a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5

Analysis

max time kernel
286s
max time network
352s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe
Size

72KB
MD5

a520459ae9493ede7bab6ec66a7079b5
SHA1

354fa1b74c68781079fdfa572aa3575959615850
SHA256

a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5
SHA512

1d1612e5c172ff342cc33ee9a60c27ddb8731be36fb9e944bf8455e4b6cf9a17e4aadd5995d71ddb71f6933566f821289059ad26c7072354716fb8ea671f03f8
SSDEEP

384:N6wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oGr:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrW

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 58 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
4408	backup.exe
616	backup.exe
1836	backup.exe
824	backup.exe
4336	backup.exe
1304	backup.exe
1616	backup.exe
1476	backup.exe
3316	backup.exe
4392	update.exe
3784	backup.exe
3012	backup.exe
2520	backup.exe
644	backup.exe
3540	backup.exe
1020	backup.exe
780	backup.exe
3764	backup.exe
3476	backup.exe
2896	backup.exe
3160	backup.exe
4988	System Restore.exe
3804	backup.exe
2560	System Restore.exe
2196	backup.exe
4572	backup.exe
4576	backup.exe
2652	backup.exe
4976	backup.exe
4688	backup.exe
2012	backup.exe
2840	backup.exe
4032	backup.exe
1380	backup.exe
4164	System Restore.exe
392	update.exe
1624	backup.exe
2032	backup.exe
3680	backup.exe
2088	backup.exe
1552	backup.exe
736	backup.exe
4348	backup.exe
3964	backup.exe
2072	backup.exe
1832	backup.exe
2200	backup.exe
2124	backup.exe
544	System Restore.exe
3332	backup.exe
1732	data.exe
3856	backup.exe
868	backup.exe
2932	backup.exe
1160	backup.exe
2968	backup.exe
2172	backup.exe
2000	backup.exe
4892	backup.exe
2320	backup.exe
4376	backup.exe
4660	backup.exe
2756	backup.exe
3676	backup.exe

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe
4408	backup.exe
616	backup.exe
1836	backup.exe
824	backup.exe
4336	backup.exe
1304	backup.exe
1616	backup.exe
1476	backup.exe
3316	backup.exe
4392	update.exe
3784	backup.exe
3012	backup.exe
2520	backup.exe
644	backup.exe
3540	backup.exe
1020	backup.exe
780	backup.exe
3764	backup.exe
3476	backup.exe
2896	backup.exe
3160	backup.exe
4988	System Restore.exe
3804	backup.exe
2196	backup.exe
2560	System Restore.exe
4576	backup.exe
4572	backup.exe
2652	backup.exe
4688	backup.exe
4976	backup.exe
2840	backup.exe
2012	backup.exe
4032	backup.exe
1380	backup.exe
4164	System Restore.exe
392	update.exe
1624	backup.exe
2032	backup.exe
2088	backup.exe
3680	backup.exe
1552	backup.exe
4348	backup.exe
736	backup.exe
3964	backup.exe
1832	backup.exe
2072	backup.exe
2124	backup.exe
2200	backup.exe
544	System Restore.exe
1732	data.exe
3332	backup.exe
868	backup.exe
3856	backup.exe
2932	backup.exe
1160	backup.exe
2968	backup.exe
2172	backup.exe
2000	backup.exe
4892	backup.exe
2320	backup.exe
4376	backup.exe
4660	backup.exe
2756	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4408	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	82
PID 4808 wrote to memory of 4408	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	82
PID 4808 wrote to memory of 4408	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	82
PID 4808 wrote to memory of 616	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	83
PID 4808 wrote to memory of 616	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	83
PID 4808 wrote to memory of 616	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	83
PID 4408 wrote to memory of 1836	4408	backup.exe	84
PID 4408 wrote to memory of 1836	4408	backup.exe	84
PID 4408 wrote to memory of 1836	4408	backup.exe	84
PID 4808 wrote to memory of 824	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	85
PID 4808 wrote to memory of 824	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	85
PID 4808 wrote to memory of 824	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	85
PID 1836 wrote to memory of 4336	1836	backup.exe	86
PID 1836 wrote to memory of 4336	1836	backup.exe	86
PID 1836 wrote to memory of 4336	1836	backup.exe	86
PID 1836 wrote to memory of 1304	1836	backup.exe	87
PID 1836 wrote to memory of 1304	1836	backup.exe	87
PID 1836 wrote to memory of 1304	1836	backup.exe	87
PID 4808 wrote to memory of 1616	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	88
PID 4808 wrote to memory of 1616	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	88
PID 4808 wrote to memory of 1616	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	88
PID 4808 wrote to memory of 1476	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	89
PID 4808 wrote to memory of 1476	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	89
PID 4808 wrote to memory of 1476	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	89
PID 1836 wrote to memory of 3316	1836	backup.exe	90
PID 1836 wrote to memory of 3316	1836	backup.exe	90
PID 1836 wrote to memory of 3316	1836	backup.exe	90
PID 4808 wrote to memory of 4392	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	91
PID 4808 wrote to memory of 4392	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	91
PID 4808 wrote to memory of 4392	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	91
PID 3316 wrote to memory of 3784	3316	backup.exe	92
PID 3316 wrote to memory of 3784	3316	backup.exe	92
PID 3316 wrote to memory of 3784	3316	backup.exe	92
PID 3784 wrote to memory of 2520	3784	backup.exe	93
PID 3784 wrote to memory of 2520	3784	backup.exe	93
PID 3784 wrote to memory of 2520	3784	backup.exe	93
PID 4808 wrote to memory of 3012	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	94
PID 4808 wrote to memory of 3012	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	94
PID 4808 wrote to memory of 3012	4808	a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe	94
PID 3316 wrote to memory of 644	3316	backup.exe	95
PID 3316 wrote to memory of 644	3316	backup.exe	95
PID 3316 wrote to memory of 644	3316	backup.exe	95
PID 644 wrote to memory of 3540	644	backup.exe	96
PID 644 wrote to memory of 3540	644	backup.exe	96
PID 644 wrote to memory of 3540	644	backup.exe	96
PID 644 wrote to memory of 1020	644	backup.exe	97
PID 644 wrote to memory of 1020	644	backup.exe	97
PID 644 wrote to memory of 1020	644	backup.exe	97
PID 1020 wrote to memory of 780	1020	backup.exe	98
PID 1020 wrote to memory of 780	1020	backup.exe	98
PID 1020 wrote to memory of 780	1020	backup.exe	98
PID 1020 wrote to memory of 3764	1020	backup.exe	99
PID 1020 wrote to memory of 3764	1020	backup.exe	99
PID 1020 wrote to memory of 3764	1020	backup.exe	99
PID 3764 wrote to memory of 3476	3764	backup.exe	100
PID 3764 wrote to memory of 3476	3764	backup.exe	100
PID 3764 wrote to memory of 3476	3764	backup.exe	100
PID 3764 wrote to memory of 2896	3764	backup.exe	101
PID 3764 wrote to memory of 2896	3764	backup.exe	101
PID 3764 wrote to memory of 2896	3764	backup.exe	101
PID 3764 wrote to memory of 3160	3764	backup.exe	102
PID 3764 wrote to memory of 3160	3764	backup.exe	102
PID 3764 wrote to memory of 3160	3764	backup.exe	102
PID 3764 wrote to memory of 4988	3764	backup.exe	103

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe
"C:\Users\Admin\AppData\Local\Temp\a86a9907fd13d21e207058684b41a153941a94dc43857c7eddacc3fb05dd9fe5.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\20289159\backup.exe
  C:\Users\Admin\AppData\Local\Temp\20289159\backup.exe C:\Users\Admin\AppData\Local\Temp\20289159\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4408
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1836
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4336
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1304
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3316
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3784
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2520
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:644
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3540
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1020
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:780
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3764
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3476
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2896
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3160
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4988
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3804
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4572
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4688
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1380
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3680
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3964
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:544
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:868
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2172
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4376
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2196
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4976
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\System Restore.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4164
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2088
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2200
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2968
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:4180
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2320
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2652
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4032
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1624
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4348
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1832
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3332
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3856
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4660
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4576
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2840
        
        C:\Program Files\Google\Chrome\Application\update.exe
        
        "C:\Program Files\Google\Chrome\Application\update.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:392
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1552
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2932
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:796
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1688
  - - C:\Program Files (x86)\System Restore.exe
      "C:\Program Files (x86)\System Restore.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2560
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2012
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:736
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2072
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4892
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:384
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:3448
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:4668
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:616
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:824
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4392
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
2c4db890d1253388c953fc121175943e

SHA1
0c5cd9167cfe51e72e967de6bd4749a465f42fde

SHA256
cf4b86faef72eae30786549599ea06b796fc0a3486a029ae032d2cff681f6486

SHA512
c71f15119a0cda052f0c27f4251150b71bf7a6bbf4b96f8dd42e66d9aa2a93bcb3367475576520a0e3efef78a2cf7cb26ad87d29c4a0adbeb1aa1139a378bf68

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
2c4db890d1253388c953fc121175943e

SHA1
0c5cd9167cfe51e72e967de6bd4749a465f42fde

SHA256
cf4b86faef72eae30786549599ea06b796fc0a3486a029ae032d2cff681f6486

SHA512
c71f15119a0cda052f0c27f4251150b71bf7a6bbf4b96f8dd42e66d9aa2a93bcb3367475576520a0e3efef78a2cf7cb26ad87d29c4a0adbeb1aa1139a378bf68

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
2f5fe2b3cba83101d7de7b4839e4dd66

SHA1
07028df374f744447a7ca2ba2e768bab16890bbf

SHA256
b9cf9470a753efd736cf8ac5294b09edf059dde27baaeac177a68ca46d88acd2

SHA512
da669de67b1201a900cbc397e2ed738ef7a2ef65659cffffe457782ec4cb19753689efffad343bf106c4b31d687dd5411e6a0571d63d6d7d530304121cbf8caf

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
2f5fe2b3cba83101d7de7b4839e4dd66

SHA1
07028df374f744447a7ca2ba2e768bab16890bbf

SHA256
b9cf9470a753efd736cf8ac5294b09edf059dde27baaeac177a68ca46d88acd2

SHA512
da669de67b1201a900cbc397e2ed738ef7a2ef65659cffffe457782ec4cb19753689efffad343bf106c4b31d687dd5411e6a0571d63d6d7d530304121cbf8caf

Download Submit
C:\Program Files (x86)\System Restore.exe

Filesize
72KB

MD5
4690e840ec4cef42d8c23ae746786b3a

SHA1
869bb5541a4e560e0cf6f1c7b1128a462673ed26

SHA256
e3aab6f614d0fb482b2b3ef7c78ea0ff5753127040790e3ba78353621b73880f

SHA512
78a30d3796d5f1c5184c93844d7fab01a0cc85fb858a26e051e4798b54b4a782e530d03c3c37a136c3cfe17087a9803d79e76e7bbf4cbae4403eb550414a3009

Download Submit
C:\Program Files (x86)\System Restore.exe

Filesize
72KB

MD5
4690e840ec4cef42d8c23ae746786b3a

SHA1
869bb5541a4e560e0cf6f1c7b1128a462673ed26

SHA256
e3aab6f614d0fb482b2b3ef7c78ea0ff5753127040790e3ba78353621b73880f

SHA512
78a30d3796d5f1c5184c93844d7fab01a0cc85fb858a26e051e4798b54b4a782e530d03c3c37a136c3cfe17087a9803d79e76e7bbf4cbae4403eb550414a3009

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
4944480fec89ba2f38a6dbfd84cadab1

SHA1
565dca669156a747be158880df2079d219cd7e99

SHA256
c3b885b0259c8c3c642366ea16bac04436011797b1114efc37998da08333cdb9

SHA512
186eade655571e87c68e7e41a327d266cd6fd5bd3727b3c14ad127245a799ef639fedb1ad769f40bf16be8cabf579371bcf27d16723bc626af358d64ac1fd7d6

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
4944480fec89ba2f38a6dbfd84cadab1

SHA1
565dca669156a747be158880df2079d219cd7e99

SHA256
c3b885b0259c8c3c642366ea16bac04436011797b1114efc37998da08333cdb9

SHA512
186eade655571e87c68e7e41a327d266cd6fd5bd3727b3c14ad127245a799ef639fedb1ad769f40bf16be8cabf579371bcf27d16723bc626af358d64ac1fd7d6

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
caccdada170888024d1ca266f7d3e697

SHA1
1bb0840d5bcdb304a00058c21ed02d4179e07992

SHA256
09fe71485450b8aefe633623f02efa74ff8f55be9b8a4ca5dd566b76fe1425c7

SHA512
ab79c63d31ecd0072a2ed23cdb7883d58268304a1a3fbb7e062d5b36685872efe9532fbc380b1e8f7a336413b900cbf8ad15225e94747a7a88c513b12c2c1031

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
caccdada170888024d1ca266f7d3e697

SHA1
1bb0840d5bcdb304a00058c21ed02d4179e07992

SHA256
09fe71485450b8aefe633623f02efa74ff8f55be9b8a4ca5dd566b76fe1425c7

SHA512
ab79c63d31ecd0072a2ed23cdb7883d58268304a1a3fbb7e062d5b36685872efe9532fbc380b1e8f7a336413b900cbf8ad15225e94747a7a88c513b12c2c1031

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
e8d98090bfb5a15aa18645b552e8b750

SHA1
19cc228d81051be88b7a999ab0637d5e7d635427

SHA256
9dd38c878fb8071957d964ccd307f1050f99ff5f8cd18149dc68500c691c1cf9

SHA512
711969b903047572a69d5ff3ab1dd5ddd8b1681dad6b22ec4452f2e1de136f77483db96b4993e902bba0cf46b038cad30115fc2d508726dbed98858376f9e59b

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
e8d98090bfb5a15aa18645b552e8b750

SHA1
19cc228d81051be88b7a999ab0637d5e7d635427

SHA256
9dd38c878fb8071957d964ccd307f1050f99ff5f8cd18149dc68500c691c1cf9

SHA512
711969b903047572a69d5ff3ab1dd5ddd8b1681dad6b22ec4452f2e1de136f77483db96b4993e902bba0cf46b038cad30115fc2d508726dbed98858376f9e59b

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
62c8e71721bf7d36354cc1deb37c0a5d

SHA1
f70d5d8644885ca767bf41bb5bcde73130edcf73

SHA256
fe5f11a6a94c3527810ee062ebc41bf727acb5c806b27117cdb0f62af5d76f6a

SHA512
076e881ee398a920ceb89982d80a4f765f4ef996b9538af3ead3acb9c8021d5a91a7ee990968a3f9ca931d07031aed8b9863ef4ce7f5b7d3781899e7ae49c9cb

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
62c8e71721bf7d36354cc1deb37c0a5d

SHA1
f70d5d8644885ca767bf41bb5bcde73130edcf73

SHA256
fe5f11a6a94c3527810ee062ebc41bf727acb5c806b27117cdb0f62af5d76f6a

SHA512
076e881ee398a920ceb89982d80a4f765f4ef996b9538af3ead3acb9c8021d5a91a7ee990968a3f9ca931d07031aed8b9863ef4ce7f5b7d3781899e7ae49c9cb

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
864d658f4022aeeefe4ea0e573d2968f

SHA1
f44fe02482f5c72e81cbcd490c0268df2bef9633

SHA256
a4b60efcb14cdbd7a6cddedfe5594bf54fa109b4a0f96c3d1f0fdd21efcfb349

SHA512
cc4582ef173b32e5cd96fc3d611aa0dd12495e4ddddc7f4923276e217ad24a95143b503f7497708a8eebdb21f6852b981cbdcb7f258198a22cd2e0b207915248

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
b4554ad030d9d565c2af443c774e11f0

SHA1
6fddb339d138321b5f2d29fd2b2119584dfe9e51

SHA256
05550dfc46e9452da9108fc702f8b04c4a28984e5e6e373c248438fbf9db0e71

SHA512
cff21a66294c2d1834823916f667d494d90dcb99a423310b606b9ea3e495cfb9a14dfe53bc927b8c03faf0748eb6c9851b74734a2b52c7867c04aba53757a868

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
b4554ad030d9d565c2af443c774e11f0

SHA1
6fddb339d138321b5f2d29fd2b2119584dfe9e51

SHA256
05550dfc46e9452da9108fc702f8b04c4a28984e5e6e373c248438fbf9db0e71

SHA512
cff21a66294c2d1834823916f667d494d90dcb99a423310b606b9ea3e495cfb9a14dfe53bc927b8c03faf0748eb6c9851b74734a2b52c7867c04aba53757a868

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
13516ffdcc485846cdd9330293689d71

SHA1
fc38a801dfeff05db9fce071160e98397f3c0db5

SHA256
b30020d568425605a5d2dbf9b712298c7264396aea06818fe51ee2c246a5370e

SHA512
0928c99d20297435f6b5c713b90025c6e7635b5efd9e29e424d36ee59a8e7d9396913de033fabd0923732f425c2ecb1ca0ac0676a53467d5f5c67bf06efb2220

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
13516ffdcc485846cdd9330293689d71

SHA1
fc38a801dfeff05db9fce071160e98397f3c0db5

SHA256
b30020d568425605a5d2dbf9b712298c7264396aea06818fe51ee2c246a5370e

SHA512
0928c99d20297435f6b5c713b90025c6e7635b5efd9e29e424d36ee59a8e7d9396913de033fabd0923732f425c2ecb1ca0ac0676a53467d5f5c67bf06efb2220

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
d5d640e12f7d285211856f15e5bb34c8

SHA1
779d033e774524e3ac898b6cad075dfed4251a59

SHA256
7440ad3e318eb0a250b8cccffa65c7f28c9602dbc3dcd3345aa54cad56cceafd

SHA512
faffec438a869022799e99f54ed1d09c2d470bcc9c9a907b5625bcf2c7cd50d493e6e14b442363f1f8e8cab0a95cd15a94d6530cab36147290ba5eccf583631f

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
d5d640e12f7d285211856f15e5bb34c8

SHA1
779d033e774524e3ac898b6cad075dfed4251a59

SHA256
7440ad3e318eb0a250b8cccffa65c7f28c9602dbc3dcd3345aa54cad56cceafd

SHA512
faffec438a869022799e99f54ed1d09c2d470bcc9c9a907b5625bcf2c7cd50d493e6e14b442363f1f8e8cab0a95cd15a94d6530cab36147290ba5eccf583631f

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
4b42d2394dc36badfeaba91170d50925

SHA1
954f4231650a930704bc65ad89ef82ef085168c1

SHA256
00b16a301b5aa0e5fd7cc49cd99aea74a3729cd0e6da081e32f2b9456350dc25

SHA512
d36840e07e63cc77251b285b7c5cd5c9c2629557dc57567274aff82a603e66388721763a551bccf590498a5b6854a62cb83a5db74d3fcc5a13bd3b6f3d2d74cb

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
4b42d2394dc36badfeaba91170d50925

SHA1
954f4231650a930704bc65ad89ef82ef085168c1

SHA256
00b16a301b5aa0e5fd7cc49cd99aea74a3729cd0e6da081e32f2b9456350dc25

SHA512
d36840e07e63cc77251b285b7c5cd5c9c2629557dc57567274aff82a603e66388721763a551bccf590498a5b6854a62cb83a5db74d3fcc5a13bd3b6f3d2d74cb

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
a2e95b5f5c6f3a067a589899d6723cad

SHA1
f5a7269971a6267552e3783d9e936c18e7204f6b

SHA256
b19d02292ff0508b341197d667e9f1a092bcbe8cf1fb15a36fdbc900a86b7657

SHA512
10e4c14fe6b3b5c0ee4b0620583be72390bb15c5abccd39bc2247fc0478974746b8b524564665f918589da91642461f24220d515aad973c4d7ce51bca03a9c17

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
a2e95b5f5c6f3a067a589899d6723cad

SHA1
f5a7269971a6267552e3783d9e936c18e7204f6b

SHA256
b19d02292ff0508b341197d667e9f1a092bcbe8cf1fb15a36fdbc900a86b7657

SHA512
10e4c14fe6b3b5c0ee4b0620583be72390bb15c5abccd39bc2247fc0478974746b8b524564665f918589da91642461f24220d515aad973c4d7ce51bca03a9c17

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
8a753bed9e56ada7aadc6ea21664b6b0

SHA1
056dc2cf4e0d3b6e62cd2d1799b1c909152f740e

SHA256
70f20c2d7748f4617318dd2aff6bb82ee7e101345f9ed79f481a647bdb25717f

SHA512
aacb9c7bc0c21dc40b0a951406b308e624a3d7d409697ef025a6e2ff246eef28ee2f060bbbd713aa398cc975d12fcc7baacd4d5fca2c9d9090ef89a7ef788991

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
8a753bed9e56ada7aadc6ea21664b6b0

SHA1
056dc2cf4e0d3b6e62cd2d1799b1c909152f740e

SHA256
70f20c2d7748f4617318dd2aff6bb82ee7e101345f9ed79f481a647bdb25717f

SHA512
aacb9c7bc0c21dc40b0a951406b308e624a3d7d409697ef025a6e2ff246eef28ee2f060bbbd713aa398cc975d12fcc7baacd4d5fca2c9d9090ef89a7ef788991

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
13516ffdcc485846cdd9330293689d71

SHA1
fc38a801dfeff05db9fce071160e98397f3c0db5

SHA256
b30020d568425605a5d2dbf9b712298c7264396aea06818fe51ee2c246a5370e

SHA512
0928c99d20297435f6b5c713b90025c6e7635b5efd9e29e424d36ee59a8e7d9396913de033fabd0923732f425c2ecb1ca0ac0676a53467d5f5c67bf06efb2220

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
13516ffdcc485846cdd9330293689d71

SHA1
fc38a801dfeff05db9fce071160e98397f3c0db5

SHA256
b30020d568425605a5d2dbf9b712298c7264396aea06818fe51ee2c246a5370e

SHA512
0928c99d20297435f6b5c713b90025c6e7635b5efd9e29e424d36ee59a8e7d9396913de033fabd0923732f425c2ecb1ca0ac0676a53467d5f5c67bf06efb2220

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
b49bcb998d2ed2d28a2f143cdfdbe4b7

SHA1
1c568c90deed36a876c214f1fc32a44215924810

SHA256
b293020935a3f8200625368193d2d2eaa275fa9174ce4e344ee8e6929f03251f

SHA512
d0189a92606a27be22e5a6161f8c049dfd5b464a4902cdd00cae09b0c51f1e4ca553c8632c95b6541f4a65b7ed5c424d2a7ddf5277e6d7c0d7659f3a1172cb52

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
b49bcb998d2ed2d28a2f143cdfdbe4b7

SHA1
1c568c90deed36a876c214f1fc32a44215924810

SHA256
b293020935a3f8200625368193d2d2eaa275fa9174ce4e344ee8e6929f03251f

SHA512
d0189a92606a27be22e5a6161f8c049dfd5b464a4902cdd00cae09b0c51f1e4ca553c8632c95b6541f4a65b7ed5c424d2a7ddf5277e6d7c0d7659f3a1172cb52

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
b49bcb998d2ed2d28a2f143cdfdbe4b7

SHA1
1c568c90deed36a876c214f1fc32a44215924810

SHA256
b293020935a3f8200625368193d2d2eaa275fa9174ce4e344ee8e6929f03251f

SHA512
d0189a92606a27be22e5a6161f8c049dfd5b464a4902cdd00cae09b0c51f1e4ca553c8632c95b6541f4a65b7ed5c424d2a7ddf5277e6d7c0d7659f3a1172cb52

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
b49bcb998d2ed2d28a2f143cdfdbe4b7

SHA1
1c568c90deed36a876c214f1fc32a44215924810

SHA256
b293020935a3f8200625368193d2d2eaa275fa9174ce4e344ee8e6929f03251f

SHA512
d0189a92606a27be22e5a6161f8c049dfd5b464a4902cdd00cae09b0c51f1e4ca553c8632c95b6541f4a65b7ed5c424d2a7ddf5277e6d7c0d7659f3a1172cb52

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\System Restore.exe

Filesize
72KB

MD5
b49bcb998d2ed2d28a2f143cdfdbe4b7

SHA1
1c568c90deed36a876c214f1fc32a44215924810

SHA256
b293020935a3f8200625368193d2d2eaa275fa9174ce4e344ee8e6929f03251f

SHA512
d0189a92606a27be22e5a6161f8c049dfd5b464a4902cdd00cae09b0c51f1e4ca553c8632c95b6541f4a65b7ed5c424d2a7ddf5277e6d7c0d7659f3a1172cb52

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\System Restore.exe

Filesize
72KB

MD5
b49bcb998d2ed2d28a2f143cdfdbe4b7

SHA1
1c568c90deed36a876c214f1fc32a44215924810

SHA256
b293020935a3f8200625368193d2d2eaa275fa9174ce4e344ee8e6929f03251f

SHA512
d0189a92606a27be22e5a6161f8c049dfd5b464a4902cdd00cae09b0c51f1e4ca553c8632c95b6541f4a65b7ed5c424d2a7ddf5277e6d7c0d7659f3a1172cb52

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
b49bcb998d2ed2d28a2f143cdfdbe4b7

SHA1
1c568c90deed36a876c214f1fc32a44215924810

SHA256
b293020935a3f8200625368193d2d2eaa275fa9174ce4e344ee8e6929f03251f

SHA512
d0189a92606a27be22e5a6161f8c049dfd5b464a4902cdd00cae09b0c51f1e4ca553c8632c95b6541f4a65b7ed5c424d2a7ddf5277e6d7c0d7659f3a1172cb52

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
b49bcb998d2ed2d28a2f143cdfdbe4b7

SHA1
1c568c90deed36a876c214f1fc32a44215924810

SHA256
b293020935a3f8200625368193d2d2eaa275fa9174ce4e344ee8e6929f03251f

SHA512
d0189a92606a27be22e5a6161f8c049dfd5b464a4902cdd00cae09b0c51f1e4ca553c8632c95b6541f4a65b7ed5c424d2a7ddf5277e6d7c0d7659f3a1172cb52

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
0abb21a39bcb2c0a33e129f55b972af2

SHA1
34a5fd92c621c37d55b81851de24d7e6ace8e0ab

SHA256
18e50e149a3bb05c601e60e6281f4d81816b2365a86fc6b68e72b46bfef65fe6

SHA512
bd9fe76d4c363982c5ccf89d5e2e716f0d131f4e397d23ec82301a1028c855141a2bc205e6a4b72551268d143678e9db2019f8fda4e0333eaa4fa82de62735ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
0abb21a39bcb2c0a33e129f55b972af2

SHA1
34a5fd92c621c37d55b81851de24d7e6ace8e0ab

SHA256
18e50e149a3bb05c601e60e6281f4d81816b2365a86fc6b68e72b46bfef65fe6

SHA512
bd9fe76d4c363982c5ccf89d5e2e716f0d131f4e397d23ec82301a1028c855141a2bc205e6a4b72551268d143678e9db2019f8fda4e0333eaa4fa82de62735ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
5193ddeb20ffa0b82220f505ed567acc

SHA1
e8bca817701d731d0e1fa4af9359a435a4eef25e

SHA256
a5cfd380fc5ddb1e5b028e6fd5b60b590f79569870a8c97e414dba70bfc6fef5

SHA512
df67e32f449d78216a14d11beab0c6e61d6c73ff6b1bc5b53f5a2bab9d2894449542a2fc6c763c43f64dc3e853dde321c836ff8d962da0c45e6adfffab5d304a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
5193ddeb20ffa0b82220f505ed567acc

SHA1
e8bca817701d731d0e1fa4af9359a435a4eef25e

SHA256
a5cfd380fc5ddb1e5b028e6fd5b60b590f79569870a8c97e414dba70bfc6fef5

SHA512
df67e32f449d78216a14d11beab0c6e61d6c73ff6b1bc5b53f5a2bab9d2894449542a2fc6c763c43f64dc3e853dde321c836ff8d962da0c45e6adfffab5d304a

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
15ad2fdeb9a0c301627475565414c947

SHA1
9b81af6f4f670079c502b8a6ec1423a906825059

SHA256
fd1fc1517145c5013de7835b2bcdf53b79e82aff0125510533659b00bc48a7fa

SHA512
392873abd055b2191594d19048cd0e592de56fb040f31262c03d67ff712e5e01123bc6690182c1e03eb29599244679bf82dcc900522cd946df40b8d216063069

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
3987983ff56695c924104f8bce5d0f12

SHA1
964fea3f188aacf9c4c74e8d092cb199998413f3

SHA256
d818d01ab08781590840add1019665d41a659c58390ac52c4128f414c738ddf9

SHA512
02b6782985ef6111830e7b5cc2015f72d6881554f87a2399de3b5794494dafba1cdfb82553a7e77067e04c2e6cf48984fc252324b0c2efbd447c93c907a62ebd

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
3987983ff56695c924104f8bce5d0f12

SHA1
964fea3f188aacf9c4c74e8d092cb199998413f3

SHA256
d818d01ab08781590840add1019665d41a659c58390ac52c4128f414c738ddf9

SHA512
02b6782985ef6111830e7b5cc2015f72d6881554f87a2399de3b5794494dafba1cdfb82553a7e77067e04c2e6cf48984fc252324b0c2efbd447c93c907a62ebd

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
fc86aeed2554f855c10a9da2b2c04aaf

SHA1
e05a76f0b91c53526776b23fc81ec9b27b498a88

SHA256
07ff7b7b610b7c5c78b77e783845f0e6dee93746dbf94b4036ca1e3285fe1b92

SHA512
b50b99b6ed3468dce5cfa2f63dfe3260c194661c26ddb52ba58f1220fd0a266c389264fa5d85473170ec3da0297419ce68d61f162822a8383872efe0b452e5ef

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
fc86aeed2554f855c10a9da2b2c04aaf

SHA1
e05a76f0b91c53526776b23fc81ec9b27b498a88

SHA256
07ff7b7b610b7c5c78b77e783845f0e6dee93746dbf94b4036ca1e3285fe1b92

SHA512
b50b99b6ed3468dce5cfa2f63dfe3260c194661c26ddb52ba58f1220fd0a266c389264fa5d85473170ec3da0297419ce68d61f162822a8383872efe0b452e5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\20289159\backup.exe

Filesize
72KB

MD5
dae14c1af9db96b39cc33a8c12f905e5

SHA1
c3fb744c8f708afde54a04dff8fb027722920cb5

SHA256
e1bec7ebaddd821ae198581290df8264bae5bbf1bcb96e9261143cefdab4824e

SHA512
2d2382bbd69447d599450b557486a59e9424f727fd35f01684573e1e1591f724858194bcb11c38676d288f2edfa72a493846d42e97b658eb224605157819e50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\20289159\backup.exe

Filesize
72KB

MD5
dae14c1af9db96b39cc33a8c12f905e5

SHA1
c3fb744c8f708afde54a04dff8fb027722920cb5

SHA256
e1bec7ebaddd821ae198581290df8264bae5bbf1bcb96e9261143cefdab4824e

SHA512
2d2382bbd69447d599450b557486a59e9424f727fd35f01684573e1e1591f724858194bcb11c38676d288f2edfa72a493846d42e97b658eb224605157819e50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
468812eba0e89f64109d0f1e658d7df7

SHA1
257bb93b7ae7348c0db958cdd2732650828d1bc8

SHA256
e53c83330a8a57b4c05212b660ef229608b333ec0317fa2a153503c8d0fb6b0f

SHA512
82e9510d51d2c74078be284b1eeaab60ccada194af68a14b20018462356fe3e255e4b19f2774f5efe7f22a5832c137cd345499838d6e6a9f90ee1b3d8c1b3688

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
468812eba0e89f64109d0f1e658d7df7

SHA1
257bb93b7ae7348c0db958cdd2732650828d1bc8

SHA256
e53c83330a8a57b4c05212b660ef229608b333ec0317fa2a153503c8d0fb6b0f

SHA512
82e9510d51d2c74078be284b1eeaab60ccada194af68a14b20018462356fe3e255e4b19f2774f5efe7f22a5832c137cd345499838d6e6a9f90ee1b3d8c1b3688

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
468812eba0e89f64109d0f1e658d7df7

SHA1
257bb93b7ae7348c0db958cdd2732650828d1bc8

SHA256
e53c83330a8a57b4c05212b660ef229608b333ec0317fa2a153503c8d0fb6b0f

SHA512
82e9510d51d2c74078be284b1eeaab60ccada194af68a14b20018462356fe3e255e4b19f2774f5efe7f22a5832c137cd345499838d6e6a9f90ee1b3d8c1b3688

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
468812eba0e89f64109d0f1e658d7df7

SHA1
257bb93b7ae7348c0db958cdd2732650828d1bc8

SHA256
e53c83330a8a57b4c05212b660ef229608b333ec0317fa2a153503c8d0fb6b0f

SHA512
82e9510d51d2c74078be284b1eeaab60ccada194af68a14b20018462356fe3e255e4b19f2774f5efe7f22a5832c137cd345499838d6e6a9f90ee1b3d8c1b3688

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
038f75177340993744b162e2ca16459e

SHA1
15de212640ec40c66c17fb8cf6be21e1ed03cc96

SHA256
db71a8b316ab172a02ebd6c6686709ed24a34141712739a6c0ec269def918085

SHA512
279e475bd3e637e19a01e3a00e5fcc958baa2182f0f219aecfdd05eb39d56c4835ea49d98cf3aa3f4626fdb7f01a69a59e3c53945dc77f073080965d1892c1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
038f75177340993744b162e2ca16459e

SHA1
15de212640ec40c66c17fb8cf6be21e1ed03cc96

SHA256
db71a8b316ab172a02ebd6c6686709ed24a34141712739a6c0ec269def918085

SHA512
279e475bd3e637e19a01e3a00e5fcc958baa2182f0f219aecfdd05eb39d56c4835ea49d98cf3aa3f4626fdb7f01a69a59e3c53945dc77f073080965d1892c1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
c38c417888b43cf68c8196b3dcaa185f

SHA1
ebe5f52b3efebb555911c67a1ea0fed4321035b4

SHA256
963b46652ec874c377b92e7ae2b3819b841408fc809e06d98284bb43429339b0

SHA512
d779a5900e9ca13371dbc1ccdb76587b68f70fa23b785af40a74f2f1129e10b1ead459d26f5ab395e3ee0bca19fd6e4c753d20e80c79efafd20b3e8fe17d5c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
c38c417888b43cf68c8196b3dcaa185f

SHA1
ebe5f52b3efebb555911c67a1ea0fed4321035b4

SHA256
963b46652ec874c377b92e7ae2b3819b841408fc809e06d98284bb43429339b0

SHA512
d779a5900e9ca13371dbc1ccdb76587b68f70fa23b785af40a74f2f1129e10b1ead459d26f5ab395e3ee0bca19fd6e4c753d20e80c79efafd20b3e8fe17d5c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
468812eba0e89f64109d0f1e658d7df7

SHA1
257bb93b7ae7348c0db958cdd2732650828d1bc8

SHA256
e53c83330a8a57b4c05212b660ef229608b333ec0317fa2a153503c8d0fb6b0f

SHA512
82e9510d51d2c74078be284b1eeaab60ccada194af68a14b20018462356fe3e255e4b19f2774f5efe7f22a5832c137cd345499838d6e6a9f90ee1b3d8c1b3688

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
468812eba0e89f64109d0f1e658d7df7

SHA1
257bb93b7ae7348c0db958cdd2732650828d1bc8

SHA256
e53c83330a8a57b4c05212b660ef229608b333ec0317fa2a153503c8d0fb6b0f

SHA512
82e9510d51d2c74078be284b1eeaab60ccada194af68a14b20018462356fe3e255e4b19f2774f5efe7f22a5832c137cd345499838d6e6a9f90ee1b3d8c1b3688

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
038f75177340993744b162e2ca16459e

SHA1
15de212640ec40c66c17fb8cf6be21e1ed03cc96

SHA256
db71a8b316ab172a02ebd6c6686709ed24a34141712739a6c0ec269def918085

SHA512
279e475bd3e637e19a01e3a00e5fcc958baa2182f0f219aecfdd05eb39d56c4835ea49d98cf3aa3f4626fdb7f01a69a59e3c53945dc77f073080965d1892c1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
038f75177340993744b162e2ca16459e

SHA1
15de212640ec40c66c17fb8cf6be21e1ed03cc96

SHA256
db71a8b316ab172a02ebd6c6686709ed24a34141712739a6c0ec269def918085

SHA512
279e475bd3e637e19a01e3a00e5fcc958baa2182f0f219aecfdd05eb39d56c4835ea49d98cf3aa3f4626fdb7f01a69a59e3c53945dc77f073080965d1892c1bc

Download Submit
C:\backup.exe

Filesize
72KB

MD5
6feb11fa18a2a1496f385131d26b9a9e

SHA1
618b022b05adb58ec512bf5b502e08fa264f47cc

SHA256
b10a4b7b5fcec94ae70e2cb732a70ff0d66d05e21957d221b8ac310234cf4bf3

SHA512
32adbf2942ec4d3044c92c434f23fab6e1a988496870449a9fd4ca67473c4d3beb8ef8249dcb8d9e31519bf34852d06b2b73c1353014650b36470b1d41f9a755

Download Submit
C:\backup.exe

Filesize
72KB

MD5
6feb11fa18a2a1496f385131d26b9a9e

SHA1
618b022b05adb58ec512bf5b502e08fa264f47cc

SHA256
b10a4b7b5fcec94ae70e2cb732a70ff0d66d05e21957d221b8ac310234cf4bf3

SHA512
32adbf2942ec4d3044c92c434f23fab6e1a988496870449a9fd4ca67473c4d3beb8ef8249dcb8d9e31519bf34852d06b2b73c1353014650b36470b1d41f9a755

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
2c4db890d1253388c953fc121175943e

SHA1
0c5cd9167cfe51e72e967de6bd4749a465f42fde

SHA256
cf4b86faef72eae30786549599ea06b796fc0a3486a029ae032d2cff681f6486

SHA512
c71f15119a0cda052f0c27f4251150b71bf7a6bbf4b96f8dd42e66d9aa2a93bcb3367475576520a0e3efef78a2cf7cb26ad87d29c4a0adbeb1aa1139a378bf68

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
2c4db890d1253388c953fc121175943e

SHA1
0c5cd9167cfe51e72e967de6bd4749a465f42fde

SHA256
cf4b86faef72eae30786549599ea06b796fc0a3486a029ae032d2cff681f6486

SHA512
c71f15119a0cda052f0c27f4251150b71bf7a6bbf4b96f8dd42e66d9aa2a93bcb3367475576520a0e3efef78a2cf7cb26ad87d29c4a0adbeb1aa1139a378bf68

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads