5f4188ca83d8c345aa754a75531c7b8d0f5c05e23e28c7ee1bd385a9e7d1ec8c

Analysis

max time kernel
67s
max time network
123s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
16-11-2023 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
Size

81KB
MD5

2600051b2b33d4df95d13eaee3fc0130
SHA1

8f590fd88c2636f22e186d948e7d80c821a1d532
SHA256

5f4188ca83d8c345aa754a75531c7b8d0f5c05e23e28c7ee1bd385a9e7d1ec8c
SHA512

9b49d568bedfcc7385cb5ff7f000a31b945df091ab9ee4998b0c54f20bf69c23dfedab83f02909306400f6d8db8c39d6c909490119b3e0bbd46c73b47eece395
SSDEEP

768:2pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEm17:2eT7BVwxfvEFwjRp

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2628	backup.exe
2644	backup.exe
2684	backup.exe
2516	backup.exe
2488	backup.exe
3048	backup.exe
268	backup.exe
1468	backup.exe
1824	backup.exe
1328	data.exe
2012	backup.exe
2556	backup.exe
2852	backup.exe
1036	backup.exe
1972	backup.exe
1384	backup.exe
3024	backup.exe
2396	backup.exe
1792	backup.exe
1004	backup.exe
1812	backup.exe
2876	backup.exe
2044	backup.exe
1200	backup.exe
2360	backup.exe
1604	backup.exe
2708	backup.exe
2780	backup.exe
2496	backup.exe
2656	backup.exe
2872	backup.exe
2564	backup.exe
1920	backup.exe
768	update.exe
1472	backup.exe
2912	backup.exe
2848	backup.exe
2856	backup.exe
1796	backup.exe
2016	backup.exe
2756	backup.exe
1512	backup.exe
1628	backup.exe
1676	backup.exe
2220	data.exe
1924	backup.exe
2352	backup.exe
2952	backup.exe
1348	backup.exe
2396	backup.exe
1624	backup.exe
1772	backup.exe
1860	backup.exe
1988	backup.exe
2176	backup.exe
872	backup.exe
2284	backup.exe
2264	backup.exe
1728	backup.exe
2448	backup.exe
2692	backup.exe
2808	backup.exe
2804	backup.exe
2536	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
1468	backup.exe
1468	backup.exe
1824	backup.exe
1824	backup.exe
1468	backup.exe
1468	backup.exe
2012	backup.exe
2012	backup.exe
2556	backup.exe
2556	backup.exe
2012	backup.exe
2012	backup.exe
1036	backup.exe
1036	backup.exe
1972	backup.exe
1972	backup.exe
1972	backup.exe
1972	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
3024	backup.exe
2496	backup.exe
2496	backup.exe
2496	backup.exe
2496	backup.exe
2496	backup.exe
2496	backup.exe
2496	backup.exe
2496	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1716-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0031000000014b79-5.dat	upx
behavioral1/files/0x0031000000014b79-9.dat	upx
behavioral1/files/0x0031000000014b79-7.dat	upx
behavioral1/files/0x0031000000014b79-11.dat	upx
behavioral1/memory/2628-15-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x00070000000155fd-18.dat	upx
behavioral1/files/0x00070000000155fd-20.dat	upx
behavioral1/files/0x00070000000155fd-24.dat	upx
behavioral1/files/0x0008000000015654-29.dat	upx
behavioral1/memory/2644-28-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015654-31.dat	upx
behavioral1/files/0x0008000000015654-36.dat	upx
behavioral1/files/0x0008000000015601-47.dat	upx
behavioral1/files/0x0008000000015601-43.dat	upx
behavioral1/files/0x0008000000015601-41.dat	upx
behavioral1/files/0x0008000000015c57-53.dat	upx
behavioral1/memory/2516-52-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015c57-55.dat	upx
behavioral1/files/0x0008000000015c57-59.dat	upx
behavioral1/memory/2488-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015c6c-64.dat	upx
behavioral1/files/0x0006000000015c6c-66.dat	upx
behavioral1/files/0x0006000000015c6c-70.dat	upx
behavioral1/memory/3048-75-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015c7a-76.dat	upx
behavioral1/files/0x0006000000015c7a-79.dat	upx
behavioral1/memory/1716-78-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015c7a-83.dat	upx
behavioral1/memory/2628-85-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/268-88-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0031000000014b79-92.dat	upx
behavioral1/files/0x000b000000015c28-98.dat	upx
behavioral1/memory/1468-108-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000b000000015c28-116.dat	upx
behavioral1/files/0x0013000000014c45-118.dat	upx
behavioral1/files/0x0013000000014c45-120.dat	upx
behavioral1/files/0x0013000000014c45-125.dat	upx
behavioral1/memory/2684-126-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0013000000014c45-129.dat	upx
behavioral1/files/0x0006000000015caf-131.dat	upx
behavioral1/files/0x0006000000015caf-133.dat	upx
behavioral1/files/0x0006000000015caf-137.dat	upx
behavioral1/memory/1824-142-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1328-141-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015ce1-149.dat	upx
behavioral1/files/0x0007000000015ce1-145.dat	upx
behavioral1/files/0x0007000000015ce1-143.dat	upx
behavioral1/files/0x0007000000015ce1-152.dat	upx
behavioral1/files/0x0006000000015cf0-154.dat	upx
behavioral1/files/0x0006000000015cf0-156.dat	upx
behavioral1/files/0x0006000000015cf0-160.dat	upx
behavioral1/files/0x0006000000015cf0-163.dat	upx
behavioral1/files/0x0006000000015dca-165.dat	upx
behavioral1/memory/1468-173-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015dca-172.dat	upx
behavioral1/files/0x0006000000015dca-168.dat	upx
behavioral1/memory/2556-179-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015e1b-180.dat	upx
behavioral1/memory/2852-178-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015e1b-182.dat	upx
behavioral1/files/0x0007000000015e1b-186.dat	upx
behavioral1/memory/2012-187-0x00000000002B0000-0x00000000002CC000-memory.dmp	upx
behavioral1/files/0x0007000000015e1b-190.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
2628	backup.exe
2644	backup.exe
2684	backup.exe
2516	backup.exe
2488	backup.exe
3048	backup.exe
268	backup.exe
1468	backup.exe
1824	backup.exe
1328	data.exe
2012	backup.exe
2556	backup.exe
2852	backup.exe
1036	backup.exe
1972	backup.exe
1384	backup.exe
3024	backup.exe
2396	backup.exe
1792	backup.exe
1004	backup.exe
1812	backup.exe
2876	backup.exe
2044	backup.exe
1200	backup.exe
2360	backup.exe
1604	backup.exe
2708	backup.exe
2780	backup.exe
2496	backup.exe
2656	backup.exe
2872	backup.exe
2564	backup.exe
1920	backup.exe
768	update.exe
1472	backup.exe
2912	backup.exe
2848	backup.exe
2856	backup.exe
1796	backup.exe
2016	backup.exe
2756	backup.exe
1512	backup.exe
1628	backup.exe
1676	backup.exe
2220	data.exe
1924	backup.exe
2352	backup.exe
2952	backup.exe
1348	backup.exe
2396	backup.exe
1624	backup.exe
1772	backup.exe
1860	backup.exe
1988	backup.exe
2176	backup.exe
872	backup.exe
2284	backup.exe
2264	backup.exe
1728	backup.exe
2448	backup.exe
2692	backup.exe
2808	backup.exe
2804	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2628	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	28
PID 1716 wrote to memory of 2628	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	28
PID 1716 wrote to memory of 2628	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	28
PID 1716 wrote to memory of 2628	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	28
PID 1716 wrote to memory of 2644	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	29
PID 1716 wrote to memory of 2644	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	29
PID 1716 wrote to memory of 2644	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	29
PID 1716 wrote to memory of 2644	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	29
PID 1716 wrote to memory of 2684	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	30
PID 1716 wrote to memory of 2684	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	30
PID 1716 wrote to memory of 2684	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	30
PID 1716 wrote to memory of 2684	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	30
PID 1716 wrote to memory of 2516	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	31
PID 1716 wrote to memory of 2516	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	31
PID 1716 wrote to memory of 2516	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	31
PID 1716 wrote to memory of 2516	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	31
PID 1716 wrote to memory of 2488	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	32
PID 1716 wrote to memory of 2488	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	32
PID 1716 wrote to memory of 2488	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	32
PID 1716 wrote to memory of 2488	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	32
PID 1716 wrote to memory of 3048	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	33
PID 1716 wrote to memory of 3048	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	33
PID 1716 wrote to memory of 3048	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	33
PID 1716 wrote to memory of 3048	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	33
PID 1716 wrote to memory of 268	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	34
PID 1716 wrote to memory of 268	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	34
PID 1716 wrote to memory of 268	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	34
PID 1716 wrote to memory of 268	1716	NEAS.2600051b2b33d4df95d13eaee3fc0130.exe	34
PID 2628 wrote to memory of 1468	2628	backup.exe	35
PID 2628 wrote to memory of 1468	2628	backup.exe	35
PID 2628 wrote to memory of 1468	2628	backup.exe	35
PID 2628 wrote to memory of 1468	2628	backup.exe	35
PID 1468 wrote to memory of 1824	1468	backup.exe	36
PID 1468 wrote to memory of 1824	1468	backup.exe	36
PID 1468 wrote to memory of 1824	1468	backup.exe	36
PID 1468 wrote to memory of 1824	1468	backup.exe	36
PID 1824 wrote to memory of 1328	1824	backup.exe	37
PID 1824 wrote to memory of 1328	1824	backup.exe	37
PID 1824 wrote to memory of 1328	1824	backup.exe	37
PID 1824 wrote to memory of 1328	1824	backup.exe	37
PID 1468 wrote to memory of 2012	1468	backup.exe	38
PID 1468 wrote to memory of 2012	1468	backup.exe	38
PID 1468 wrote to memory of 2012	1468	backup.exe	38
PID 1468 wrote to memory of 2012	1468	backup.exe	38
PID 2012 wrote to memory of 2556	2012	backup.exe	39
PID 2012 wrote to memory of 2556	2012	backup.exe	39
PID 2012 wrote to memory of 2556	2012	backup.exe	39
PID 2012 wrote to memory of 2556	2012	backup.exe	39
PID 2556 wrote to memory of 2852	2556	backup.exe	40
PID 2556 wrote to memory of 2852	2556	backup.exe	40
PID 2556 wrote to memory of 2852	2556	backup.exe	40
PID 2556 wrote to memory of 2852	2556	backup.exe	40
PID 2012 wrote to memory of 1036	2012	backup.exe	41
PID 2012 wrote to memory of 1036	2012	backup.exe	41
PID 2012 wrote to memory of 1036	2012	backup.exe	41
PID 2012 wrote to memory of 1036	2012	backup.exe	41
PID 1036 wrote to memory of 1972	1036	backup.exe	42
PID 1036 wrote to memory of 1972	1036	backup.exe	42
PID 1036 wrote to memory of 1972	1036	backup.exe	42
PID 1036 wrote to memory of 1972	1036	backup.exe	42
PID 1972 wrote to memory of 1384	1972	backup.exe	43
PID 1972 wrote to memory of 1384	1972	backup.exe	43
PID 1972 wrote to memory of 1384	1972	backup.exe	43
PID 1972 wrote to memory of 1384	1972	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.2600051b2b33d4df95d13eaee3fc0130.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2600051b2b33d4df95d13eaee3fc0130.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\3530843782\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3530843782\backup.exe C:\Users\Admin\AppData\Local\Temp\3530843782\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1824
    - - C:\PerfLogs\Admin\data.exe
        
        C:\PerfLogs\Admin\data.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2852
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1036
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1384
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1200
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1628
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1924
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1348
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2176
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2284
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:2536
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2544
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:2140
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2560
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2548
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        System policy modification
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2900
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:1312
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2848
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        System policy modification
        
        PID:2180
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2840
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        System policy modification
        
        PID:2556
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:2228
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1356
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1104
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        System policy modification
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        System policy modification
        
        PID:1840
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        System policy modification
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2340
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1188
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:884
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2360
      - C:\Program Files\Common Files\SpeechEngines\System Restore.exe
        
        "C:\Program Files\Common Files\SpeechEngines\System Restore.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:2696
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\data.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\data.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2620
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2592
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2428
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:308
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:2560
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:700
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1100
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2680
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1564
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2372
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2580
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1708
        
        C:\Program Files\Common Files\System\fr-FR\data.exe
        
        "C:\Program Files\Common Files\System\fr-FR\data.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        System policy modification
        
        PID:1460
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        System policy modification
        
        PID:1508
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2108
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2688
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Program Files\Common Files\System\msadc\en-US\data.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\data.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3052
        
        C:\Program Files\Common Files\System\msadc\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\System Restore.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:2560
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1312
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:2472
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        System policy modification
        
        PID:2744
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:2852
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:3056
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:856
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:1260
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:892
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:1504
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:924
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        
        PID:2912
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:1992
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:2836
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:388
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1664
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2176
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
      - C:\Program Files\DVD Maker\Shared\data.exe
        
        "C:\Program Files\DVD Maker\Shared\data.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1188
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2648
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:2624
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        System policy modification
        
        PID:2140
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:764
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2936
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        System policy modification
        
        PID:2788
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:928
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1760
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:2728
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:2000
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:2360
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:2484
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1484
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:1640
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:1844
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:2116
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        
        PID:1720
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:2196
    - - C:\Program Files\Internet Explorer\data.exe
        
        "C:\Program Files\Internet Explorer\data.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1052
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2040
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:1560
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:2460
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1200
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2696
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2872
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2892
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2212
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1840
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:1520
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Program Files directory
      System policy modification
      PID:2732
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1736
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1360
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1920
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2908
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:2004
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1512
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2236
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        
        PID:320
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1844
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1340
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:2940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:592
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:2464
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:884
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1660
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:3040
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1152
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:2784
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:2224
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:2132
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1808
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1256
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1632
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1372
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:2576
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1964
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1984
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2300
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1136
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2240
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1788
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2640
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2500
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1008
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2664
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2952
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:2376
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:2248
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:2452
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2028
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1804
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2516
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:268

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\data.exe

Filesize
81KB

MD5
842728f48bc5aeaaed23e5120c41732a

SHA1
2ca80795fdde18305a2a5be6498c5acfcd90e294

SHA256
7bd56e73afaa8b71d964b0949a3c10b1c98e8b9e20f1b1ee5c977ddcfe660026

SHA512
f83c4cb146454ec8fbca02457364a051f201a868ab34d6b4ea4d3ef8965e1476a8d904411ccc63a2d901f92b2198903d2c5ae91bba6a38576a974c196761b055

Download Submit
C:\PerfLogs\backup.exe

Filesize
81KB

MD5
74702f98dc3c7fad287d64b7cce73960

SHA1
05a211f7010b2379f68f015962bb140fcc92b937

SHA256
dbc9a1aaac59d9e369a028334b195d82cec9f4f5490d3ea293a202f3c09610f7

SHA512
44601441dd7f706dd6321db195b001f86ee15199f300175d5ccf44fcca89cb9c87a1708fb9c532710d82ad0e12674672f057dc8daefd5cba73d06a1c2e2d81ff

Download Submit
C:\PerfLogs\backup.exe

Filesize
81KB

MD5
74702f98dc3c7fad287d64b7cce73960

SHA1
05a211f7010b2379f68f015962bb140fcc92b937

SHA256
dbc9a1aaac59d9e369a028334b195d82cec9f4f5490d3ea293a202f3c09610f7

SHA512
44601441dd7f706dd6321db195b001f86ee15199f300175d5ccf44fcca89cb9c87a1708fb9c532710d82ad0e12674672f057dc8daefd5cba73d06a1c2e2d81ff

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
81KB

MD5
f0a867f2074d9823417f6f4be6bd023b

SHA1
c6993233dc76930c2bbf3785a879a17bf5803793

SHA256
a4bc89ebbd4d613454c76523496fab10aca7eb43024975546ab5b1f9a8dd8d05

SHA512
4c35ab06f473393528f283eafdde28ac377169f5e249219d138c06db235fb52e692ff93f581289533b5d336dd74bdf2d4323bf641f5cc2394bec107fc968bea4

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
81KB

MD5
842728f48bc5aeaaed23e5120c41732a

SHA1
2ca80795fdde18305a2a5be6498c5acfcd90e294

SHA256
7bd56e73afaa8b71d964b0949a3c10b1c98e8b9e20f1b1ee5c977ddcfe660026

SHA512
f83c4cb146454ec8fbca02457364a051f201a868ab34d6b4ea4d3ef8965e1476a8d904411ccc63a2d901f92b2198903d2c5ae91bba6a38576a974c196761b055

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
81KB

MD5
842728f48bc5aeaaed23e5120c41732a

SHA1
2ca80795fdde18305a2a5be6498c5acfcd90e294

SHA256
7bd56e73afaa8b71d964b0949a3c10b1c98e8b9e20f1b1ee5c977ddcfe660026

SHA512
f83c4cb146454ec8fbca02457364a051f201a868ab34d6b4ea4d3ef8965e1476a8d904411ccc63a2d901f92b2198903d2c5ae91bba6a38576a974c196761b055

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
81KB

MD5
e4cce08e7d0e497fbb5f6bbb52cbdc97

SHA1
f15d64fe3891697111a318b9a676ab210845f5d5

SHA256
e7e2597da3b9e72834920a64d820d20ac850379ff4d8b93f6c0021c43ac8af9e

SHA512
b9aaf063a6dd3dcdba65079721092c704afabe5caa605f9252408358c18c8d5e7304dbc701937c2691cc8960984482cc0accc858e0fec0d2cc0ac935cf5c7ac0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
81KB

MD5
1aa93b9f4e8c2ff8ebe18e0255ae3f12

SHA1
9e827330a51b29b59f8b9a5f478ba2754874024d

SHA256
a6a8a06139159a089fb5f1f0cbd7363b56cd338995e8d07013bde717715e2bec

SHA512
abeccb71a410691ab720c42c63c79abfbb663a4147259dd0bac03686708ac2edccd2c52b0581f086e67225b48c81f78c46dd16a295362d5c01aa19b190706ce1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
81KB

MD5
1aa93b9f4e8c2ff8ebe18e0255ae3f12

SHA1
9e827330a51b29b59f8b9a5f478ba2754874024d

SHA256
a6a8a06139159a089fb5f1f0cbd7363b56cd338995e8d07013bde717715e2bec

SHA512
abeccb71a410691ab720c42c63c79abfbb663a4147259dd0bac03686708ac2edccd2c52b0581f086e67225b48c81f78c46dd16a295362d5c01aa19b190706ce1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
81KB

MD5
7a8bc77326ee976407740d1f37a8f6df

SHA1
450eab7a405b52c1f92d042273854cdaad854d88

SHA256
fb11a462a76f1a377fe606776c7e1a8947b5973995e3fc1e64ab1f7362d28e1e

SHA512
e42d046667630c2163f5e9566f30695228937b94cbf61e481b3eed6b81cecfc8e2ead242002aabf6532e25d5c554c4f5500e1c78db3eb07841964bde3778a7e0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
81KB

MD5
e4cce08e7d0e497fbb5f6bbb52cbdc97

SHA1
f15d64fe3891697111a318b9a676ab210845f5d5

SHA256
e7e2597da3b9e72834920a64d820d20ac850379ff4d8b93f6c0021c43ac8af9e

SHA512
b9aaf063a6dd3dcdba65079721092c704afabe5caa605f9252408358c18c8d5e7304dbc701937c2691cc8960984482cc0accc858e0fec0d2cc0ac935cf5c7ac0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
81KB

MD5
e4cce08e7d0e497fbb5f6bbb52cbdc97

SHA1
f15d64fe3891697111a318b9a676ab210845f5d5

SHA256
e7e2597da3b9e72834920a64d820d20ac850379ff4d8b93f6c0021c43ac8af9e

SHA512
b9aaf063a6dd3dcdba65079721092c704afabe5caa605f9252408358c18c8d5e7304dbc701937c2691cc8960984482cc0accc858e0fec0d2cc0ac935cf5c7ac0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
81KB

MD5
7a8bc77326ee976407740d1f37a8f6df

SHA1
450eab7a405b52c1f92d042273854cdaad854d88

SHA256
fb11a462a76f1a377fe606776c7e1a8947b5973995e3fc1e64ab1f7362d28e1e

SHA512
e42d046667630c2163f5e9566f30695228937b94cbf61e481b3eed6b81cecfc8e2ead242002aabf6532e25d5c554c4f5500e1c78db3eb07841964bde3778a7e0

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
81KB

MD5
1e4b9d5ad4e412268148cb904d87e4c4

SHA1
0c1053d0818df6cc09057de8898c00b39c0a1b8d

SHA256
efbad69c97acac7c6bcfee200f4d064342362704d7ce37e68db1d5e8d6e03269

SHA512
e71960821f961125fa40e639e978c0fd9773b70942ce5ff2f276f5ecf241a9e026b190b85353be5bef1a1aacaf34558507a84b48b38a378c3ada154e90345c88

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
81KB

MD5
1e4b9d5ad4e412268148cb904d87e4c4

SHA1
0c1053d0818df6cc09057de8898c00b39c0a1b8d

SHA256
efbad69c97acac7c6bcfee200f4d064342362704d7ce37e68db1d5e8d6e03269

SHA512
e71960821f961125fa40e639e978c0fd9773b70942ce5ff2f276f5ecf241a9e026b190b85353be5bef1a1aacaf34558507a84b48b38a378c3ada154e90345c88

Download Submit
C:\Program Files\backup.exe

Filesize
81KB

MD5
74702f98dc3c7fad287d64b7cce73960

SHA1
05a211f7010b2379f68f015962bb140fcc92b937

SHA256
dbc9a1aaac59d9e369a028334b195d82cec9f4f5490d3ea293a202f3c09610f7

SHA512
44601441dd7f706dd6321db195b001f86ee15199f300175d5ccf44fcca89cb9c87a1708fb9c532710d82ad0e12674672f057dc8daefd5cba73d06a1c2e2d81ff

Download Submit
C:\Program Files\backup.exe

Filesize
81KB

MD5
74702f98dc3c7fad287d64b7cce73960

SHA1
05a211f7010b2379f68f015962bb140fcc92b937

SHA256
dbc9a1aaac59d9e369a028334b195d82cec9f4f5490d3ea293a202f3c09610f7

SHA512
44601441dd7f706dd6321db195b001f86ee15199f300175d5ccf44fcca89cb9c87a1708fb9c532710d82ad0e12674672f057dc8daefd5cba73d06a1c2e2d81ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\3530843782\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3530843782\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3530843782\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
30KB

MD5
1400ddeb6d8cf1e9b3546201e433f27c

SHA1
dd57775ddca6c5910addf021ebfd99c7e40af3f0

SHA256
049791b82018eb97fa4f88b49fa1ad22e6d7b43ccf16a2b32cbaa7600578a853

SHA512
2668f5a7cb454d1c1056be109dd4f2ffad6278d5ac621ac7c349f228172df070d0d78ab6bf0a4552c322cd9d82886f9b77c5e3dbea5a3ee81df5cfb23b3d7412

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
81KB

MD5
04117694232303c4951f16d918c4ce24

SHA1
d57c806a2b2ddc5b73bf1e4e8632e45c0d157a6e

SHA256
eba05b7473432b5de05d36624ea85e465ffa4fa8f11ba3782baef0db8a010381

SHA512
ce4c42ca0b91fcabd83e456c4e725ed34b55820335cada1a67c7b06491c0e05751e517acf6902c93ed33b5f62279f433ed694172d13b17c66d973581adc34bf1

Download Submit
C:\backup.exe

Filesize
81KB

MD5
04117694232303c4951f16d918c4ce24

SHA1
d57c806a2b2ddc5b73bf1e4e8632e45c0d157a6e

SHA256
eba05b7473432b5de05d36624ea85e465ffa4fa8f11ba3782baef0db8a010381

SHA512
ce4c42ca0b91fcabd83e456c4e725ed34b55820335cada1a67c7b06491c0e05751e517acf6902c93ed33b5f62279f433ed694172d13b17c66d973581adc34bf1

Download Submit
\PerfLogs\Admin\data.exe

Filesize
81KB

MD5
842728f48bc5aeaaed23e5120c41732a

SHA1
2ca80795fdde18305a2a5be6498c5acfcd90e294

SHA256
7bd56e73afaa8b71d964b0949a3c10b1c98e8b9e20f1b1ee5c977ddcfe660026

SHA512
f83c4cb146454ec8fbca02457364a051f201a868ab34d6b4ea4d3ef8965e1476a8d904411ccc63a2d901f92b2198903d2c5ae91bba6a38576a974c196761b055

Download Submit
\PerfLogs\Admin\data.exe

Filesize
81KB

MD5
842728f48bc5aeaaed23e5120c41732a

SHA1
2ca80795fdde18305a2a5be6498c5acfcd90e294

SHA256
7bd56e73afaa8b71d964b0949a3c10b1c98e8b9e20f1b1ee5c977ddcfe660026

SHA512
f83c4cb146454ec8fbca02457364a051f201a868ab34d6b4ea4d3ef8965e1476a8d904411ccc63a2d901f92b2198903d2c5ae91bba6a38576a974c196761b055

Download Submit
\PerfLogs\backup.exe

Filesize
81KB

MD5
74702f98dc3c7fad287d64b7cce73960

SHA1
05a211f7010b2379f68f015962bb140fcc92b937

SHA256
dbc9a1aaac59d9e369a028334b195d82cec9f4f5490d3ea293a202f3c09610f7

SHA512
44601441dd7f706dd6321db195b001f86ee15199f300175d5ccf44fcca89cb9c87a1708fb9c532710d82ad0e12674672f057dc8daefd5cba73d06a1c2e2d81ff

Download Submit
\PerfLogs\backup.exe

Filesize
81KB

MD5
74702f98dc3c7fad287d64b7cce73960

SHA1
05a211f7010b2379f68f015962bb140fcc92b937

SHA256
dbc9a1aaac59d9e369a028334b195d82cec9f4f5490d3ea293a202f3c09610f7

SHA512
44601441dd7f706dd6321db195b001f86ee15199f300175d5ccf44fcca89cb9c87a1708fb9c532710d82ad0e12674672f057dc8daefd5cba73d06a1c2e2d81ff

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
81KB

MD5
f0a867f2074d9823417f6f4be6bd023b

SHA1
c6993233dc76930c2bbf3785a879a17bf5803793

SHA256
a4bc89ebbd4d613454c76523496fab10aca7eb43024975546ab5b1f9a8dd8d05

SHA512
4c35ab06f473393528f283eafdde28ac377169f5e249219d138c06db235fb52e692ff93f581289533b5d336dd74bdf2d4323bf641f5cc2394bec107fc968bea4

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
81KB

MD5
f0a867f2074d9823417f6f4be6bd023b

SHA1
c6993233dc76930c2bbf3785a879a17bf5803793

SHA256
a4bc89ebbd4d613454c76523496fab10aca7eb43024975546ab5b1f9a8dd8d05

SHA512
4c35ab06f473393528f283eafdde28ac377169f5e249219d138c06db235fb52e692ff93f581289533b5d336dd74bdf2d4323bf641f5cc2394bec107fc968bea4

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
81KB

MD5
842728f48bc5aeaaed23e5120c41732a

SHA1
2ca80795fdde18305a2a5be6498c5acfcd90e294

SHA256
7bd56e73afaa8b71d964b0949a3c10b1c98e8b9e20f1b1ee5c977ddcfe660026

SHA512
f83c4cb146454ec8fbca02457364a051f201a868ab34d6b4ea4d3ef8965e1476a8d904411ccc63a2d901f92b2198903d2c5ae91bba6a38576a974c196761b055

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
81KB

MD5
842728f48bc5aeaaed23e5120c41732a

SHA1
2ca80795fdde18305a2a5be6498c5acfcd90e294

SHA256
7bd56e73afaa8b71d964b0949a3c10b1c98e8b9e20f1b1ee5c977ddcfe660026

SHA512
f83c4cb146454ec8fbca02457364a051f201a868ab34d6b4ea4d3ef8965e1476a8d904411ccc63a2d901f92b2198903d2c5ae91bba6a38576a974c196761b055

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
81KB

MD5
e4cce08e7d0e497fbb5f6bbb52cbdc97

SHA1
f15d64fe3891697111a318b9a676ab210845f5d5

SHA256
e7e2597da3b9e72834920a64d820d20ac850379ff4d8b93f6c0021c43ac8af9e

SHA512
b9aaf063a6dd3dcdba65079721092c704afabe5caa605f9252408358c18c8d5e7304dbc701937c2691cc8960984482cc0accc858e0fec0d2cc0ac935cf5c7ac0

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
81KB

MD5
e4cce08e7d0e497fbb5f6bbb52cbdc97

SHA1
f15d64fe3891697111a318b9a676ab210845f5d5

SHA256
e7e2597da3b9e72834920a64d820d20ac850379ff4d8b93f6c0021c43ac8af9e

SHA512
b9aaf063a6dd3dcdba65079721092c704afabe5caa605f9252408358c18c8d5e7304dbc701937c2691cc8960984482cc0accc858e0fec0d2cc0ac935cf5c7ac0

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
81KB

MD5
1aa93b9f4e8c2ff8ebe18e0255ae3f12

SHA1
9e827330a51b29b59f8b9a5f478ba2754874024d

SHA256
a6a8a06139159a089fb5f1f0cbd7363b56cd338995e8d07013bde717715e2bec

SHA512
abeccb71a410691ab720c42c63c79abfbb663a4147259dd0bac03686708ac2edccd2c52b0581f086e67225b48c81f78c46dd16a295362d5c01aa19b190706ce1

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
81KB

MD5
1aa93b9f4e8c2ff8ebe18e0255ae3f12

SHA1
9e827330a51b29b59f8b9a5f478ba2754874024d

SHA256
a6a8a06139159a089fb5f1f0cbd7363b56cd338995e8d07013bde717715e2bec

SHA512
abeccb71a410691ab720c42c63c79abfbb663a4147259dd0bac03686708ac2edccd2c52b0581f086e67225b48c81f78c46dd16a295362d5c01aa19b190706ce1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
81KB

MD5
7a8bc77326ee976407740d1f37a8f6df

SHA1
450eab7a405b52c1f92d042273854cdaad854d88

SHA256
fb11a462a76f1a377fe606776c7e1a8947b5973995e3fc1e64ab1f7362d28e1e

SHA512
e42d046667630c2163f5e9566f30695228937b94cbf61e481b3eed6b81cecfc8e2ead242002aabf6532e25d5c554c4f5500e1c78db3eb07841964bde3778a7e0

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
81KB

MD5
7a8bc77326ee976407740d1f37a8f6df

SHA1
450eab7a405b52c1f92d042273854cdaad854d88

SHA256
fb11a462a76f1a377fe606776c7e1a8947b5973995e3fc1e64ab1f7362d28e1e

SHA512
e42d046667630c2163f5e9566f30695228937b94cbf61e481b3eed6b81cecfc8e2ead242002aabf6532e25d5c554c4f5500e1c78db3eb07841964bde3778a7e0

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
81KB

MD5
e4cce08e7d0e497fbb5f6bbb52cbdc97

SHA1
f15d64fe3891697111a318b9a676ab210845f5d5

SHA256
e7e2597da3b9e72834920a64d820d20ac850379ff4d8b93f6c0021c43ac8af9e

SHA512
b9aaf063a6dd3dcdba65079721092c704afabe5caa605f9252408358c18c8d5e7304dbc701937c2691cc8960984482cc0accc858e0fec0d2cc0ac935cf5c7ac0

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
81KB

MD5
e4cce08e7d0e497fbb5f6bbb52cbdc97

SHA1
f15d64fe3891697111a318b9a676ab210845f5d5

SHA256
e7e2597da3b9e72834920a64d820d20ac850379ff4d8b93f6c0021c43ac8af9e

SHA512
b9aaf063a6dd3dcdba65079721092c704afabe5caa605f9252408358c18c8d5e7304dbc701937c2691cc8960984482cc0accc858e0fec0d2cc0ac935cf5c7ac0

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
81KB

MD5
7a8bc77326ee976407740d1f37a8f6df

SHA1
450eab7a405b52c1f92d042273854cdaad854d88

SHA256
fb11a462a76f1a377fe606776c7e1a8947b5973995e3fc1e64ab1f7362d28e1e

SHA512
e42d046667630c2163f5e9566f30695228937b94cbf61e481b3eed6b81cecfc8e2ead242002aabf6532e25d5c554c4f5500e1c78db3eb07841964bde3778a7e0

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
81KB

MD5
7a8bc77326ee976407740d1f37a8f6df

SHA1
450eab7a405b52c1f92d042273854cdaad854d88

SHA256
fb11a462a76f1a377fe606776c7e1a8947b5973995e3fc1e64ab1f7362d28e1e

SHA512
e42d046667630c2163f5e9566f30695228937b94cbf61e481b3eed6b81cecfc8e2ead242002aabf6532e25d5c554c4f5500e1c78db3eb07841964bde3778a7e0

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
81KB

MD5
7a8bc77326ee976407740d1f37a8f6df

SHA1
450eab7a405b52c1f92d042273854cdaad854d88

SHA256
fb11a462a76f1a377fe606776c7e1a8947b5973995e3fc1e64ab1f7362d28e1e

SHA512
e42d046667630c2163f5e9566f30695228937b94cbf61e481b3eed6b81cecfc8e2ead242002aabf6532e25d5c554c4f5500e1c78db3eb07841964bde3778a7e0

Download Submit
\Program Files\Common Files\backup.exe

Filesize
81KB

MD5
1e4b9d5ad4e412268148cb904d87e4c4

SHA1
0c1053d0818df6cc09057de8898c00b39c0a1b8d

SHA256
efbad69c97acac7c6bcfee200f4d064342362704d7ce37e68db1d5e8d6e03269

SHA512
e71960821f961125fa40e639e978c0fd9773b70942ce5ff2f276f5ecf241a9e026b190b85353be5bef1a1aacaf34558507a84b48b38a378c3ada154e90345c88

Download Submit
\Program Files\Common Files\backup.exe

Filesize
81KB

MD5
1e4b9d5ad4e412268148cb904d87e4c4

SHA1
0c1053d0818df6cc09057de8898c00b39c0a1b8d

SHA256
efbad69c97acac7c6bcfee200f4d064342362704d7ce37e68db1d5e8d6e03269

SHA512
e71960821f961125fa40e639e978c0fd9773b70942ce5ff2f276f5ecf241a9e026b190b85353be5bef1a1aacaf34558507a84b48b38a378c3ada154e90345c88

Download Submit
\Program Files\backup.exe

Filesize
81KB

MD5
74702f98dc3c7fad287d64b7cce73960

SHA1
05a211f7010b2379f68f015962bb140fcc92b937

SHA256
dbc9a1aaac59d9e369a028334b195d82cec9f4f5490d3ea293a202f3c09610f7

SHA512
44601441dd7f706dd6321db195b001f86ee15199f300175d5ccf44fcca89cb9c87a1708fb9c532710d82ad0e12674672f057dc8daefd5cba73d06a1c2e2d81ff

Download Submit
\Program Files\backup.exe

Filesize
81KB

MD5
74702f98dc3c7fad287d64b7cce73960

SHA1
05a211f7010b2379f68f015962bb140fcc92b937

SHA256
dbc9a1aaac59d9e369a028334b195d82cec9f4f5490d3ea293a202f3c09610f7

SHA512
44601441dd7f706dd6321db195b001f86ee15199f300175d5ccf44fcca89cb9c87a1708fb9c532710d82ad0e12674672f057dc8daefd5cba73d06a1c2e2d81ff

Download Submit
\Users\Admin\AppData\Local\Temp\3530843782\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
\Users\Admin\AppData\Local\Temp\3530843782\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
81KB

MD5
dfa8504c7b65e332aa6ceb916f47b7c3

SHA1
1e0dd14fc612b489d504f43bc03e634d8153a5ea

SHA256
d68a236a4537de9210fb239b934975687f3b8a715265eb7b25ac1fcaa25afdfa

SHA512
1950f07c94b0aeaaf9321d1f45b0f35155b4c8da1509f61d3fdff6c0d394b6a94699df6228525443677e964512261a244c1b23a340f9dabc5a702370a88f75a6

Download Submit
memory/268-88-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-264-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-262-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1036-199-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/1036-258-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1036-266-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/1200-312-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1328-141-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1384-219-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1384-216-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1468-211-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/1468-108-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1468-124-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/1468-173-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1604-331-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1716-48-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1716-99-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/1716-12-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1716-13-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1716-71-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1716-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1716-37-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1716-167-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/1716-84-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1716-78-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1716-35-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1792-252-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1812-276-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1824-142-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1972-295-0x0000000001B60000-0x0000000001B7C000-memory.dmp

Filesize
112KB

Download
memory/1972-270-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1972-215-0x0000000001B60000-0x0000000001B7C000-memory.dmp

Filesize
112KB

Download
memory/2012-213-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2012-187-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2044-302-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2044-300-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2360-322-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2396-240-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2488-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2516-52-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2556-174-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2556-179-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2628-102-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2628-85-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2628-15-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2628-107-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2644-28-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2684-126-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2708-339-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2852-178-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2876-290-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3024-327-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/3024-307-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/3024-308-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/3024-248-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/3024-314-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/3024-318-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/3024-299-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/3024-297-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3024-260-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/3024-271-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/3024-345-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/3024-352-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/3048-75-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads