5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59

Analysis

max time kernel
152s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe
Size

72KB
MD5

5fca8bb3e308f03727acf4a9e5d59502
SHA1

cd42f7a4f7b7f4e971cf45f809740ec79e913a99
SHA256

5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59
SHA512

befc7bf9081b073dfd40bc8c5b3e86333697d6b2fdd794fb1d76dac26cb376f4653afcc0a260e9939c9070ed826b86158e8afa4ed064ca81d1d03b76990a4b88
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr3k7w:teThavEjDWguKU7w

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
4112	backup.exe
2108	backup.exe
1012	backup.exe
5028	backup.exe
1836	backup.exe
4012	backup.exe
2040	backup.exe
444	backup.exe
5108	data.exe
3076	backup.exe
2136	backup.exe
4848	backup.exe
3460	backup.exe
3176	backup.exe
4268	backup.exe
4680	System Restore.exe
3096	backup.exe
4248	backup.exe
3160	backup.exe
4736	backup.exe
4276	backup.exe
4280	backup.exe
1932	backup.exe
2460	backup.exe
5044	backup.exe
3528	backup.exe
3916	backup.exe
2052	backup.exe
1820	backup.exe
2648	backup.exe
2560	backup.exe
5008	backup.exe
1036	backup.exe
1680	backup.exe
3276	backup.exe
4784	backup.exe
4860	backup.exe
2092	backup.exe
2844	backup.exe
4244	backup.exe
3492	backup.exe
2856	backup.exe
3932	backup.exe
4080	backup.exe
4812	backup.exe
3628	backup.exe
3564	backup.exe
372	backup.exe
3224	backup.exe
4788	backup.exe
3184	backup.exe
2320	backup.exe
1660	backup.exe
4760	backup.exe
2748	backup.exe
1764	backup.exe
904	backup.exe
4252	backup.exe
808	backup.exe
100	backup.exe
260	backup.exe
3076	backup.exe
1732	backup.exe
480	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\update.exe	System Restore.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\update.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\update.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe
4112	backup.exe
2108	backup.exe
1012	backup.exe
5028	backup.exe
1836	backup.exe
4012	backup.exe
2040	backup.exe
444	backup.exe
5108	data.exe
3076	backup.exe
2136	backup.exe
4848	backup.exe
3460	backup.exe
3176	backup.exe
4268	backup.exe
4680	System Restore.exe
3096	backup.exe
4248	backup.exe
3160	backup.exe
4736	backup.exe
4280	backup.exe
4276	backup.exe
3528	backup.exe
3916	backup.exe
2460	backup.exe
1932	backup.exe
5044	backup.exe
2052	backup.exe
1820	backup.exe
2560	backup.exe
2648	backup.exe
5008	backup.exe
1036	backup.exe
1680	backup.exe
3276	backup.exe
4784	backup.exe
4860	backup.exe
2844	backup.exe
2092	backup.exe
4244	backup.exe
2856	backup.exe
4080	backup.exe
3492	backup.exe
3932	backup.exe
3628	backup.exe
4812	backup.exe
372	backup.exe
3564	backup.exe
3224	backup.exe
4788	backup.exe
3184	backup.exe
2320	backup.exe
1660	backup.exe
4760	backup.exe
2748	backup.exe
1764	backup.exe
4252	backup.exe
904	backup.exe
808	backup.exe
100	backup.exe
260	backup.exe
3076	backup.exe
5060	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 4112	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	83
PID 4900 wrote to memory of 4112	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	83
PID 4900 wrote to memory of 4112	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	83
PID 4900 wrote to memory of 2108	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	84
PID 4900 wrote to memory of 2108	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	84
PID 4900 wrote to memory of 2108	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	84
PID 4900 wrote to memory of 1012	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	85
PID 4900 wrote to memory of 1012	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	85
PID 4900 wrote to memory of 1012	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	85
PID 4900 wrote to memory of 5028	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	86
PID 4900 wrote to memory of 5028	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	86
PID 4900 wrote to memory of 5028	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	86
PID 4112 wrote to memory of 1836	4112	backup.exe	87
PID 4112 wrote to memory of 1836	4112	backup.exe	87
PID 4112 wrote to memory of 1836	4112	backup.exe	87
PID 4900 wrote to memory of 4012	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	88
PID 4900 wrote to memory of 4012	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	88
PID 4900 wrote to memory of 4012	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	88
PID 4900 wrote to memory of 2040	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	89
PID 4900 wrote to memory of 2040	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	89
PID 4900 wrote to memory of 2040	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	89
PID 1836 wrote to memory of 444	1836	backup.exe	90
PID 1836 wrote to memory of 444	1836	backup.exe	90
PID 1836 wrote to memory of 444	1836	backup.exe	90
PID 4900 wrote to memory of 5108	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	91
PID 4900 wrote to memory of 5108	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	91
PID 4900 wrote to memory of 5108	4900	5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe	91
PID 1836 wrote to memory of 3076	1836	backup.exe	92
PID 1836 wrote to memory of 3076	1836	backup.exe	92
PID 1836 wrote to memory of 3076	1836	backup.exe	92
PID 1836 wrote to memory of 2136	1836	backup.exe	93
PID 1836 wrote to memory of 2136	1836	backup.exe	93
PID 1836 wrote to memory of 2136	1836	backup.exe	93
PID 2136 wrote to memory of 4848	2136	backup.exe	94
PID 2136 wrote to memory of 4848	2136	backup.exe	94
PID 2136 wrote to memory of 4848	2136	backup.exe	94
PID 4848 wrote to memory of 3460	4848	backup.exe	95
PID 4848 wrote to memory of 3460	4848	backup.exe	95
PID 4848 wrote to memory of 3460	4848	backup.exe	95
PID 2136 wrote to memory of 3176	2136	backup.exe	96
PID 2136 wrote to memory of 3176	2136	backup.exe	96
PID 2136 wrote to memory of 3176	2136	backup.exe	96
PID 2136 wrote to memory of 4268	2136	backup.exe	97
PID 2136 wrote to memory of 4268	2136	backup.exe	97
PID 2136 wrote to memory of 4268	2136	backup.exe	97
PID 1836 wrote to memory of 4680	1836	backup.exe	98
PID 1836 wrote to memory of 4680	1836	backup.exe	98
PID 1836 wrote to memory of 4680	1836	backup.exe	98
PID 3176 wrote to memory of 3096	3176	backup.exe	99
PID 3176 wrote to memory of 3096	3176	backup.exe	99
PID 3176 wrote to memory of 3096	3176	backup.exe	99
PID 4268 wrote to memory of 4248	4268	backup.exe	100
PID 4268 wrote to memory of 4248	4268	backup.exe	100
PID 4268 wrote to memory of 4248	4268	backup.exe	100
PID 2136 wrote to memory of 3160	2136	backup.exe	101
PID 2136 wrote to memory of 3160	2136	backup.exe	101
PID 2136 wrote to memory of 3160	2136	backup.exe	101
PID 4680 wrote to memory of 4736	4680	System Restore.exe	102
PID 4680 wrote to memory of 4736	4680	System Restore.exe	102
PID 4680 wrote to memory of 4736	4680	System Restore.exe	102
PID 1836 wrote to memory of 4280	1836	backup.exe	104
PID 1836 wrote to memory of 4280	1836	backup.exe	104
PID 1836 wrote to memory of 4280	1836	backup.exe	104
PID 3176 wrote to memory of 4276	3176	backup.exe	103

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe
"C:\Users\Admin\AppData\Local\Temp\5d539571200cbdb657ba4ad8e9d252cfdc330f094eb87ff9c3635d9020289a59.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\2735428707\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2735428707\backup.exe C:\Users\Admin\AppData\Local\Temp\2735428707\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4112
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:444
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3076
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2136
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3460
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3176
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3096
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4276
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3916
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5008
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4080
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2092
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3564
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3184
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4252
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        
        PID:1928
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        System policy modification
        
        PID:2392
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1824
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4528
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        
        PID:1772
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1256
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        System policy modification
        
        PID:4844
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        System policy modification
        
        PID:2052
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Drops file in Program Files directory
        
        PID:3740
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:660
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        
        PID:1732
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        
        PID:4340
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        System policy modification
        
        PID:3952
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        System policy modification
        
        PID:220
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:4684
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3116
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3864
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:4516
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1708
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        System policy modification
        
        PID:2192
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2472
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4268
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4248
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2560
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3276
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4784
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3492
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:372
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:100
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3076
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2312
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:3636
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:876
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4348
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3160
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2460
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1820
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1680
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2844
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3932
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3224
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1660
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:904
    - - C:\Program Files\Java\update.exe
        
        "C:\Program Files\Java\update.exe" C:\Program Files\Java\
        5⤵
        Drops file in Program Files directory
        
        PID:1784
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3604
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:3168
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4560
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        System policy modification
        
        PID:1716
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3360
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3880
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        System policy modification
        
        PID:2876
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        System policy modification
        
        PID:4780
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3064
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1444
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
        9⤵
        
        PID:4752
      - C:\Program Files\Java\jre1.8.0_66\update.exe
        
        "C:\Program Files\Java\jre1.8.0_66\update.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2096
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1236
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        
        PID:4508
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:5076
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3100
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:260
  - - C:\Program Files (x86)\System Restore.exe
      "C:\Program Files (x86)\System Restore.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4680
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4736
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5044
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2648
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4860
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3628
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:5060
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1400
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1204
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4344
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:4172
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Drops file in Program Files directory
        
        PID:1008
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1432
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1680
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2308
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        Drops file in Program Files directory
        
        PID:1872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:4992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4784
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        System policy modification
        
        PID:4384
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:4368
    - - C:\Program Files (x86)\Common Files\update.exe
        
        "C:\Program Files (x86)\Common Files\update.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1504
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4432
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:3608
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4280
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3528
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2052
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1036
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4244
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4812
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2320
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1764
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:260
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Executes dropped EXE
        
        PID:480
      - C:\Users\Admin\OneDrive\System Restore.exe
        
        "C:\Users\Admin\OneDrive\System Restore.exe" C:\Users\Admin\OneDrive\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:3124
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4864
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:4216
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:476
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        System policy modification
        
        PID:1252
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:4620
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        System policy modification
        
        PID:4656
      - C:\Users\Public\Documents\update.exe
        
        C:\Users\Public\Documents\update.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1228
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1744
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:3460
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2888
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:1592
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        System policy modification
        
        PID:3836
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:904
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        
        PID:4932
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1012
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4012
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2040
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:5108

C:\Program Files\Common Files\System\ado\backup.exe
"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
4fdc8f96820afe1fd44127f441c99dac

SHA1
37ba10eba8f577ae678f15a1946c93b9f2fb5b14

SHA256
a601abcf79d139a60b6f80f28ccd2655f94610e00223f97728576f9a50740441

SHA512
1d1bef88fa16d47bfdd19da7b2c92909ddf81b281a5513a7d6fc95b2567a9d20e3e2fb0700435ac893366fc9018292138581e46b5e6a1c63470ad0daedfb299f

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
4fdc8f96820afe1fd44127f441c99dac

SHA1
37ba10eba8f577ae678f15a1946c93b9f2fb5b14

SHA256
a601abcf79d139a60b6f80f28ccd2655f94610e00223f97728576f9a50740441

SHA512
1d1bef88fa16d47bfdd19da7b2c92909ddf81b281a5513a7d6fc95b2567a9d20e3e2fb0700435ac893366fc9018292138581e46b5e6a1c63470ad0daedfb299f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
72KB

MD5
43f96146e402d53f40cae58c7d90b1e5

SHA1
8f47a6eeead4317c2ab65a1eaefb449a2b7b8b9c

SHA256
aff8ab54430d5cfb6f28e5cc3a61c488a9f62d815242b46070304714de0b6d76

SHA512
efa8dd32a9f3897ed185264aa6e7de2fe037804df7ced3b8bb96cf388bc371b2c4dc6de5bf32d55067e94c3e82cda29a7f89f684cb95d64e94513ce98912e432

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
72KB

MD5
43f96146e402d53f40cae58c7d90b1e5

SHA1
8f47a6eeead4317c2ab65a1eaefb449a2b7b8b9c

SHA256
aff8ab54430d5cfb6f28e5cc3a61c488a9f62d815242b46070304714de0b6d76

SHA512
efa8dd32a9f3897ed185264aa6e7de2fe037804df7ced3b8bb96cf388bc371b2c4dc6de5bf32d55067e94c3e82cda29a7f89f684cb95d64e94513ce98912e432

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
72KB

MD5
ef5b12eba1bd930151894bf911dc488e

SHA1
ef1427d40b576730e22c6abedf14ac86245b25b4

SHA256
913462a156e227584cf779380715e5402b4c7bb5282aced8741431fee3f40ef7

SHA512
f94cdc98086d0b12ee44c65465847b2391af16cdfdfe725627aeaf6637372a001fd160d1e5c9ba285f1e4d5e48a19567116f745087bcbc00b16d97702c580a52

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
72KB

MD5
ef5b12eba1bd930151894bf911dc488e

SHA1
ef1427d40b576730e22c6abedf14ac86245b25b4

SHA256
913462a156e227584cf779380715e5402b4c7bb5282aced8741431fee3f40ef7

SHA512
f94cdc98086d0b12ee44c65465847b2391af16cdfdfe725627aeaf6637372a001fd160d1e5c9ba285f1e4d5e48a19567116f745087bcbc00b16d97702c580a52

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
48635a959df56e6d391d1572925f3393

SHA1
6c1741cb874e3b7da0fd32d746cf2ad56c64dd99

SHA256
8595077df43ffa61c0214f182cc25692ec66670f6e1bf83927094924c5f62160

SHA512
8b2be3d070a89fec83a613342f38089e1e14fd37a32bd5b2f79a31141ce12f3d0e7a2d2040729bf95188a5670c39fc0b47296da981e6a70dde60c2d27eb7de00

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
48635a959df56e6d391d1572925f3393

SHA1
6c1741cb874e3b7da0fd32d746cf2ad56c64dd99

SHA256
8595077df43ffa61c0214f182cc25692ec66670f6e1bf83927094924c5f62160

SHA512
8b2be3d070a89fec83a613342f38089e1e14fd37a32bd5b2f79a31141ce12f3d0e7a2d2040729bf95188a5670c39fc0b47296da981e6a70dde60c2d27eb7de00

Download Submit
C:\Program Files (x86)\System Restore.exe

Filesize
72KB

MD5
97b3bcafbedeef46469a6ffdea615321

SHA1
3ddbe3590fb28c42af0a062b6c8f8257bb182526

SHA256
b179964f153dba89df9676b57939b6b4476cb480bb8296a1b6b8e51f7af96767

SHA512
459e48d85ec46d62a2139f09007fc13c47227512005bfd6da6fd1652154611459eeb84e777ca4b8455a1b57317803f3a6341cb1a8830044415cf8e22a4efa6a1

Download Submit
C:\Program Files (x86)\System Restore.exe

Filesize
72KB

MD5
97b3bcafbedeef46469a6ffdea615321

SHA1
3ddbe3590fb28c42af0a062b6c8f8257bb182526

SHA256
b179964f153dba89df9676b57939b6b4476cb480bb8296a1b6b8e51f7af96767

SHA512
459e48d85ec46d62a2139f09007fc13c47227512005bfd6da6fd1652154611459eeb84e777ca4b8455a1b57317803f3a6341cb1a8830044415cf8e22a4efa6a1

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
31dc9b1ff7da37bc595d1d55ea9856b3

SHA1
5628254e068bbfdcde30fbf68f39f4974a36304a

SHA256
13435d018c047f15daa9a3dad8c538ca70e20c45e5a29795d94fa1a2fd4ccbfc

SHA512
07b75ebb53d1a3205ed6f01f115679f67674828b5e684538c9934394d7e536667abe65fcceecb7e4378549ef7d6daa3e9dd486483840580517abeed30986f33a

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
31dc9b1ff7da37bc595d1d55ea9856b3

SHA1
5628254e068bbfdcde30fbf68f39f4974a36304a

SHA256
13435d018c047f15daa9a3dad8c538ca70e20c45e5a29795d94fa1a2fd4ccbfc

SHA512
07b75ebb53d1a3205ed6f01f115679f67674828b5e684538c9934394d7e536667abe65fcceecb7e4378549ef7d6daa3e9dd486483840580517abeed30986f33a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
a19d7c9a980013750c1a35ebec298db5

SHA1
cf3c028297cff6a09fd8ca652553a8b38782787a

SHA256
cc858719f61afdbe35ca68b1887535d2e36d948bbd1e42fd9561b41c5001fb74

SHA512
df37b99f0ed26a2ec65d71da79a71417609c61ec1f9a884b6ebad045e96e22251d94809bd6c3ae71b8a344ab57317bdb9db0a92bf9cf01f2180b7eea419d5ebd

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
a19d7c9a980013750c1a35ebec298db5

SHA1
cf3c028297cff6a09fd8ca652553a8b38782787a

SHA256
cc858719f61afdbe35ca68b1887535d2e36d948bbd1e42fd9561b41c5001fb74

SHA512
df37b99f0ed26a2ec65d71da79a71417609c61ec1f9a884b6ebad045e96e22251d94809bd6c3ae71b8a344ab57317bdb9db0a92bf9cf01f2180b7eea419d5ebd

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
7eb47d60a31fd5f7cb3432fbcc0826bf

SHA1
1b8a03871aa910f7fa1efc42fa2182e01914022c

SHA256
8fb0ec9dec99e5ccdc79accc3a4a38c643f6b0e39ef3879eab57eaed4d4b0edd

SHA512
98f9c57bb6bf32a2ad2ae76e5a6285c811bfc053eb176a4ddc79f88e8993bb127a7f7410a9da930db7db7efd292aaa6813f4cfb9d43e59a571a5f687e73849aa

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
7eb47d60a31fd5f7cb3432fbcc0826bf

SHA1
1b8a03871aa910f7fa1efc42fa2182e01914022c

SHA256
8fb0ec9dec99e5ccdc79accc3a4a38c643f6b0e39ef3879eab57eaed4d4b0edd

SHA512
98f9c57bb6bf32a2ad2ae76e5a6285c811bfc053eb176a4ddc79f88e8993bb127a7f7410a9da930db7db7efd292aaa6813f4cfb9d43e59a571a5f687e73849aa

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
a19d7c9a980013750c1a35ebec298db5

SHA1
cf3c028297cff6a09fd8ca652553a8b38782787a

SHA256
cc858719f61afdbe35ca68b1887535d2e36d948bbd1e42fd9561b41c5001fb74

SHA512
df37b99f0ed26a2ec65d71da79a71417609c61ec1f9a884b6ebad045e96e22251d94809bd6c3ae71b8a344ab57317bdb9db0a92bf9cf01f2180b7eea419d5ebd

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
a19d7c9a980013750c1a35ebec298db5

SHA1
cf3c028297cff6a09fd8ca652553a8b38782787a

SHA256
cc858719f61afdbe35ca68b1887535d2e36d948bbd1e42fd9561b41c5001fb74

SHA512
df37b99f0ed26a2ec65d71da79a71417609c61ec1f9a884b6ebad045e96e22251d94809bd6c3ae71b8a344ab57317bdb9db0a92bf9cf01f2180b7eea419d5ebd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
6085fc4ed7df7f3b9d882f4f74d26d4a

SHA1
f9926ce72b7048349ba78ee10889778d21c129a8

SHA256
40441a01b144a14a709e609672c9120dc4e91b3ebc7be2486a0f5f6e72008f85

SHA512
e132ffb28a592780ef642b734deaec04b51c972793fc90c0975ef33e889d1ca8ce90b6101758a59d7545098b7915c6dff3c53ce923c4a20661d45d18cc6f65f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
6085fc4ed7df7f3b9d882f4f74d26d4a

SHA1
f9926ce72b7048349ba78ee10889778d21c129a8

SHA256
40441a01b144a14a709e609672c9120dc4e91b3ebc7be2486a0f5f6e72008f85

SHA512
e132ffb28a592780ef642b734deaec04b51c972793fc90c0975ef33e889d1ca8ce90b6101758a59d7545098b7915c6dff3c53ce923c4a20661d45d18cc6f65f4

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
7cecad730a7276bdb4a20b07b4c8c71a

SHA1
92b4d5e233663380ad87a9c2ced330e2839f10b9

SHA256
abdf28009bb31e6e0f0fe10d842ef3d7bbffa0caae4bfea3614c72d004e0ed11

SHA512
93e696da5e6c5e1062a3797792b10833d74efc8060750bd2953c7daf86243de94570c30cb4e3712b8511a15b96d31b43b55066ce15e8d765e0d71a8fddb26666

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
7cecad730a7276bdb4a20b07b4c8c71a

SHA1
92b4d5e233663380ad87a9c2ced330e2839f10b9

SHA256
abdf28009bb31e6e0f0fe10d842ef3d7bbffa0caae4bfea3614c72d004e0ed11

SHA512
93e696da5e6c5e1062a3797792b10833d74efc8060750bd2953c7daf86243de94570c30cb4e3712b8511a15b96d31b43b55066ce15e8d765e0d71a8fddb26666

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
d52362266ecf6d5c6c0a5a25d8ad4ea7

SHA1
1d3662298462bbc6d7e8f9841a7721d72b8243b9

SHA256
9697b1dab61b8214ab6bd08b1e8fac0de4792ad2c730e1dd2bd3d0b5b1883ed0

SHA512
a16339fd742a3cb281f35e1a93db60c74fa9dd2adca4ff2573a7ee65c1711614789be58542142630f53d379e1cefcfa83458fa633b3c75dbd8cd0402b1424caa

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
d52362266ecf6d5c6c0a5a25d8ad4ea7

SHA1
1d3662298462bbc6d7e8f9841a7721d72b8243b9

SHA256
9697b1dab61b8214ab6bd08b1e8fac0de4792ad2c730e1dd2bd3d0b5b1883ed0

SHA512
a16339fd742a3cb281f35e1a93db60c74fa9dd2adca4ff2573a7ee65c1711614789be58542142630f53d379e1cefcfa83458fa633b3c75dbd8cd0402b1424caa

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe

Filesize
72KB

MD5
2e97b7121dbb9e3a00f47d17096fc3da

SHA1
42ad5c49714fea984da530dc66d26352fc0692b5

SHA256
a44d5e25a97b45eb9885ef6a07ad205562dc444d1d503d194e30b50f07c4690d

SHA512
01dc9c64633062d6732f497ccbb67030a6d64021439576362fce38110072dc76b0143c8cc4da2c2e0f030f9c59db88b217cee0e8df329521b42bab3d1d07f142

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe

Filesize
72KB

MD5
2e97b7121dbb9e3a00f47d17096fc3da

SHA1
42ad5c49714fea984da530dc66d26352fc0692b5

SHA256
a44d5e25a97b45eb9885ef6a07ad205562dc444d1d503d194e30b50f07c4690d

SHA512
01dc9c64633062d6732f497ccbb67030a6d64021439576362fce38110072dc76b0143c8cc4da2c2e0f030f9c59db88b217cee0e8df329521b42bab3d1d07f142

Download Submit
C:\Program Files\Google\Chrome\Application\backup.exe

Filesize
72KB

MD5
610f50ab45054c00f09b9a41d3c9beaa

SHA1
af2ce27d3afda29ecfdddb4b28b49f2d310533f9

SHA256
b14d0fe64b09869bac4c1c1208780c171e1d9e2cf9d65e511d7af5d11e5b25e9

SHA512
c41942e46fa0d50b939c6abace816c85a440c5fac49f325cc4f9beb4699880a93abc1d2387e9399dc324301e224430e98efd17ce83340cc92dc4b8fb5fa8b6d1

Download Submit
C:\Program Files\Google\Chrome\Application\backup.exe

Filesize
72KB

MD5
610f50ab45054c00f09b9a41d3c9beaa

SHA1
af2ce27d3afda29ecfdddb4b28b49f2d310533f9

SHA256
b14d0fe64b09869bac4c1c1208780c171e1d9e2cf9d65e511d7af5d11e5b25e9

SHA512
c41942e46fa0d50b939c6abace816c85a440c5fac49f325cc4f9beb4699880a93abc1d2387e9399dc324301e224430e98efd17ce83340cc92dc4b8fb5fa8b6d1

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
b9c7b2245dbd65744deaf87a82c1c8d5

SHA1
d5682ed76827f6ce422a88fcefc325c15dbe2ad4

SHA256
5653b887e44de287eee766e6a70a04825aaa50d76c13aad68c0131f1133be2d7

SHA512
684881afe393a87f72a7965f70e7fbf2e63389ea97cf9a15be013efa709e067d7022e5fbf1bfce452df5cb04d1afa093165a3973287f6efcfd8cfcb4f229d4d4

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
b9c7b2245dbd65744deaf87a82c1c8d5

SHA1
d5682ed76827f6ce422a88fcefc325c15dbe2ad4

SHA256
5653b887e44de287eee766e6a70a04825aaa50d76c13aad68c0131f1133be2d7

SHA512
684881afe393a87f72a7965f70e7fbf2e63389ea97cf9a15be013efa709e067d7022e5fbf1bfce452df5cb04d1afa093165a3973287f6efcfd8cfcb4f229d4d4

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
993d902288d9a7b437054e3fb9b17dfd

SHA1
1bdaa3cfca1a5a841fadd43d85c34dc0e4166802

SHA256
cbc47edefef0a6384266adda7e12efe13374e7d28f757ee1c3d0f1d02e58c598

SHA512
7fa46da071f1c30036d27881b2fbf910ea55218f76e6ff33e5afd520e7425bd6504c4954c953f74941469151b945ad91cbbc2d203c9e57d39405f5a002daded6

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
993d902288d9a7b437054e3fb9b17dfd

SHA1
1bdaa3cfca1a5a841fadd43d85c34dc0e4166802

SHA256
cbc47edefef0a6384266adda7e12efe13374e7d28f757ee1c3d0f1d02e58c598

SHA512
7fa46da071f1c30036d27881b2fbf910ea55218f76e6ff33e5afd520e7425bd6504c4954c953f74941469151b945ad91cbbc2d203c9e57d39405f5a002daded6

Download Submit
C:\Program Files\Internet Explorer\backup.exe

Filesize
72KB

MD5
0c8297dc9224ef7ec5e156bea465eea0

SHA1
62020c3bb4a26eda7081dd24fca3b44c093e8a36

SHA256
44df2c7996f351f75a5b93db9efdf2ff3c4d495acce1b6c2c529ee4b8fbf00ec

SHA512
01ab294042f965f878bb7a9bb22e6e485d493fa1cb6c088dbe3e6e48e719b43007450a36de8f40a7d3bbeaa594cc5027921bacb54ca5c3bf02b571b1b255800f

Download Submit
C:\Program Files\Internet Explorer\backup.exe

Filesize
72KB

MD5
0c8297dc9224ef7ec5e156bea465eea0

SHA1
62020c3bb4a26eda7081dd24fca3b44c093e8a36

SHA256
44df2c7996f351f75a5b93db9efdf2ff3c4d495acce1b6c2c529ee4b8fbf00ec

SHA512
01ab294042f965f878bb7a9bb22e6e485d493fa1cb6c088dbe3e6e48e719b43007450a36de8f40a7d3bbeaa594cc5027921bacb54ca5c3bf02b571b1b255800f

Download Submit
C:\Program Files\Internet Explorer\de-DE\backup.exe

Filesize
72KB

MD5
ca0f6b7c6b8b2032f5c186a996850bd0

SHA1
523e2e99a6c4d4292c26d66f2c98cf66645b8b1d

SHA256
f5041a1007be7302d797d4a73760057957d178af3da815de53372e8b18a6b534

SHA512
6bc9e7fcd22c2965efe5c222e3097a926e221c60469c38c37669dc6d182e01f6982fc067ec7a6512edf5940678471a13087be2ed4974fb7333ac409e3e22f9ba

Download Submit
C:\Program Files\Internet Explorer\de-DE\backup.exe

Filesize
72KB

MD5
ca0f6b7c6b8b2032f5c186a996850bd0

SHA1
523e2e99a6c4d4292c26d66f2c98cf66645b8b1d

SHA256
f5041a1007be7302d797d4a73760057957d178af3da815de53372e8b18a6b534

SHA512
6bc9e7fcd22c2965efe5c222e3097a926e221c60469c38c37669dc6d182e01f6982fc067ec7a6512edf5940678471a13087be2ed4974fb7333ac409e3e22f9ba

Download Submit
C:\Program Files\Internet Explorer\en-US\backup.exe

Filesize
72KB

MD5
3da81351137f760ffd39af8afe35c115

SHA1
372b03602c87f6c9f235d4780a53874ca6abf76f

SHA256
99213a17192870688749a75a39da39db9fe8bd4a572e0dc245f5f6f8cd489631

SHA512
6bbebea36ea0bd40f5bfed406ffe7f7d6f01422d0dc77f26e7d65196594bbc1cdd31c731292563e34599b6e8c1f4180ee0344daa543d50d0aa100fe9d248772a

Download Submit
C:\Program Files\Internet Explorer\en-US\backup.exe

Filesize
72KB

MD5
3da81351137f760ffd39af8afe35c115

SHA1
372b03602c87f6c9f235d4780a53874ca6abf76f

SHA256
99213a17192870688749a75a39da39db9fe8bd4a572e0dc245f5f6f8cd489631

SHA512
6bbebea36ea0bd40f5bfed406ffe7f7d6f01422d0dc77f26e7d65196594bbc1cdd31c731292563e34599b6e8c1f4180ee0344daa543d50d0aa100fe9d248772a

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
4fdc8f96820afe1fd44127f441c99dac

SHA1
37ba10eba8f577ae678f15a1946c93b9f2fb5b14

SHA256
a601abcf79d139a60b6f80f28ccd2655f94610e00223f97728576f9a50740441

SHA512
1d1bef88fa16d47bfdd19da7b2c92909ddf81b281a5513a7d6fc95b2567a9d20e3e2fb0700435ac893366fc9018292138581e46b5e6a1c63470ad0daedfb299f

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
4fdc8f96820afe1fd44127f441c99dac

SHA1
37ba10eba8f577ae678f15a1946c93b9f2fb5b14

SHA256
a601abcf79d139a60b6f80f28ccd2655f94610e00223f97728576f9a50740441

SHA512
1d1bef88fa16d47bfdd19da7b2c92909ddf81b281a5513a7d6fc95b2567a9d20e3e2fb0700435ac893366fc9018292138581e46b5e6a1c63470ad0daedfb299f

Download Submit
C:\Users\Admin\3D Objects\backup.exe

Filesize
72KB

MD5
c50787759612d684b0c5492238d31a9d

SHA1
4b0185c98dcd5f08387cf07b6db15fe31e9a304f

SHA256
d0ceba82b28cad78a9e6deb715c168f1a83dc40d1cb45c22d4cac29cde2c5e6c

SHA512
5cbff3b29036103e1d6d1c3d815b597fe94c3819ea14ea56c77f5932ee86b11b7ca046402c4967923bc4c2486a86a3fa1efa246dc90c16ba2e0db7b27b4bf538

Download Submit
C:\Users\Admin\3D Objects\backup.exe

Filesize
72KB

MD5
c50787759612d684b0c5492238d31a9d

SHA1
4b0185c98dcd5f08387cf07b6db15fe31e9a304f

SHA256
d0ceba82b28cad78a9e6deb715c168f1a83dc40d1cb45c22d4cac29cde2c5e6c

SHA512
5cbff3b29036103e1d6d1c3d815b597fe94c3819ea14ea56c77f5932ee86b11b7ca046402c4967923bc4c2486a86a3fa1efa246dc90c16ba2e0db7b27b4bf538

Download Submit
C:\Users\Admin\AppData\Local\Temp\2735428707\backup.exe

Filesize
72KB

MD5
dabcb99d8d40b8b7cc6828eb9f5ddb55

SHA1
698efacac7a17353c75377a62f977a8ad94f9867

SHA256
d082bf89ea75618c87f54548b80a18c04beae1a180acf5b71afa239d5221e8b0

SHA512
3ec69dd13e57622ef092c437ed49a0deec6cb6cdcbcbd908b75eef7c7c4964ef8bf21006cc820a31041bec6969eeb613a805bb2fe74689abd030b7c63dc93fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2735428707\backup.exe

Filesize
72KB

MD5
dabcb99d8d40b8b7cc6828eb9f5ddb55

SHA1
698efacac7a17353c75377a62f977a8ad94f9867

SHA256
d082bf89ea75618c87f54548b80a18c04beae1a180acf5b71afa239d5221e8b0

SHA512
3ec69dd13e57622ef092c437ed49a0deec6cb6cdcbcbd908b75eef7c7c4964ef8bf21006cc820a31041bec6969eeb613a805bb2fe74689abd030b7c63dc93fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
cbcb914dafaf4947742de8ddeb390762

SHA1
a3287b2ea0f704c3a2804acdd341950b5d0de7c8

SHA256
bfbd5ad3b2338756dba7e39ff4f43cd9b6f2d064f17039f831094f40acee6acb

SHA512
0f2cd860f03ddf4d8a29d5cae6e658c787aa2b4c4760b37eab942cd11d4e1272d8280135caa4c33298fcb8bf3c9b2cc58a69e3cb3b0d022bec1b4ff806db162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
cbcb914dafaf4947742de8ddeb390762

SHA1
a3287b2ea0f704c3a2804acdd341950b5d0de7c8

SHA256
bfbd5ad3b2338756dba7e39ff4f43cd9b6f2d064f17039f831094f40acee6acb

SHA512
0f2cd860f03ddf4d8a29d5cae6e658c787aa2b4c4760b37eab942cd11d4e1272d8280135caa4c33298fcb8bf3c9b2cc58a69e3cb3b0d022bec1b4ff806db162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
301fdd924b4bbd17d6d38de5127528c1

SHA1
03e2523bf237ad68cf23de25c3b3036599e34758

SHA256
981075e5e18164c5b2d7adb453a7a8451b04ebf62eaad1bd1c3559933bd9ea26

SHA512
26fe243e0ecc0cecc446c7765e71a5dbc36a53b20b8b4926defc132f03b1d238cc334b2b179b13558405694eddc43fe069359d0457c301ba30d1cd3c43c597f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
301fdd924b4bbd17d6d38de5127528c1

SHA1
03e2523bf237ad68cf23de25c3b3036599e34758

SHA256
981075e5e18164c5b2d7adb453a7a8451b04ebf62eaad1bd1c3559933bd9ea26

SHA512
26fe243e0ecc0cecc446c7765e71a5dbc36a53b20b8b4926defc132f03b1d238cc334b2b179b13558405694eddc43fe069359d0457c301ba30d1cd3c43c597f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
301fdd924b4bbd17d6d38de5127528c1

SHA1
03e2523bf237ad68cf23de25c3b3036599e34758

SHA256
981075e5e18164c5b2d7adb453a7a8451b04ebf62eaad1bd1c3559933bd9ea26

SHA512
26fe243e0ecc0cecc446c7765e71a5dbc36a53b20b8b4926defc132f03b1d238cc334b2b179b13558405694eddc43fe069359d0457c301ba30d1cd3c43c597f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
301fdd924b4bbd17d6d38de5127528c1

SHA1
03e2523bf237ad68cf23de25c3b3036599e34758

SHA256
981075e5e18164c5b2d7adb453a7a8451b04ebf62eaad1bd1c3559933bd9ea26

SHA512
26fe243e0ecc0cecc446c7765e71a5dbc36a53b20b8b4926defc132f03b1d238cc334b2b179b13558405694eddc43fe069359d0457c301ba30d1cd3c43c597f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
cbcb914dafaf4947742de8ddeb390762

SHA1
a3287b2ea0f704c3a2804acdd341950b5d0de7c8

SHA256
bfbd5ad3b2338756dba7e39ff4f43cd9b6f2d064f17039f831094f40acee6acb

SHA512
0f2cd860f03ddf4d8a29d5cae6e658c787aa2b4c4760b37eab942cd11d4e1272d8280135caa4c33298fcb8bf3c9b2cc58a69e3cb3b0d022bec1b4ff806db162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
cbcb914dafaf4947742de8ddeb390762

SHA1
a3287b2ea0f704c3a2804acdd341950b5d0de7c8

SHA256
bfbd5ad3b2338756dba7e39ff4f43cd9b6f2d064f17039f831094f40acee6acb

SHA512
0f2cd860f03ddf4d8a29d5cae6e658c787aa2b4c4760b37eab942cd11d4e1272d8280135caa4c33298fcb8bf3c9b2cc58a69e3cb3b0d022bec1b4ff806db162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
cbcb914dafaf4947742de8ddeb390762

SHA1
a3287b2ea0f704c3a2804acdd341950b5d0de7c8

SHA256
bfbd5ad3b2338756dba7e39ff4f43cd9b6f2d064f17039f831094f40acee6acb

SHA512
0f2cd860f03ddf4d8a29d5cae6e658c787aa2b4c4760b37eab942cd11d4e1272d8280135caa4c33298fcb8bf3c9b2cc58a69e3cb3b0d022bec1b4ff806db162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
cbcb914dafaf4947742de8ddeb390762

SHA1
a3287b2ea0f704c3a2804acdd341950b5d0de7c8

SHA256
bfbd5ad3b2338756dba7e39ff4f43cd9b6f2d064f17039f831094f40acee6acb

SHA512
0f2cd860f03ddf4d8a29d5cae6e658c787aa2b4c4760b37eab942cd11d4e1272d8280135caa4c33298fcb8bf3c9b2cc58a69e3cb3b0d022bec1b4ff806db162c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
b4a2efe9384744980d97397fc9182d35

SHA1
4c09a1d51ab5c005ffbe476dbc5c426f30a99bcc

SHA256
69f0ed67d3a052463cb1b823b43e417a324aa657d22b87164c749e8b6698eccf

SHA512
3678bc62cfbb3658e8df77d900c081312066c831fcd8e5f7b2f6e068c38bc36ccd14d5c6bf20cf1a81a6330e3b0a723c3ec7042c6e901ea385a992bff4e8122b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
b4a2efe9384744980d97397fc9182d35

SHA1
4c09a1d51ab5c005ffbe476dbc5c426f30a99bcc

SHA256
69f0ed67d3a052463cb1b823b43e417a324aa657d22b87164c749e8b6698eccf

SHA512
3678bc62cfbb3658e8df77d900c081312066c831fcd8e5f7b2f6e068c38bc36ccd14d5c6bf20cf1a81a6330e3b0a723c3ec7042c6e901ea385a992bff4e8122b

Download Submit
C:\Users\Admin\backup.exe

Filesize
72KB

MD5
de2957f467c6eaa0403f694054e327ab

SHA1
6fbe7cc9e9b4926d1a6002ea49ac0a01ce0e7fa4

SHA256
78586961b4228b7b8070cbd77cc131c4d7737c379fc40d642fcd19fef864d6a8

SHA512
497dc4966934f1b7f97a5937e50306fd90ab63cc071d4fbbba236b66d40c5c32a964f41db8d40f160f2093e7e2eb62101de76e701ca61b71ea0d588581fe8006

Download Submit
C:\Users\Admin\backup.exe

Filesize
72KB

MD5
de2957f467c6eaa0403f694054e327ab

SHA1
6fbe7cc9e9b4926d1a6002ea49ac0a01ce0e7fa4

SHA256
78586961b4228b7b8070cbd77cc131c4d7737c379fc40d642fcd19fef864d6a8

SHA512
497dc4966934f1b7f97a5937e50306fd90ab63cc071d4fbbba236b66d40c5c32a964f41db8d40f160f2093e7e2eb62101de76e701ca61b71ea0d588581fe8006

Download Submit
C:\Users\backup.exe

Filesize
72KB

MD5
4a627f923d5edcc5ca4a2b946a30d6f7

SHA1
81eea49e056e80496f37dab380f9518742b8e1a0

SHA256
da83d825eb3dfbb6df483334c003508fe82689599fa7c111d905d712ee43c0da

SHA512
17b9e5144919316d01d53bb7aa01951610764499235fac7eddbde9dd4c0beafdc222c74800cde8cb6275b8d866549fea7384d1213fb91456a0114cd15c52c2ed

Download Submit
C:\Users\backup.exe

Filesize
72KB

MD5
4a627f923d5edcc5ca4a2b946a30d6f7

SHA1
81eea49e056e80496f37dab380f9518742b8e1a0

SHA256
da83d825eb3dfbb6df483334c003508fe82689599fa7c111d905d712ee43c0da

SHA512
17b9e5144919316d01d53bb7aa01951610764499235fac7eddbde9dd4c0beafdc222c74800cde8cb6275b8d866549fea7384d1213fb91456a0114cd15c52c2ed

Download Submit
C:\backup.exe

Filesize
72KB

MD5
88874fef40bc63af8e8385ff72b31226

SHA1
f39edea3dfb97c94ff6fb26ae26b46c37e8274c7

SHA256
c143892e0dc7aaf6db6bdc35e8ed34982eb4c7512122b7a9e4219b8af946079c

SHA512
ebb040fc8aa3fde278177c21319da7d2e81139b2a2ec107bee2b57803df1efa7734773c441c4e3eaebffc6670e05c156b89a33ca0e070e0c657921b2218a5280

Download Submit
C:\backup.exe

Filesize
72KB

MD5
88874fef40bc63af8e8385ff72b31226

SHA1
f39edea3dfb97c94ff6fb26ae26b46c37e8274c7

SHA256
c143892e0dc7aaf6db6bdc35e8ed34982eb4c7512122b7a9e4219b8af946079c

SHA512
ebb040fc8aa3fde278177c21319da7d2e81139b2a2ec107bee2b57803df1efa7734773c441c4e3eaebffc6670e05c156b89a33ca0e070e0c657921b2218a5280

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
b7cf276057ac3f863a44320ab2a1664c

SHA1
f29a43040cffe50df0449bf7e445bfb1f2e42bda

SHA256
7807435b055985f5ffc2a55a4f354c387bb0878034e3e6a2461a4433d50b6938

SHA512
4f3b39eb6a0cb92e6392e7ae6deb45dc6470095bc0f0216a7e3b6bc0dbd109f3cb31a6fe1b82b7c9638e0f34fa7098ee56d01182ec831ab18eddd5c9ac2639d3

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
b7cf276057ac3f863a44320ab2a1664c

SHA1
f29a43040cffe50df0449bf7e445bfb1f2e42bda

SHA256
7807435b055985f5ffc2a55a4f354c387bb0878034e3e6a2461a4433d50b6938

SHA512
4f3b39eb6a0cb92e6392e7ae6deb45dc6470095bc0f0216a7e3b6bc0dbd109f3cb31a6fe1b82b7c9638e0f34fa7098ee56d01182ec831ab18eddd5c9ac2639d3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads