	backup.exe	35
PID 3016 wrote to memory of 592	3016	backup.exe	35
PID 3016 wrote to memory of 592	3016	backup.exe	35
PID 3016 wrote to memory of 592	3016	backup.exe	35
PID 592 wrote to memory of 776	592	backup.exe	36
PID 592 wrote to memory of 776	592	backup.exe	36
PID 592 wrote to memory of 776	592	backup.exe	36
PID 592 wrote to memory of 776	592	backup.exe	36
PID 776 wrote to memory of 2796	776	backup.exe	37
PID 776 wrote to memory of 2796	776	backup.exe	37
PID 776 wrote to memory of 2796	776	backup.exe	37
PID 776 wrote to memory of 2796	776	backup.exe	37
PID 592 wrote to memory of 1216	592	backup.exe	38
PID 592 wrote to memory of 1216	592	backup.exe	38
PID 592 wrote to memory of 1216	592	backup.exe	38
PID 592 wrote to memory of 1216	592	backup.exe	38
PID 1216 wrote to memory of 1976	1216	backup.exe	39
PID 1216 wrote to memory of 1976	1216	backup.exe	39
PID 1216 wrote to memory of 1976	1216	backup.exe	39
PID 1216 wrote to memory of 1976	1216	backup.exe	39
PID 1976 wrote to memory of 396	1976	backup.exe	40
PID 1976 wrote to memory of 396	1976	backup.exe	40
PID 1976 wrote to memory of 396	1976	backup.exe	40
PID 1976 wrote to memory of 396	1976	backup.exe	40
PID 1216 wrote to memory of 1564	1216	backup.exe	41
PID 1216 wrote to memory of 1564	1216	backup.exe	41
PID 1216 wrote to memory of 1564	1216	backup.exe	41
PID 1216 wrote to memory of 1564	1216	backup.exe	41
PID 1564 wrote to memory of 2396	1564	backup.exe	42
PID 1564 wrote to memory of 2396	1564	backup.exe	42
PID 1564 wrote to memory of 2396	1564	backup.exe	42
PID 1564 wrote to memory of 2396	1564	backup.exe	42
PID 2396 wrote to memory of 2836	2396	backup.exe	43
PID 2396 wrote to memory of 2836	2396	backup.exe	43
PID 2396 wrote to memory of 2836	2396	backup.exe	43
PID 2396 wrote to memory of 2836	2396	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f533d280af8dc3733760bea3ef1f1ca0.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2340
- C:\Users\Admin\AppData\Local\Temp\1398638915\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1398638915\backup.exe C:\Users\Admin\AppData\Local\Temp\1398638915\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3016
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:776
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2796
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1216
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1976
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:396
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1564
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2396
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1368
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2500
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2512
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2092
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2416
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2188
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2264
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1368
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2460
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2248
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:2300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        
        PID:2900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:2772
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:2472
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:396
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:2440
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:640
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:2712
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:2660
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:1148
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2424
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2760
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1968
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:2504
      - C:\Program Files\Common Files\SpeechEngines\update.exe
        
        "C:\Program Files\Common Files\SpeechEngines\update.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:2648
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\System Restore.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\System Restore.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1904
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:2060
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2664
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:2508
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1620
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:940
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1880
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2940
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1080
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:2252
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:2460
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1680
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2800
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:2056
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2948
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2344
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2508
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1368
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:3004
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2780
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2436
    - - C:\Program Files\Java\data.exe
        
        "C:\Program Files\Java\data.exe" C:\Program Files\Java\
        5⤵
        
        PID:2084
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1104
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2888
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2880
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2416
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:284
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2968
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2740
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:2892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1720
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:1100
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:2404
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:2376
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:2828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1048
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:904
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:2720
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2612
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1252
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:2716
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:3056
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1488
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:2116
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:696
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        
        PID:2676
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2000
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1648
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:2544
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2932
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:2156
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:2596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1756
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:2428
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:2220
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1128
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2284
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:2368
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1104
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1276
    - - C:\Program Files (x86)\Google\update.exe
        
        "C:\Program Files (x86)\Google\update.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2908
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2356
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1696
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2076
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1592
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:1336
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:2476
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:2976
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2924
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1080
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1764
      - C:\Program Files (x86)\Microsoft Office\CLIPART\data.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\data.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        
        PID:1816
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
        6⤵
        
        PID:1016
      - C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\
        6⤵
        
        PID:936
      - C:\Program Files (x86)\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\
        6⤵
        
        PID:2600
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1792
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
        6⤵
        
        PID:2232
    - - C:\Program Files (x86)\Microsoft Sync Framework\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\System Restore.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2796
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:464
      - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\
        6⤵
        
        PID:2168
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1552
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:1596
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:1728
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1452
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2120
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:2088
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:2468
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:2836
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:2668
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1664
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:3020
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1092
      - C:\Users\Admin\Pictures\update.exe
        
        C:\Users\Admin\Pictures\update.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2588
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:808
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2408
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:952
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2328
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2504
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1760
      - C:\Users\Public\Music\System Restore.exe
        
        "C:\Users\Public\Music\System Restore.exe" C:\Users\Public\Music\
        6⤵
        
        PID:2592
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2956
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:2080
        
        C:\Users\Public\Recorded TV\Sample Media\backup.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\backup.exe" C:\Users\Public\Recorded TV\Sample Media\
        7⤵
        
        PID:3048
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:1240
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2300
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:576
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:2648
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:2500
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        
        PID:960
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        
        PID:2948
        
        C:\Windows\AppPatch\Custom\Custom64\data.exe
        
        C:\Windows\AppPatch\Custom\Custom64\data.exe C:\Windows\AppPatch\Custom\Custom64\
        7⤵
        
        PID:1160
      - C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:2496
      - C:\Windows\AppPatch\es-ES\System Restore.exe
        
        "C:\Windows\AppPatch\es-ES\System Restore.exe" C:\Windows\AppPatch\es-ES\
        6⤵
        
        PID:1616
      - C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:1908
      - C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        6⤵
        
        PID:1624
      - C:\Windows\AppPatch\it-IT\backup.exe
        
        C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
        6⤵
        
        PID:2628
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1612
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:840
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:2752
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:112
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        
        PID:1096
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1572
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        
        PID:1448
      - C:\Windows\Branding\ShellBrd\backup.exe
        
        C:\Windows\Branding\ShellBrd\backup.exe C:\Windows\Branding\ShellBrd\
        6⤵
        
        PID:2432
    - - C:\Windows\CSC\update.exe
        
        C:\Windows\CSC\update.exe C:\Windows\CSC\
        5⤵
        
        PID:2576
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:2316
    - - C:\Windows\de-DE\System Restore.exe
        
        "C:\Windows\de-DE\System Restore.exe" C:\Windows\de-DE\
        5⤵
        
        PID:324
    - - C:\Windows\DigitalLocker\backup.exe
        
        C:\Windows\DigitalLocker\backup.exe C:\Windows\DigitalLocker\
        5⤵
        
        PID:2784
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2660
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
122KB

MD5
d9cdc286b53a8dfc0df57da41dc74e9d

SHA1
065a22d3432db3d09fb9b65356d8f244dd57dfdb

SHA256
8013c2eecaa9b2ba5ed06a9c15adc188b04af693410e8b6885715f3512aa0bc9

SHA512
621742f907ab7d8d02de25ff7124fabedc0fb22c4a50916a1ac11d5a55909cc3cf2568edf24c605b3a56f3b9ffd5790639cecf24c0feb163c4aaf2a75c337b6a

Download Submit
C:\PerfLogs\backup.exe

Filesize
122KB

MD5
2dd53ea37358dfe9d3264a737f9bf077

SHA1
881e6fdb562d9b3236fc71c30759890ee0b41d1a

SHA256
2d7c513789a6ada836265bbe5923318e3dd4ffdffbda31adbdc91e12dee7d7c4

SHA512
a3a5baa84b259651f85f92f87a7ef6ac6ab92d735cb24cf941acb90c04fc44c5e926fa0be71bbbd264ad367493172afdb4f84d682267be63ed90803c40fb5280

Download Submit
C:\PerfLogs\backup.exe

Filesize
122KB

MD5
2dd53ea37358dfe9d3264a737f9bf077

SHA1
881e6fdb562d9b3236fc71c30759890ee0b41d1a

SHA256
2d7c513789a6ada836265bbe5923318e3dd4ffdffbda31adbdc91e12dee7d7c4

SHA512
a3a5baa84b259651f85f92f87a7ef6ac6ab92d735cb24cf941acb90c04fc44c5e926fa0be71bbbd264ad367493172afdb4f84d682267be63ed90803c40fb5280

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
122KB

MD5
9fb6b737f17a1ec65738d22101b59821

SHA1
9f543be3d0728fb8e284b5e1c0b8f08782d012c6

SHA256
5a295bd7538af698fa0c408896dd743722641c6c15ff17de522629856c3ebe45

SHA512
144b5726a3dc020a6e1edc6fc296999d2b50823de87da57798ef41b536a6eb21ce9aad702ade0b8207bd1828d6f51d7e8f63332dc1364b7a26c6632a774d27ff

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
d9cdc286b53a8dfc0df57da41dc74e9d

SHA1
065a22d3432db3d09fb9b65356d8f244dd57dfdb

SHA256
8013c2eecaa9b2ba5ed06a9c15adc188b04af693410e8b6885715f3512aa0bc9

SHA512
621742f907ab7d8d02de25ff7124fabedc0fb22c4a50916a1ac11d5a55909cc3cf2568edf24c605b3a56f3b9ffd5790639cecf24c0feb163c4aaf2a75c337b6a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
d9cdc286b53a8dfc0df57da41dc74e9d

SHA1
065a22d3432db3d09fb9b65356d8f244dd57dfdb

SHA256
8013c2eecaa9b2ba5ed06a9c15adc188b04af693410e8b6885715f3512aa0bc9

SHA512
621742f907ab7d8d02de25ff7124fabedc0fb22c4a50916a1ac11d5a55909cc3cf2568edf24c605b3a56f3b9ffd5790639cecf24c0feb163c4aaf2a75c337b6a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
122KB

MD5
67e575ce05e7103878bdf4f65cc0f038

SHA1
dfb7c70dfd699d6bcd21724ebfa82cb1efe0b68c

SHA256
e439fd5b1b9f187e9e495e5a1870c1b093bfcbae3e24885315403788fa4ec440

SHA512
cc2aefb329edfc797f89481be42aa1416c37d519445db8c8f69fd9c35092e02f2ebd960bb165eb4d077160ccd0c7015af620338a457eb20d656633207c7aba9f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
122KB

MD5
92c7ef4397c958a7014ce723e14c8947

SHA1
65a43388569124232297875c1846094249b665b5

SHA256
0e0d29b922925a31558daa9eaa1e8ace21a082501263b458dbd2fb76ab431a50

SHA512
2d4788f29224096ebedb383a9211ee4a56e9632fb6e5b810ca738739491984d49341fd031b79b86f5c53ca9b5377650a4a53dc251ff877ea75c627497d23222a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
122KB

MD5
92c7ef4397c958a7014ce723e14c8947

SHA1
65a43388569124232297875c1846094249b665b5

SHA256
0e0d29b922925a31558daa9eaa1e8ace21a082501263b458dbd2fb76ab431a50

SHA512
2d4788f29224096ebedb383a9211ee4a56e9632fb6e5b810ca738739491984d49341fd031b79b86f5c53ca9b5377650a4a53dc251ff877ea75c627497d23222a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
122KB

MD5
135b9ec8763462e397f7028078ca4ee6

SHA1
ada1f706565d372e884fe7d9c51cbd723353ad8b

SHA256
2ee9487a1d474b7a86e1a51c855ef9f13ff946b5a9a8d5dc794c9116d80f9504

SHA512
78512276d8f5e8eed51aadc95113761040556d4c1128fbebcdbd4df900d5499ae0249e1ef2cced0434bbc601a00c4b997e3157fe36f3e0f44fa2c852bad23ad4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
122KB

MD5
67e575ce05e7103878bdf4f65cc0f038

SHA1
dfb7c70dfd699d6bcd21724ebfa82cb1efe0b68c

SHA256
e439fd5b1b9f187e9e495e5a1870c1b093bfcbae3e24885315403788fa4ec440

SHA512
cc2aefb329edfc797f89481be42aa1416c37d519445db8c8f69fd9c35092e02f2ebd960bb165eb4d077160ccd0c7015af620338a457eb20d656633207c7aba9f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
122KB

MD5
67e575ce05e7103878bdf4f65cc0f038

SHA1
dfb7c70dfd699d6bcd21724ebfa82cb1efe0b68c

SHA256
e439fd5b1b9f187e9e495e5a1870c1b093bfcbae3e24885315403788fa4ec440

SHA512
cc2aefb329edfc797f89481be42aa1416c37d519445db8c8f69fd9c35092e02f2ebd960bb165eb4d077160ccd0c7015af620338a457eb20d656633207c7aba9f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe

Filesize
122KB

MD5
135b9ec8763462e397f7028078ca4ee6

SHA1
ada1f706565d372e884fe7d9c51cbd723353ad8b

SHA256
2ee9487a1d474b7a86e1a51c855ef9f13ff946b5a9a8d5dc794c9116d80f9504

SHA512
78512276d8f5e8eed51aadc95113761040556d4c1128fbebcdbd4df900d5499ae0249e1ef2cced0434bbc601a00c4b997e3157fe36f3e0f44fa2c852bad23ad4

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
138e5fd3c4e5dd694e96c2de72b2bc45

SHA1
c68c99d6118a4e8f89a8f2ae0a0a145ca67edeae

SHA256
3a2ed6e03662228a769edafd9455e7ca8b3200997cd0517b748c89ccfd92b530

SHA512
8aa7c501f6a529e93efdcc135a8756552da1613e9fd49e28be1abd7800ad956b74dfba2243c5f12408a573de3d5de788b4634d285e69b7a6d1e4d290a1ca2975

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
138e5fd3c4e5dd694e96c2de72b2bc45

SHA1
c68c99d6118a4e8f89a8f2ae0a0a145ca67edeae

SHA256
3a2ed6e03662228a769edafd9455e7ca8b3200997cd0517b748c89ccfd92b530

SHA512
8aa7c501f6a529e93efdcc135a8756552da1613e9fd49e28be1abd7800ad956b74dfba2243c5f12408a573de3d5de788b4634d285e69b7a6d1e4d290a1ca2975

Download Submit
C:\Program Files\backup.exe

Filesize
122KB

MD5
2dd53ea37358dfe9d3264a737f9bf077

SHA1
881e6fdb562d9b3236fc71c30759890ee0b41d1a

SHA256
2d7c513789a6ada836265bbe5923318e3dd4ffdffbda31adbdc91e12dee7d7c4

SHA512
a3a5baa84b259651f85f92f87a7ef6ac6ab92d735cb24cf941acb90c04fc44c5e926fa0be71bbbd264ad367493172afdb4f84d682267be63ed90803c40fb5280

Download Submit
C:\Program Files\backup.exe

Filesize
122KB

MD5
2dd53ea37358dfe9d3264a737f9bf077

SHA1
881e6fdb562d9b3236fc71c30759890ee0b41d1a

SHA256
2d7c513789a6ada836265bbe5923318e3dd4ffdffbda31adbdc91e12dee7d7c4

SHA512
a3a5baa84b259651f85f92f87a7ef6ac6ab92d735cb24cf941acb90c04fc44c5e926fa0be71bbbd264ad367493172afdb4f84d682267be63ed90803c40fb5280

Download Submit
C:\Users\Admin\AppData\Local\Temp\1398638915\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1398638915\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1398638915\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
41KB

MD5
4cec9872dacdb603f1dc0ce9e184f967

SHA1
1f2f9b0b4a25e7ea2545631b2f5af737a638eb5a

SHA256
e0bdb23661a50424d0ba80d9a341b033cf068db7d399219c9a5319fed379392b

SHA512
f03676959729bb5f8b35069c94d6ce03eb2ef4ab35a85d33924e6fea1a0b3c0ac1b166708c9a3d99e0019a33cd6acffd853b5e871f202d82781c2c53cf413f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
122KB

MD5
37933aeef4d2ceb7a0bfd8021ab720ba

SHA1
51be910b0b580a6559048eccc6252e6a4cf302ab

SHA256
0fa9e2d4278429f333f102a70a96f5e0679fa49abc16389f9c5db58a3306c01e

SHA512
52ef460ed992f7a138b0b6a8f53144c24c2abac9aed8beb933d6ee19f4c905da2789b28e455f171f03cdc14a510d721c93e2bb961ecff95942a3502cd0f3d8c5

Download Submit
C:\backup.exe

Filesize
122KB

MD5
37933aeef4d2ceb7a0bfd8021ab720ba

SHA1
51be910b0b580a6559048eccc6252e6a4cf302ab

SHA256
0fa9e2d4278429f333f102a70a96f5e0679fa49abc16389f9c5db58a3306c01e

SHA512
52ef460ed992f7a138b0b6a8f53144c24c2abac9aed8beb933d6ee19f4c905da2789b28e455f171f03cdc14a510d721c93e2bb961ecff95942a3502cd0f3d8c5

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
122KB

MD5
d9cdc286b53a8dfc0df57da41dc74e9d

SHA1
065a22d3432db3d09fb9b65356d8f244dd57dfdb

SHA256
8013c2eecaa9b2ba5ed06a9c15adc188b04af693410e8b6885715f3512aa0bc9

SHA512
621742f907ab7d8d02de25ff7124fabedc0fb22c4a50916a1ac11d5a55909cc3cf2568edf24c605b3a56f3b9ffd5790639cecf24c0feb163c4aaf2a75c337b6a

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
122KB

MD5
d9cdc286b53a8dfc0df57da41dc74e9d

SHA1
065a22d3432db3d09fb9b65356d8f244dd57dfdb

SHA256
8013c2eecaa9b2ba5ed06a9c15adc188b04af693410e8b6885715f3512aa0bc9

SHA512
621742f907ab7d8d02de25ff7124fabedc0fb22c4a50916a1ac11d5a55909cc3cf2568edf24c605b3a56f3b9ffd5790639cecf24c0feb163c4aaf2a75c337b6a

Download Submit
\PerfLogs\backup.exe

Filesize
122KB

MD5
2dd53ea37358dfe9d3264a737f9bf077

SHA1
881e6fdb562d9b3236fc71c30759890ee0b41d1a

SHA256
2d7c513789a6ada836265bbe5923318e3dd4ffdffbda31adbdc91e12dee7d7c4

SHA512
a3a5baa84b259651f85f92f87a7ef6ac6ab92d735cb24cf941acb90c04fc44c5e926fa0be71bbbd264ad367493172afdb4f84d682267be63ed90803c40fb5280

Download Submit
\PerfLogs\backup.exe

Filesize
122KB

MD5
2dd53ea37358dfe9d3264a737f9bf077

SHA1
881e6fdb562d9b3236fc71c30759890ee0b41d1a

SHA256
2d7c513789a6ada836265bbe5923318e3dd4ffdffbda31adbdc91e12dee7d7c4

SHA512
a3a5baa84b259651f85f92f87a7ef6ac6ab92d735cb24cf941acb90c04fc44c5e926fa0be71bbbd264ad367493172afdb4f84d682267be63ed90803c40fb5280

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
122KB

MD5
9fb6b737f17a1ec65738d22101b59821

SHA1
9f543be3d0728fb8e284b5e1c0b8f08782d012c6

SHA256
5a295bd7538af698fa0c408896dd743722641c6c15ff17de522629856c3ebe45

SHA512
144b5726a3dc020a6e1edc6fc296999d2b50823de87da57798ef41b536a6eb21ce9aad702ade0b8207bd1828d6f51d7e8f63332dc1364b7a26c6632a774d27ff

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
122KB

MD5
9fb6b737f17a1ec65738d22101b59821

SHA1
9f543be3d0728fb8e284b5e1c0b8f08782d012c6

SHA256
5a295bd7538af698fa0c408896dd743722641c6c15ff17de522629856c3ebe45

SHA512
144b5726a3dc020a6e1edc6fc296999d2b50823de87da57798ef41b536a6eb21ce9aad702ade0b8207bd1828d6f51d7e8f63332dc1364b7a26c6632a774d27ff

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
d9cdc286b53a8dfc0df57da41dc74e9d

SHA1
065a22d3432db3d09fb9b65356d8f244dd57dfdb

SHA256
8013c2eecaa9b2ba5ed06a9c15adc188b04af693410e8b6885715f3512aa0bc9

SHA512
621742f907ab7d8d02de25ff7124fabedc0fb22c4a50916a1ac11d5a55909cc3cf2568edf24c605b3a56f3b9ffd5790639cecf24c0feb163c4aaf2a75c337b6a

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
d9cdc286b53a8dfc0df57da41dc74e9d

SHA1
065a22d3432db3d09fb9b65356d8f244dd57dfdb

SHA256
8013c2eecaa9b2ba5ed06a9c15adc188b04af693410e8b6885715f3512aa0bc9

SHA512
621742f907ab7d8d02de25ff7124fabedc0fb22c4a50916a1ac11d5a55909cc3cf2568edf24c605b3a56f3b9ffd5790639cecf24c0feb163c4aaf2a75c337b6a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
122KB

MD5
67e575ce05e7103878bdf4f65cc0f038

SHA1
dfb7c70dfd699d6bcd21724ebfa82cb1efe0b68c

SHA256
e439fd5b1b9f187e9e495e5a1870c1b093bfcbae3e24885315403788fa4ec440

SHA512
cc2aefb329edfc797f89481be42aa1416c37d519445db8c8f69fd9c35092e02f2ebd960bb165eb4d077160ccd0c7015af620338a457eb20d656633207c7aba9f

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
122KB

MD5
67e575ce05e7103878bdf4f65cc0f038

SHA1
dfb7c70dfd699d6bcd21724ebfa82cb1efe0b68c

SHA256
e439fd5b1b9f187e9e495e5a1870c1b093bfcbae3e24885315403788fa4ec440

SHA512
cc2aefb329edfc797f89481be42aa1416c37d519445db8c8f69fd9c35092e02f2ebd960bb165eb4d077160ccd0c7015af620338a457eb20d656633207c7aba9f

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
122KB

MD5
92c7ef4397c958a7014ce723e14c8947

SHA1
65a43388569124232297875c1846094249b665b5

SHA256
0e0d29b922925a31558daa9eaa1e8ace21a082501263b458dbd2fb76ab431a50

SHA512
2d4788f29224096ebedb383a9211ee4a56e9632fb6e5b810ca738739491984d49341fd031b79b86f5c53ca9b5377650a4a53dc251ff877ea75c627497d23222a

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
122KB

MD5
92c7ef4397c958a7014ce723e14c8947

SHA1
65a43388569124232297875c1846094249b665b5

SHA256
0e0d29b922925a31558daa9eaa1e8ace21a082501263b458dbd2fb76ab431a50

SHA512
2d4788f29224096ebedb383a9211ee4a56e9632fb6e5b810ca738739491984d49341fd031b79b86f5c53ca9b5377650a4a53dc251ff877ea75c627497d23222a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
122KB

MD5
135b9ec8763462e397f7028078ca4ee6

SHA1
ada1f706565d372e884fe7d9c51cbd723353ad8b

SHA256
2ee9487a1d474b7a86e1a51c855ef9f13ff946b5a9a8d5dc794c9116d80f9504

SHA512
78512276d8f5e8eed51aadc95113761040556d4c1128fbebcdbd4df900d5499ae0249e1ef2cced0434bbc601a00c4b997e3157fe36f3e0f44fa2c852bad23ad4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
122KB

MD5
135b9ec8763462e397f7028078ca4ee6

SHA1
ada1f706565d372e884fe7d9c51cbd723353ad8b

SHA256
2ee9487a1d474b7a86e1a51c855ef9f13ff946b5a9a8d5dc794c9116d80f9504

SHA512
78512276d8f5e8eed51aadc95113761040556d4c1128fbebcdbd4df900d5499ae0249e1ef2cced0434bbc601a00c4b997e3157fe36f3e0f44fa2c852bad23ad4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
122KB

MD5
67e575ce05e7103878bdf4f65cc0f038

SHA1
dfb7c70dfd699d6bcd21724ebfa82cb1efe0b68c

SHA256
e439fd5b1b9f187e9e495e5a1870c1b093bfcbae3e24885315403788fa4ec440

SHA512
cc2aefb329edfc797f89481be42aa1416c37d519445db8c8f69fd9c35092e02f2ebd960bb165eb4d077160ccd0c7015af620338a457eb20d656633207c7aba9f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
122KB

MD5
67e575ce05e7103878bdf4f65cc0f038

SHA1
dfb7c70dfd699d6bcd21724ebfa82cb1efe0b68c

SHA256
e439fd5b1b9f187e9e495e5a1870c1b093bfcbae3e24885315403788fa4ec440

SHA512
cc2aefb329edfc797f89481be42aa1416c37d519445db8c8f69fd9c35092e02f2ebd960bb165eb4d077160ccd0c7015af620338a457eb20d656633207c7aba9f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe

Filesize
122KB

MD5
135b9ec8763462e397f7028078ca4ee6

SHA1
ada1f706565d372e884fe7d9c51cbd723353ad8b

SHA256
2ee9487a1d474b7a86e1a51c855ef9f13ff946b5a9a8d5dc794c9116d80f9504

SHA512
78512276d8f5e8eed51aadc95113761040556d4c1128fbebcdbd4df900d5499ae0249e1ef2cced0434bbc601a00c4b997e3157fe36f3e0f44fa2c852bad23ad4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe

Filesize
122KB

MD5
135b9ec8763462e397f7028078ca4ee6

SHA1
ada1f706565d372e884fe7d9c51cbd723353ad8b

SHA256
2ee9487a1d474b7a86e1a51c855ef9f13ff946b5a9a8d5dc794c9116d80f9504

SHA512
78512276d8f5e8eed51aadc95113761040556d4c1128fbebcdbd4df900d5499ae0249e1ef2cced0434bbc601a00c4b997e3157fe36f3e0f44fa2c852bad23ad4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
122KB

MD5
e66d4e5ded3f341319c4ec8c5fe4d7e3

SHA1
a1baf113d068c82fc23b475b295f1147dd79fcc0

SHA256
1abb1d3d0ee9396d46f73b35d16cc4dd193bcf248d092f1d02f94422a061fe55

SHA512
66272b62ce3e8ba24d4af9db3776661300fe6431bce0b0a13e0fdc0d166f4147133cd1d57b6cf75829821b94fc99110250687629620d826992b0e3a835f0645c

Download Submit
\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
138e5fd3c4e5dd694e96c2de72b2bc45

SHA1
c68c99d6118a4e8f89a8f2ae0a0a145ca67edeae

SHA256
3a2ed6e03662228a769edafd9455e7ca8b3200997cd0517b748c89ccfd92b530

SHA512
8aa7c501f6a529e93efdcc135a8756552da1613e9fd49e28be1abd7800ad956b74dfba2243c5f12408a573de3d5de788b4634d285e69b7a6d1e4d290a1ca2975

Download Submit
\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
138e5fd3c4e5dd694e96c2de72b2bc45

SHA1
c68c99d6118a4e8f89a8f2ae0a0a145ca67edeae

SHA256
3a2ed6e03662228a769edafd9455e7ca8b3200997cd0517b748c89ccfd92b530

SHA512
8aa7c501f6a529e93efdcc135a8756552da1613e9fd49e28be1abd7800ad956b74dfba2243c5f12408a573de3d5de788b4634d285e69b7a6d1e4d290a1ca2975

Download Submit
\Program Files\backup.exe

Filesize
122KB

MD5
2dd53ea37358dfe9d3264a737f9bf077

SHA1
881e6fdb562d9b3236fc71c30759890ee0b41d1a

SHA256
2d7c513789a6ada836265bbe5923318e3dd4ffdffbda31adbdc91e12dee7d7c4

SHA512
a3a5baa84b259651f85f92f87a7ef6ac6ab92d735cb24cf941acb90c04fc44c5e926fa0be71bbbd264ad367493172afdb4f84d682267be63ed90803c40fb5280

Download Submit
\Program Files\backup.exe

Filesize
122KB

MD5
2dd53ea37358dfe9d3264a737f9bf077

SHA1
881e6fdb562d9b3236fc71c30759890ee0b41d1a

SHA256
2d7c513789a6ada836265bbe5923318e3dd4ffdffbda31adbdc91e12dee7d7c4

SHA512
a3a5baa84b259651f85f92f87a7ef6ac6ab92d735cb24cf941acb90c04fc44c5e926fa0be71bbbd264ad367493172afdb4f84d682267be63ed90803c40fb5280

Download Submit
\Users\Admin\AppData\Local\Temp\1398638915\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
\Users\Admin\AppData\Local\Temp\1398638915\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
8ddfda3448398a599ee6a0f93032ff96

SHA1
15766c0a961fbd9df7faa79552daed518cdee8ca

SHA256
63569d063cb42605bd6b3f399b042ecbdadbf179ac70c83351c9088a101e4b3e

SHA512
021e1a5c8cd8cc7f22c5d4ea94042e17442eda2cb76b4b66e706a2eeb7612c117f21445510014d8570a1f66367fb2d83d4ba0f884f3ec988b89bb2e21ebafa46

Download Submit
memory/304-581-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/396-176-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/588-419-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/592-158-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/592-165-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/776-127-0x00000000002A0000-0x00000000002C4000-memory.dmp

Filesize
144KB

Download
memory/776-458-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/776-138-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/812-428-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/888-318-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1216-193-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1216-232-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/1216-185-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/1216-183-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/1368-240-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1480-467-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1536-252-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1564-237-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1612-502-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1708-310-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1792-557-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1888-435-0x0000000000820000-0x0000000000844000-memory.dmp

Filesize
144KB

Download
memory/1888-441-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1888-436-0x0000000000820000-0x0000000000844000-memory.dmp

Filesize
144KB

Download
memory/1888-434-0x0000000000820000-0x0000000000844000-memory.dmp

Filesize
144KB

Download
memory/1956-277-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1976-175-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1996-374-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1996-369-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1996-370-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2056-484-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2072-294-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-401-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-399-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-397-0x00000000002D0000-0x00000000002F4000-memory.dmp

Filesize
144KB

Download
memory/2092-395-0x00000000002D0000-0x00000000002F4000-memory.dmp

Filesize
144KB

Download
memory/2188-476-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2200-88-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-603-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2268-496-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2268-446-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2268-236-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2268-234-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2268-290-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2268-248-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2268-463-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2268-315-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2268-480-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2268-332-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2268-506-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2268-507-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2268-509-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2292-263-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2300-685-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2340-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2340-24-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2340-114-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2340-13-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2340-70-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2340-7-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2340-61-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2340-47-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2340-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2340-382-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2340-170-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2396-209-0x0000000000270000-0x0000000000294000-memory.dmp

Filesize
144KB

Download
memory/2396-258-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2396-198-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2416-451-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2460-577-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2468-411-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2468-406-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2500-368-0x00000000001C0000-0x00000000001CD000-memory.dmp

Filesize
52KB

Download
memory/2500-363-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2500-360-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/2500-358-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/2508-731-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2512-389-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2512-386-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2512-381-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2512-383-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2572-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2648-440-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2648-424-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/2648-415-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/2648-394-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/2648-384-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/2648-433-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/2648-346-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/2648-379-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2648-387-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2660-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2668-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2716-336-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2744-353-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2744-347-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2744-349-0x00000000002D0000-0x00000000002F4000-memory.dmp

Filesize
144KB

Download
memory/2744-351-0x00000000002D0000-0x00000000002F4000-memory.dmp

Filesize
144KB

Download
memory/2748-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2748-626-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2764-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2764-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-139-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2836-214-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-285-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2972-541-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3016-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3016-97-0x00000000003B0000-0x00000000003D4000-memory.dmp

Filesize
144KB

Download
memory/3016-616-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3024-627-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads