bc0fd92639ec96f52754067937b4445fb6bb8198e92136ee471826c7e715f2c3

Analysis

max time kernel
8s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
17/11/2023, 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
Size

84KB
MD5

5a522a76bd470c9e47214ccc7202cca0
SHA1

da98f30b66ff1ed76baefa63e750b00316fcfd11
SHA256

bc0fd92639ec96f52754067937b4445fb6bb8198e92136ee471826c7e715f2c3
SHA512

c394ffa941342b68f8be5e738fb835201f4a31c09eb190c64d0878b3bc6acb75e0cd9d7e7652b6ede212e709f132d6dc38414993bd2fb7478e4246601e28482d
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEmW:BeT7BVwxfvEFwjRW

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 53 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 54 IoCs

pid	Process
3032	backup.exe
2652	backup.exe
2640	backup.exe
2108	backup.exe
2668	System Restore.exe
2512	backup.exe
3040	backup.exe
580	backup.exe
2816	backup.exe
2956	backup.exe
2452	backup.exe
1524	backup.exe
1276	backup.exe
1328	backup.exe
1108	backup.exe
1884	backup.exe
1032	backup.exe
1396	backup.exe
308	backup.exe
768	backup.exe
2292	backup.exe
2984	backup.exe
1868	update.exe
844	backup.exe
2084	backup.exe
2764	backup.exe
2644	backup.exe
2696	data.exe
2504	backup.exe
2584	backup.exe
2544	backup.exe
2540	backup.exe
1692	backup.exe
1752	backup.exe
268	backup.exe
272	backup.exe
1652	backup.exe
2412	backup.exe
1584	backup.exe
2820	backup.exe
1532	backup.exe
1516	backup.exe
1204	System Restore.exe
2252	backup.exe
1536	backup.exe
2896	backup.exe
2400	backup.exe
2136	backup.exe
2124	backup.exe
1112	backup.exe
784	backup.exe
1780	backup.exe
952	backup.exe
900	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
580	backup.exe
580	backup.exe
2816	backup.exe
2816	backup.exe
580	backup.exe
580	backup.exe
2452	backup.exe
2452	backup.exe
1524	backup.exe
1524	backup.exe
2452	backup.exe
2452	backup.exe
1328	backup.exe
1328	backup.exe
1108	backup.exe
1108	backup.exe
1108	backup.exe
1108	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1868	update.exe
1868	update.exe
1868	update.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
1032	backup.exe
2504	backup.exe
2504	backup.exe
2504	backup.exe
2504	backup.exe
2504	backup.exe
2504	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2580-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0035000000016fda-5.dat	upx
behavioral1/files/0x0035000000016fda-7.dat	upx
behavioral1/files/0x0035000000016fda-9.dat	upx
behavioral1/files/0x0035000000016fda-10.dat	upx
behavioral1/memory/3032-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000018ab2-17.dat	upx
behavioral1/files/0x0007000000018ab2-19.dat	upx
behavioral1/files/0x0007000000018ab2-23.dat	upx
behavioral1/files/0x0008000000018b16-27.dat	upx
behavioral1/files/0x0008000000018b16-29.dat	upx
behavioral1/files/0x0008000000018b16-33.dat	upx
behavioral1/memory/2652-35-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000018b10-39.dat	upx
behavioral1/files/0x0008000000018b10-45.dat	upx
behavioral1/files/0x0008000000018b10-41.dat	upx
behavioral1/memory/2108-49-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000018b9b-50.dat	upx
behavioral1/files/0x0006000000018b9b-52.dat	upx
behavioral1/files/0x0006000000018b9b-56.dat	upx
behavioral1/memory/2668-61-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000018bc0-62.dat	upx
behavioral1/memory/2580-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000018bc0-65.dat	upx
behavioral1/files/0x0006000000018bc0-69.dat	upx
behavioral1/memory/3032-70-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2512-74-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000a000000018b43-81.dat	upx
behavioral1/files/0x000a000000018b43-77.dat	upx
behavioral1/files/0x000a000000018b43-75.dat	upx
behavioral1/memory/3040-84-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0035000000016fda-86.dat	upx
behavioral1/files/0x0006000000018bc4-93.dat	upx
behavioral1/files/0x0006000000018bc4-97.dat	upx
behavioral1/files/0x0005000000019322-99.dat	upx
behavioral1/files/0x0005000000019322-105.dat	upx
behavioral1/files/0x0005000000019322-101.dat	upx
behavioral1/memory/2640-106-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0005000000019322-112.dat	upx
behavioral1/memory/2816-111-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0005000000019394-116.dat	upx
behavioral1/files/0x0005000000019394-118.dat	upx
behavioral1/files/0x0005000000019394-123.dat	upx
behavioral1/memory/2580-127-0x00000000002D0000-0x00000000002EC000-memory.dmp	upx
behavioral1/files/0x00050000000193b9-130.dat	upx
behavioral1/files/0x00050000000193b9-149.dat	upx
behavioral1/memory/2956-148-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2816-136-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x00050000000193b9-134.dat	upx
behavioral1/files/0x00050000000193b9-152.dat	upx
behavioral1/files/0x0007000000019396-156.dat	upx
behavioral1/files/0x0007000000019396-161.dat	upx
behavioral1/memory/580-162-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000019396-154.dat	upx
behavioral1/files/0x0007000000019396-165.dat	upx
behavioral1/files/0x0005000000019472-170.dat	upx
behavioral1/files/0x0005000000019472-175.dat	upx
behavioral1/memory/3032-168-0x00000000003E0000-0x00000000003FC000-memory.dmp	upx
behavioral1/files/0x0005000000019472-167.dat	upx
behavioral1/memory/1524-181-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1276-180-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0005000000019495-182.dat	upx
behavioral1/files/0x0005000000019495-189.dat	upx
behavioral1/files/0x0005000000019495-184.dat	upx

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe

Suspicious use of SetWindowsHookEx 53 IoCs

pid	Process
2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
3032	backup.exe
2652	backup.exe
2640	backup.exe
2108	backup.exe
2668	System Restore.exe
2512	backup.exe
3040	backup.exe
580	backup.exe
2816	backup.exe
2956	backup.exe
2452	backup.exe
1524	backup.exe
1276	backup.exe
1328	backup.exe
1108	backup.exe
1884	backup.exe
1032	backup.exe
1396	backup.exe
308	backup.exe
768	backup.exe
2292	backup.exe
2984	backup.exe
1868	update.exe
844	backup.exe
2764	backup.exe
2644	backup.exe
2696	data.exe
2504	backup.exe
2584	backup.exe
2544	backup.exe
2540	backup.exe
1692	backup.exe
1752	backup.exe
268	backup.exe
272	backup.exe
1652	backup.exe
2412	backup.exe
1584	backup.exe
2820	backup.exe
1532	backup.exe
1516	backup.exe
1204	System Restore.exe
2252	backup.exe
1536	backup.exe
2896	backup.exe
2400	backup.exe
2136	backup.exe
2124	backup.exe
1112	backup.exe
784	backup.exe
1780	backup.exe
952	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 3032	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	28
PID 2580 wrote to memory of 3032	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	28
PID 2580 wrote to memory of 3032	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	28
PID 2580 wrote to memory of 3032	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	28
PID 2580 wrote to memory of 2652	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	29
PID 2580 wrote to memory of 2652	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	29
PID 2580 wrote to memory of 2652	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	29
PID 2580 wrote to memory of 2652	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	29
PID 2580 wrote to memory of 2640	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	30
PID 2580 wrote to memory of 2640	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	30
PID 2580 wrote to memory of 2640	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	30
PID 2580 wrote to memory of 2640	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	30
PID 2580 wrote to memory of 2108	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	31
PID 2580 wrote to memory of 2108	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	31
PID 2580 wrote to memory of 2108	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	31
PID 2580 wrote to memory of 2108	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	31
PID 2580 wrote to memory of 2668	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	32
PID 2580 wrote to memory of 2668	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	32
PID 2580 wrote to memory of 2668	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	32
PID 2580 wrote to memory of 2668	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	32
PID 2580 wrote to memory of 2512	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	33
PID 2580 wrote to memory of 2512	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	33
PID 2580 wrote to memory of 2512	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	33
PID 2580 wrote to memory of 2512	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	33
PID 2580 wrote to memory of 3040	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	34
PID 2580 wrote to memory of 3040	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	34
PID 2580 wrote to memory of 3040	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	34
PID 2580 wrote to memory of 3040	2580	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe	34
PID 3032 wrote to memory of 580	3032	backup.exe	35
PID 3032 wrote to memory of 580	3032	backup.exe	35
PID 3032 wrote to memory of 580	3032	backup.exe	35
PID 3032 wrote to memory of 580	3032	backup.exe	35
PID 580 wrote to memory of 2816	580	backup.exe	36
PID 580 wrote to memory of 2816	580	backup.exe	36
PID 580 wrote to memory of 2816	580	backup.exe	36
PID 580 wrote to memory of 2816	580	backup.exe	36
PID 2816 wrote to memory of 2956	2816	backup.exe	37
PID 2816 wrote to memory of 2956	2816	backup.exe	37
PID 2816 wrote to memory of 2956	2816	backup.exe	37
PID 2816 wrote to memory of 2956	2816	backup.exe	37
PID 580 wrote to memory of 2452	580	backup.exe	38
PID 580 wrote to memory of 2452	580	backup.exe	38
PID 580 wrote to memory of 2452	580	backup.exe	38
PID 580 wrote to memory of 2452	580	backup.exe	38
PID 2452 wrote to memory of 1524	2452	backup.exe	39
PID 2452 wrote to memory of 1524	2452	backup.exe	39
PID 2452 wrote to memory of 1524	2452	backup.exe	39
PID 2452 wrote to memory of 1524	2452	backup.exe	39
PID 1524 wrote to memory of 1276	1524	backup.exe	40
PID 1524 wrote to memory of 1276	1524	backup.exe	40
PID 1524 wrote to memory of 1276	1524	backup.exe	40
PID 1524 wrote to memory of 1276	1524	backup.exe	40
PID 2452 wrote to memory of 1328	2452	backup.exe	41
PID 2452 wrote to memory of 1328	2452	backup.exe	41
PID 2452 wrote to memory of 1328	2452	backup.exe	41
PID 2452 wrote to memory of 1328	2452	backup.exe	41
PID 1328 wrote to memory of 1108	1328	backup.exe	42
PID 1328 wrote to memory of 1108	1328	backup.exe	42
PID 1328 wrote to memory of 1108	1328	backup.exe	42
PID 1328 wrote to memory of 1108	1328	backup.exe	42
PID 1108 wrote to memory of 1884	1108	backup.exe	43
PID 1108 wrote to memory of 1884	1108	backup.exe	43
PID 1108 wrote to memory of 1884	1108	backup.exe	43
PID 1108 wrote to memory of 1884	1108	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.5a522a76bd470c9e47214ccc7202cca0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5a522a76bd470c9e47214ccc7202cca0.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2580
- C:\Users\Admin\AppData\Local\Temp\2176697170\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2176697170\backup.exe C:\Users\Admin\AppData\Local\Temp\2176697170\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:580
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2816
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2956
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2452
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1276
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1328
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1108
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:308
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:2084
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2644
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2504
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:272
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2412
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1204
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2252
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2400
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2136
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:2940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:2288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:2928
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        
        PID:2088
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:2244
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        
        PID:1580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:3064
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:2364
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:2696
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:2516
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:2188
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:2940
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:2544
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:2148
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2956
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2784
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1500
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:2520
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:2856
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:2788
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:2240
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:872
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:3068
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:924
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:3024
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:2524
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:572
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:320
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:556
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:984
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1476
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:2504
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:896
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2364
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:628
        
        C:\Program Files\Common Files\System\ado\ja-JP\data.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\data.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:756
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1348
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2860
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1352
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1632
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1712
        
        C:\Program Files\Common Files\System\ja-JP\update.exe
        
        "C:\Program Files\Common Files\System\ja-JP\update.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2576
        
        C:\Program Files\Common Files\System\msadc\update.exe
        
        "C:\Program Files\Common Files\System\msadc\update.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1620
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        
        PID:2664
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:2812
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:2788
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1496
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:784
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2952
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:2440
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1648
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1780
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:2688
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:2984
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Drops file in Program Files directory
        
        PID:1032
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        
        PID:1716
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        
        PID:1516
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        
        PID:1100
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:2604
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:1532
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        
        PID:2520
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        
        PID:2820
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        
        PID:1360
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:3064
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1004
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:772
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1636
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2760
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1132
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2844
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2536
  - - C:\Program Files (x86)\update.exe
      "C:\Program Files (x86)\update.exe" C:\Program Files (x86)\
      4⤵
      PID:2732
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:2960
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:524
      - C:\Program Files (x86)\Common Files\Adobe\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\data.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:2824
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2204
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1940
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:2304
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1604
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:2380
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2288
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1100
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2096
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1344
    - - C:\Program Files (x86)\Google\System Restore.exe
        
        "C:\Program Files (x86)\Google\System Restore.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2292
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2832
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1496
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2968
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2028
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2112
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2836
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2468
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2244
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1196
    - - C:\Users\Admin\System Restore.exe
        
        "C:\Users\Admin\System Restore.exe" C:\Users\Admin\
        5⤵
        
        PID:612
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1660
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:2884
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1368
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:532
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2956
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2124
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2152
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2052
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:3044
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:1944
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2464
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:576
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:2252
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:2420
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:2472
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        
        PID:1428
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        
        PID:2976
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:2684
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2652
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:2332
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:2640
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2512
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3040

C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
1⤵
PID:2844
- C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
  2⤵
  PID:2204
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
  2⤵
  PID:1128
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
    3⤵
    PID:1812
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
    3⤵
    PID:2652
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
    3⤵
    PID:1636
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
    3⤵
    PID:1224
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
      4⤵
      PID:2720
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
    3⤵
    PID:2184
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
    3⤵
    PID:2432
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
    3⤵
    PID:2120
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
    3⤵
    PID:2156
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
    3⤵
    PID:2900
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
    3⤵
    PID:296
- C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
  2⤵
  PID:1088
- - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
    3⤵
    PID:2084
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
      4⤵
      PID:1720
- - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
    3⤵
    PID:480
- - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
    3⤵
    PID:2444
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
      4⤵
      PID:1264
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
      4⤵
      PID:1500
- - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
    3⤵
    PID:2612
- - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
    3⤵
    PID:1536
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
      4⤵
      PID:2792
- C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
  2⤵
  PID:2128
- - C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
    3⤵
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
68737f6824b59ba72dd191850cc45bce

SHA1
b44c03cc7197252d86f12e9fb7a6c91363f281ab

SHA256
7268544b0652d8cbfe880e8bb412f00dde15666b5f63d634cc33b223a4532572

SHA512
dc28e39199d0c39bed25a9aee6f65b220462a52e517d042c456bec9f127864ee4079e5c396ddb92099bb6b4eaf30075185e668fb5666c7af640df3dc769a2ad0

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
b3e038366bfbb9630e5cd686ced02010

SHA1
4627230f779f405de08d5c691c3fe2f2f402b7f3

SHA256
9bad2ae443d8c8fe2a25935e05bd369d27e1243c5d76c143608b57ada5bab112

SHA512
b2b80e09da25fa2681f6c4f0b6619a6167e4409ab05b7ed689fd4d7a3be99b97913925b19230f5baf51fff51606519b06b4e343a94b8f4248d5c3e5cb0a73cad

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
b3e038366bfbb9630e5cd686ced02010

SHA1
4627230f779f405de08d5c691c3fe2f2f402b7f3

SHA256
9bad2ae443d8c8fe2a25935e05bd369d27e1243c5d76c143608b57ada5bab112

SHA512
b2b80e09da25fa2681f6c4f0b6619a6167e4409ab05b7ed689fd4d7a3be99b97913925b19230f5baf51fff51606519b06b4e343a94b8f4248d5c3e5cb0a73cad

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
e89d5c714e54055138f8f845a597419d

SHA1
b58a414cd0aec2efa2fd53e4d175144869959e2a

SHA256
03165816eff3bf91798b2ee569ce99a8bf6d3916c9d99f2b8513bdbbdf74d01e

SHA512
4e66fc22122bd3c9fe86ceab440e2453b302e39a5f4baf7c0be8489c7dfea8c5d7fc1fdbe727605705b3263581731fa214818ed5c0cd9e5c8af233972338485e

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
68737f6824b59ba72dd191850cc45bce

SHA1
b44c03cc7197252d86f12e9fb7a6c91363f281ab

SHA256
7268544b0652d8cbfe880e8bb412f00dde15666b5f63d634cc33b223a4532572

SHA512
dc28e39199d0c39bed25a9aee6f65b220462a52e517d042c456bec9f127864ee4079e5c396ddb92099bb6b4eaf30075185e668fb5666c7af640df3dc769a2ad0

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
68737f6824b59ba72dd191850cc45bce

SHA1
b44c03cc7197252d86f12e9fb7a6c91363f281ab

SHA256
7268544b0652d8cbfe880e8bb412f00dde15666b5f63d634cc33b223a4532572

SHA512
dc28e39199d0c39bed25a9aee6f65b220462a52e517d042c456bec9f127864ee4079e5c396ddb92099bb6b4eaf30075185e668fb5666c7af640df3dc769a2ad0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
84KB

MD5
e9226f63f4616d482dce235bef089e97

SHA1
faf1e890082a75c266d906f3ee06d93a875611e3

SHA256
19c281567a054e257fc69c776d59ee5301ea8cbf7101d442f52499865df595bf

SHA512
0abec8cd266cdea773b9c5a5dc730713b5f466332ea4c456b84c21ba29a12f729a96eef8861fb9834f5b167b2745a6a52b24641dfcb50e5d7e3e1c9722b7aa0e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
f936c52a0f240544585916dac3460002

SHA1
1ff25377f8f26f5b21431ac43b40ed8a77b5d414

SHA256
e39ab1d79dd1bf2dd763885ca74aebbdcbcec86c9b87269da762a2b0acbaf4b4

SHA512
8392c0de54cd8ed73b0e71eda1026e57cbdf0016f23d0a3a6d3c42d5ee8da5c4a335a90fefc0ae324ace71adeb4e96a367a61bc5e88bcbc2f34c059db9ffe6bf

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
f936c52a0f240544585916dac3460002

SHA1
1ff25377f8f26f5b21431ac43b40ed8a77b5d414

SHA256
e39ab1d79dd1bf2dd763885ca74aebbdcbcec86c9b87269da762a2b0acbaf4b4

SHA512
8392c0de54cd8ed73b0e71eda1026e57cbdf0016f23d0a3a6d3c42d5ee8da5c4a335a90fefc0ae324ace71adeb4e96a367a61bc5e88bcbc2f34c059db9ffe6bf

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
84KB

MD5
c7712cab8672c6256d3daf8512f5b559

SHA1
7f4838712f1bb850083ced0ec6d13e70d2b1b8ef

SHA256
b15614a8d4f6bb9e4b7ce6437a38da090bca0207a8c5b84a11bd8510918bfd01

SHA512
1701722e5b6f080bc69bc1385c17a17ccd4cebf7ddad00a0231f80e4404a0f4ea48c09261c1782bd7293c6ba2c4073cab3e5b979ba1fb270a4264a06a7e8d9ac

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
e9226f63f4616d482dce235bef089e97

SHA1
faf1e890082a75c266d906f3ee06d93a875611e3

SHA256
19c281567a054e257fc69c776d59ee5301ea8cbf7101d442f52499865df595bf

SHA512
0abec8cd266cdea773b9c5a5dc730713b5f466332ea4c456b84c21ba29a12f729a96eef8861fb9834f5b167b2745a6a52b24641dfcb50e5d7e3e1c9722b7aa0e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
e9226f63f4616d482dce235bef089e97

SHA1
faf1e890082a75c266d906f3ee06d93a875611e3

SHA256
19c281567a054e257fc69c776d59ee5301ea8cbf7101d442f52499865df595bf

SHA512
0abec8cd266cdea773b9c5a5dc730713b5f466332ea4c456b84c21ba29a12f729a96eef8861fb9834f5b167b2745a6a52b24641dfcb50e5d7e3e1c9722b7aa0e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
84KB

MD5
c7712cab8672c6256d3daf8512f5b559

SHA1
7f4838712f1bb850083ced0ec6d13e70d2b1b8ef

SHA256
b15614a8d4f6bb9e4b7ce6437a38da090bca0207a8c5b84a11bd8510918bfd01

SHA512
1701722e5b6f080bc69bc1385c17a17ccd4cebf7ddad00a0231f80e4404a0f4ea48c09261c1782bd7293c6ba2c4073cab3e5b979ba1fb270a4264a06a7e8d9ac

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
b12cf10d4782b18c56df8001849ac83d

SHA1
e6b6f4fab9ba17aeaa2f83c2622915f6fb0b5e06

SHA256
da6668ed8a365a6f6d69d81e3f7e05f424af438d85cca28527bee334ceabc20d

SHA512
d71d5c87c096a005e88d93ab7d7b8745705afae033da7c0f88750004d2ae62bff0e514a43cf6e1c4916c9d8b38bbcbfaa53ebf133e383a521fbeb27871e16198

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
b12cf10d4782b18c56df8001849ac83d

SHA1
e6b6f4fab9ba17aeaa2f83c2622915f6fb0b5e06

SHA256
da6668ed8a365a6f6d69d81e3f7e05f424af438d85cca28527bee334ceabc20d

SHA512
d71d5c87c096a005e88d93ab7d7b8745705afae033da7c0f88750004d2ae62bff0e514a43cf6e1c4916c9d8b38bbcbfaa53ebf133e383a521fbeb27871e16198

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
b3e038366bfbb9630e5cd686ced02010

SHA1
4627230f779f405de08d5c691c3fe2f2f402b7f3

SHA256
9bad2ae443d8c8fe2a25935e05bd369d27e1243c5d76c143608b57ada5bab112

SHA512
b2b80e09da25fa2681f6c4f0b6619a6167e4409ab05b7ed689fd4d7a3be99b97913925b19230f5baf51fff51606519b06b4e343a94b8f4248d5c3e5cb0a73cad

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
b3e038366bfbb9630e5cd686ced02010

SHA1
4627230f779f405de08d5c691c3fe2f2f402b7f3

SHA256
9bad2ae443d8c8fe2a25935e05bd369d27e1243c5d76c143608b57ada5bab112

SHA512
b2b80e09da25fa2681f6c4f0b6619a6167e4409ab05b7ed689fd4d7a3be99b97913925b19230f5baf51fff51606519b06b4e343a94b8f4248d5c3e5cb0a73cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\2176697170\backup.exe

Filesize
84KB

MD5
c3b3961a98aa501b19eed9d2ffa8bfa0

SHA1
ca925bbd656f3d2d2075c71409dab6e464ef43c2

SHA256
b5b165909d8e2887e4c52120c0b2f0d26b0b4438efe08e7b879dd4970e978dcf

SHA512
11b35e08d8554a50d3422e7a0ae40a1716304c74aa024e5f56ccf71c19a8f6db49d914eb0f2ad87d6b97aed4c9e221d824d3e34f6f66949fa98fca2bbb6c97e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2176697170\backup.exe

Filesize
84KB

MD5
c3b3961a98aa501b19eed9d2ffa8bfa0

SHA1
ca925bbd656f3d2d2075c71409dab6e464ef43c2

SHA256
b5b165909d8e2887e4c52120c0b2f0d26b0b4438efe08e7b879dd4970e978dcf

SHA512
11b35e08d8554a50d3422e7a0ae40a1716304c74aa024e5f56ccf71c19a8f6db49d914eb0f2ad87d6b97aed4c9e221d824d3e34f6f66949fa98fca2bbb6c97e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2176697170\backup.exe

Filesize
84KB

MD5
c3b3961a98aa501b19eed9d2ffa8bfa0

SHA1
ca925bbd656f3d2d2075c71409dab6e464ef43c2

SHA256
b5b165909d8e2887e4c52120c0b2f0d26b0b4438efe08e7b879dd4970e978dcf

SHA512
11b35e08d8554a50d3422e7a0ae40a1716304c74aa024e5f56ccf71c19a8f6db49d914eb0f2ad87d6b97aed4c9e221d824d3e34f6f66949fa98fca2bbb6c97e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
c3b3961a98aa501b19eed9d2ffa8bfa0

SHA1
ca925bbd656f3d2d2075c71409dab6e464ef43c2

SHA256
b5b165909d8e2887e4c52120c0b2f0d26b0b4438efe08e7b879dd4970e978dcf

SHA512
11b35e08d8554a50d3422e7a0ae40a1716304c74aa024e5f56ccf71c19a8f6db49d914eb0f2ad87d6b97aed4c9e221d824d3e34f6f66949fa98fca2bbb6c97e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
30KB

MD5
e4b665cd209069636b28f9610f052b86

SHA1
13830b6ab640c405f3592ae013f8333da44f8bac

SHA256
f166f09ea2f75d43797475a986e493a82a866fa90d168d5ab19d33dcb84bc093

SHA512
a5c241a25b7602ca36802f257ffa0f3f276947b67cebb6e25cb314f2b0e2b80f5e754a259f95a198b9b985b037ac1656edd81da57831ba6469b64ac9d8350c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
84KB

MD5
f09dd90b0509a51a7d01b14fe377713e

SHA1
2104d30b4914eaf887ad2620657e83c79b6db143

SHA256
77bf3cacbf1db2d28e142362a824020bd2617546ade6c9611101b46040cfd8d4

SHA512
a604d788de679adab9355fc5bd889004fb6b3c6481a3a10f952145b65d932daff24fd2c4356fda44567a156ef06e4256845f4a3fecfe2a115718c46adbf2ee49

Download Submit
C:\backup.exe

Filesize
84KB

MD5
f09dd90b0509a51a7d01b14fe377713e

SHA1
2104d30b4914eaf887ad2620657e83c79b6db143

SHA256
77bf3cacbf1db2d28e142362a824020bd2617546ade6c9611101b46040cfd8d4

SHA512
a604d788de679adab9355fc5bd889004fb6b3c6481a3a10f952145b65d932daff24fd2c4356fda44567a156ef06e4256845f4a3fecfe2a115718c46adbf2ee49

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
68737f6824b59ba72dd191850cc45bce

SHA1
b44c03cc7197252d86f12e9fb7a6c91363f281ab

SHA256
7268544b0652d8cbfe880e8bb412f00dde15666b5f63d634cc33b223a4532572

SHA512
dc28e39199d0c39bed25a9aee6f65b220462a52e517d042c456bec9f127864ee4079e5c396ddb92099bb6b4eaf30075185e668fb5666c7af640df3dc769a2ad0

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
68737f6824b59ba72dd191850cc45bce

SHA1
b44c03cc7197252d86f12e9fb7a6c91363f281ab

SHA256
7268544b0652d8cbfe880e8bb412f00dde15666b5f63d634cc33b223a4532572

SHA512
dc28e39199d0c39bed25a9aee6f65b220462a52e517d042c456bec9f127864ee4079e5c396ddb92099bb6b4eaf30075185e668fb5666c7af640df3dc769a2ad0

Download Submit
\PerfLogs\backup.exe

Filesize
84KB

MD5
b3e038366bfbb9630e5cd686ced02010

SHA1
4627230f779f405de08d5c691c3fe2f2f402b7f3

SHA256
9bad2ae443d8c8fe2a25935e05bd369d27e1243c5d76c143608b57ada5bab112

SHA512
b2b80e09da25fa2681f6c4f0b6619a6167e4409ab05b7ed689fd4d7a3be99b97913925b19230f5baf51fff51606519b06b4e343a94b8f4248d5c3e5cb0a73cad

Download Submit
\PerfLogs\backup.exe

Filesize
84KB

MD5
b3e038366bfbb9630e5cd686ced02010

SHA1
4627230f779f405de08d5c691c3fe2f2f402b7f3

SHA256
9bad2ae443d8c8fe2a25935e05bd369d27e1243c5d76c143608b57ada5bab112

SHA512
b2b80e09da25fa2681f6c4f0b6619a6167e4409ab05b7ed689fd4d7a3be99b97913925b19230f5baf51fff51606519b06b4e343a94b8f4248d5c3e5cb0a73cad

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
e89d5c714e54055138f8f845a597419d

SHA1
b58a414cd0aec2efa2fd53e4d175144869959e2a

SHA256
03165816eff3bf91798b2ee569ce99a8bf6d3916c9d99f2b8513bdbbdf74d01e

SHA512
4e66fc22122bd3c9fe86ceab440e2453b302e39a5f4baf7c0be8489c7dfea8c5d7fc1fdbe727605705b3263581731fa214818ed5c0cd9e5c8af233972338485e

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
e89d5c714e54055138f8f845a597419d

SHA1
b58a414cd0aec2efa2fd53e4d175144869959e2a

SHA256
03165816eff3bf91798b2ee569ce99a8bf6d3916c9d99f2b8513bdbbdf74d01e

SHA512
4e66fc22122bd3c9fe86ceab440e2453b302e39a5f4baf7c0be8489c7dfea8c5d7fc1fdbe727605705b3263581731fa214818ed5c0cd9e5c8af233972338485e

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
68737f6824b59ba72dd191850cc45bce

SHA1
b44c03cc7197252d86f12e9fb7a6c91363f281ab

SHA256
7268544b0652d8cbfe880e8bb412f00dde15666b5f63d634cc33b223a4532572

SHA512
dc28e39199d0c39bed25a9aee6f65b220462a52e517d042c456bec9f127864ee4079e5c396ddb92099bb6b4eaf30075185e668fb5666c7af640df3dc769a2ad0

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
68737f6824b59ba72dd191850cc45bce

SHA1
b44c03cc7197252d86f12e9fb7a6c91363f281ab

SHA256
7268544b0652d8cbfe880e8bb412f00dde15666b5f63d634cc33b223a4532572

SHA512
dc28e39199d0c39bed25a9aee6f65b220462a52e517d042c456bec9f127864ee4079e5c396ddb92099bb6b4eaf30075185e668fb5666c7af640df3dc769a2ad0

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
84KB

MD5
e9226f63f4616d482dce235bef089e97

SHA1
faf1e890082a75c266d906f3ee06d93a875611e3

SHA256
19c281567a054e257fc69c776d59ee5301ea8cbf7101d442f52499865df595bf

SHA512
0abec8cd266cdea773b9c5a5dc730713b5f466332ea4c456b84c21ba29a12f729a96eef8861fb9834f5b167b2745a6a52b24641dfcb50e5d7e3e1c9722b7aa0e

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
84KB

MD5
e9226f63f4616d482dce235bef089e97

SHA1
faf1e890082a75c266d906f3ee06d93a875611e3

SHA256
19c281567a054e257fc69c776d59ee5301ea8cbf7101d442f52499865df595bf

SHA512
0abec8cd266cdea773b9c5a5dc730713b5f466332ea4c456b84c21ba29a12f729a96eef8861fb9834f5b167b2745a6a52b24641dfcb50e5d7e3e1c9722b7aa0e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
f936c52a0f240544585916dac3460002

SHA1
1ff25377f8f26f5b21431ac43b40ed8a77b5d414

SHA256
e39ab1d79dd1bf2dd763885ca74aebbdcbcec86c9b87269da762a2b0acbaf4b4

SHA512
8392c0de54cd8ed73b0e71eda1026e57cbdf0016f23d0a3a6d3c42d5ee8da5c4a335a90fefc0ae324ace71adeb4e96a367a61bc5e88bcbc2f34c059db9ffe6bf

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
f936c52a0f240544585916dac3460002

SHA1
1ff25377f8f26f5b21431ac43b40ed8a77b5d414

SHA256
e39ab1d79dd1bf2dd763885ca74aebbdcbcec86c9b87269da762a2b0acbaf4b4

SHA512
8392c0de54cd8ed73b0e71eda1026e57cbdf0016f23d0a3a6d3c42d5ee8da5c4a335a90fefc0ae324ace71adeb4e96a367a61bc5e88bcbc2f34c059db9ffe6bf

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
84KB

MD5
c7712cab8672c6256d3daf8512f5b559

SHA1
7f4838712f1bb850083ced0ec6d13e70d2b1b8ef

SHA256
b15614a8d4f6bb9e4b7ce6437a38da090bca0207a8c5b84a11bd8510918bfd01

SHA512
1701722e5b6f080bc69bc1385c17a17ccd4cebf7ddad00a0231f80e4404a0f4ea48c09261c1782bd7293c6ba2c4073cab3e5b979ba1fb270a4264a06a7e8d9ac

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
84KB

MD5
c7712cab8672c6256d3daf8512f5b559

SHA1
7f4838712f1bb850083ced0ec6d13e70d2b1b8ef

SHA256
b15614a8d4f6bb9e4b7ce6437a38da090bca0207a8c5b84a11bd8510918bfd01

SHA512
1701722e5b6f080bc69bc1385c17a17ccd4cebf7ddad00a0231f80e4404a0f4ea48c09261c1782bd7293c6ba2c4073cab3e5b979ba1fb270a4264a06a7e8d9ac

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
e9226f63f4616d482dce235bef089e97

SHA1
faf1e890082a75c266d906f3ee06d93a875611e3

SHA256
19c281567a054e257fc69c776d59ee5301ea8cbf7101d442f52499865df595bf

SHA512
0abec8cd266cdea773b9c5a5dc730713b5f466332ea4c456b84c21ba29a12f729a96eef8861fb9834f5b167b2745a6a52b24641dfcb50e5d7e3e1c9722b7aa0e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
e9226f63f4616d482dce235bef089e97

SHA1
faf1e890082a75c266d906f3ee06d93a875611e3

SHA256
19c281567a054e257fc69c776d59ee5301ea8cbf7101d442f52499865df595bf

SHA512
0abec8cd266cdea773b9c5a5dc730713b5f466332ea4c456b84c21ba29a12f729a96eef8861fb9834f5b167b2745a6a52b24641dfcb50e5d7e3e1c9722b7aa0e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
84KB

MD5
c7712cab8672c6256d3daf8512f5b559

SHA1
7f4838712f1bb850083ced0ec6d13e70d2b1b8ef

SHA256
b15614a8d4f6bb9e4b7ce6437a38da090bca0207a8c5b84a11bd8510918bfd01

SHA512
1701722e5b6f080bc69bc1385c17a17ccd4cebf7ddad00a0231f80e4404a0f4ea48c09261c1782bd7293c6ba2c4073cab3e5b979ba1fb270a4264a06a7e8d9ac

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
84KB

MD5
c7712cab8672c6256d3daf8512f5b559

SHA1
7f4838712f1bb850083ced0ec6d13e70d2b1b8ef

SHA256
b15614a8d4f6bb9e4b7ce6437a38da090bca0207a8c5b84a11bd8510918bfd01

SHA512
1701722e5b6f080bc69bc1385c17a17ccd4cebf7ddad00a0231f80e4404a0f4ea48c09261c1782bd7293c6ba2c4073cab3e5b979ba1fb270a4264a06a7e8d9ac

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
84KB

MD5
c7712cab8672c6256d3daf8512f5b559

SHA1
7f4838712f1bb850083ced0ec6d13e70d2b1b8ef

SHA256
b15614a8d4f6bb9e4b7ce6437a38da090bca0207a8c5b84a11bd8510918bfd01

SHA512
1701722e5b6f080bc69bc1385c17a17ccd4cebf7ddad00a0231f80e4404a0f4ea48c09261c1782bd7293c6ba2c4073cab3e5b979ba1fb270a4264a06a7e8d9ac

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
b12cf10d4782b18c56df8001849ac83d

SHA1
e6b6f4fab9ba17aeaa2f83c2622915f6fb0b5e06

SHA256
da6668ed8a365a6f6d69d81e3f7e05f424af438d85cca28527bee334ceabc20d

SHA512
d71d5c87c096a005e88d93ab7d7b8745705afae033da7c0f88750004d2ae62bff0e514a43cf6e1c4916c9d8b38bbcbfaa53ebf133e383a521fbeb27871e16198

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
b12cf10d4782b18c56df8001849ac83d

SHA1
e6b6f4fab9ba17aeaa2f83c2622915f6fb0b5e06

SHA256
da6668ed8a365a6f6d69d81e3f7e05f424af438d85cca28527bee334ceabc20d

SHA512
d71d5c87c096a005e88d93ab7d7b8745705afae033da7c0f88750004d2ae62bff0e514a43cf6e1c4916c9d8b38bbcbfaa53ebf133e383a521fbeb27871e16198

Download Submit
\Program Files\backup.exe

Filesize
84KB

MD5
b3e038366bfbb9630e5cd686ced02010

SHA1
4627230f779f405de08d5c691c3fe2f2f402b7f3

SHA256
9bad2ae443d8c8fe2a25935e05bd369d27e1243c5d76c143608b57ada5bab112

SHA512
b2b80e09da25fa2681f6c4f0b6619a6167e4409ab05b7ed689fd4d7a3be99b97913925b19230f5baf51fff51606519b06b4e343a94b8f4248d5c3e5cb0a73cad

Download Submit
\Program Files\backup.exe

Filesize
84KB

MD5
b3e038366bfbb9630e5cd686ced02010

SHA1
4627230f779f405de08d5c691c3fe2f2f402b7f3

SHA256
9bad2ae443d8c8fe2a25935e05bd369d27e1243c5d76c143608b57ada5bab112

SHA512
b2b80e09da25fa2681f6c4f0b6619a6167e4409ab05b7ed689fd4d7a3be99b97913925b19230f5baf51fff51606519b06b4e343a94b8f4248d5c3e5cb0a73cad

Download Submit
\Users\Admin\AppData\Local\Temp\2176697170\backup.exe

Filesize
84KB

MD5
c3b3961a98aa501b19eed9d2ffa8bfa0

SHA1
ca925bbd656f3d2d2075c71409dab6e464ef43c2

SHA256
b5b165909d8e2887e4c52120c0b2f0d26b0b4438efe08e7b879dd4970e978dcf

SHA512
11b35e08d8554a50d3422e7a0ae40a1716304c74aa024e5f56ccf71c19a8f6db49d914eb0f2ad87d6b97aed4c9e221d824d3e34f6f66949fa98fca2bbb6c97e9

Download Submit
\Users\Admin\AppData\Local\Temp\2176697170\backup.exe

Filesize
84KB

MD5
c3b3961a98aa501b19eed9d2ffa8bfa0

SHA1
ca925bbd656f3d2d2075c71409dab6e464ef43c2

SHA256
b5b165909d8e2887e4c52120c0b2f0d26b0b4438efe08e7b879dd4970e978dcf

SHA512
11b35e08d8554a50d3422e7a0ae40a1716304c74aa024e5f56ccf71c19a8f6db49d914eb0f2ad87d6b97aed4c9e221d824d3e34f6f66949fa98fca2bbb6c97e9

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
c3b3961a98aa501b19eed9d2ffa8bfa0

SHA1
ca925bbd656f3d2d2075c71409dab6e464ef43c2

SHA256
b5b165909d8e2887e4c52120c0b2f0d26b0b4438efe08e7b879dd4970e978dcf

SHA512
11b35e08d8554a50d3422e7a0ae40a1716304c74aa024e5f56ccf71c19a8f6db49d914eb0f2ad87d6b97aed4c9e221d824d3e34f6f66949fa98fca2bbb6c97e9

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
c3b3961a98aa501b19eed9d2ffa8bfa0

SHA1
ca925bbd656f3d2d2075c71409dab6e464ef43c2

SHA256
b5b165909d8e2887e4c52120c0b2f0d26b0b4438efe08e7b879dd4970e978dcf

SHA512
11b35e08d8554a50d3422e7a0ae40a1716304c74aa024e5f56ccf71c19a8f6db49d914eb0f2ad87d6b97aed4c9e221d824d3e34f6f66949fa98fca2bbb6c97e9

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
1213af863a4f9a2534161e47b538acdb

SHA1
2dc341de0c8908ab163f714d5445ef824e235487

SHA256
01e80e29af06ae7dc5b3d473b5134fec0604c8a07c5f75c50da5cda913a7457c

SHA512
b8d2ec27190202979b6bc94222a6d02215acee17bbb5627adb191dbcbf11bc8d423fee7a441d9452c674828bb01c21fde6f23245e2189895de6fbd2953f6c684

Download Submit
memory/308-261-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/580-162-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/580-108-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/580-110-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/768-278-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/844-316-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1032-311-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1032-313-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1032-292-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1032-322-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1032-307-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1032-242-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1032-298-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1032-310-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1032-265-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1108-207-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1108-291-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1108-294-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1108-229-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1108-269-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1276-180-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1328-260-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1328-205-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1328-204-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1328-266-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1396-248-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1524-176-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1524-174-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1524-181-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1868-315-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1868-301-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1884-220-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2108-49-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2292-286-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2452-231-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2452-223-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2452-188-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2452-190-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2452-243-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2512-74-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2580-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2580-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2580-34-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2580-127-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2580-122-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2580-124-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2580-128-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2580-57-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2580-12-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2580-202-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2640-106-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2652-35-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2668-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2816-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2816-111-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2956-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2984-299-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3032-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3032-168-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/3032-70-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3032-94-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/3032-92-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/3032-160-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/3040-84-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads