82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0

Analysis

max time kernel
245s
max time network
268s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe
Size

72KB
MD5

6ee8901036273e80f7c593691800a76f
SHA1

d389a8b3a15f85f1be0ea791cf99850279331784
SHA256

82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0
SHA512

ca5450f21a81dea6edc013b048b2e9ba55661a1f7c54dfe60d5309028d6c1c92ab42a051848fd88eb032f09db317ec89bbe29d7d05154b427e36063ed74ab95a
SSDEEP

384:N6wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oGc:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRr5

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe

Executes dropped EXE 64 IoCs

pid	Process
3584	backup.exe
3404	backup.exe
4412	backup.exe
4104	backup.exe
888	backup.exe
5064	backup.exe
2200	backup.exe
3828	update.exe
3556	backup.exe
2416	backup.exe
2316	backup.exe
2924	backup.exe
4580	backup.exe
3392	backup.exe
4524	backup.exe
4528	backup.exe
1164	System Restore.exe
1680	backup.exe
4556	backup.exe
4000	backup.exe
2136	backup.exe
1828	backup.exe
2336	backup.exe
4028	backup.exe
3724	backup.exe
2448	backup.exe
4920	backup.exe
4644	backup.exe
4560	backup.exe
3464	System Restore.exe
484	backup.exe
2480	backup.exe
2936	backup.exe
1260	backup.exe
2356	backup.exe
4216	backup.exe
5012	backup.exe
4940	backup.exe
2428	backup.exe
1312	backup.exe
4660	backup.exe
1940	backup.exe
2824	backup.exe
4408	backup.exe
3796	backup.exe
3756	backup.exe
3556	backup.exe
4116	backup.exe
1456	backup.exe
2316	backup.exe
2924	backup.exe
2588	backup.exe
1836	backup.exe
5072	backup.exe
4424	backup.exe
2176	backup.exe
5000	System Restore.exe
3208	backup.exe
3724	backup.exe
1692	backup.exe
3196	backup.exe
3236	backup.exe
4404	backup.exe
2100	System Restore.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\data.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\update.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe
3584	backup.exe
3404	backup.exe
4412	backup.exe
4104	backup.exe
888	backup.exe
5064	backup.exe
3828	update.exe
2200	backup.exe
3556	backup.exe
2416	backup.exe
2316	backup.exe
2924	backup.exe
4580	backup.exe
3392	backup.exe
4524	backup.exe
4528	backup.exe
1164	System Restore.exe
1680	backup.exe
4556	backup.exe
4000	backup.exe
2136	backup.exe
1828	backup.exe
2336	backup.exe
4028	backup.exe
3724	backup.exe
2448	backup.exe
4920	backup.exe
4644	backup.exe
4560	backup.exe
3464	System Restore.exe
484	backup.exe
2480	backup.exe
2936	backup.exe
1260	backup.exe
4216	backup.exe
2356	backup.exe
4940	backup.exe
5012	backup.exe
2428	backup.exe
1312	backup.exe
4408	backup.exe
3796	backup.exe
2824	backup.exe
4660	backup.exe
3756	backup.exe
1940	backup.exe
3556	backup.exe
4116	backup.exe
1456	backup.exe
2316	backup.exe
2924	backup.exe
1836	backup.exe
2588	backup.exe
5072	backup.exe
4424	backup.exe
2176	backup.exe
5000	System Restore.exe
3208	backup.exe
3724	backup.exe
1692	backup.exe
3196	backup.exe
3236	backup.exe
4404	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 3584	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	81
PID 3600 wrote to memory of 3584	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	81
PID 3600 wrote to memory of 3584	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	81
PID 3600 wrote to memory of 3404	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	82
PID 3600 wrote to memory of 3404	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	82
PID 3600 wrote to memory of 3404	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	82
PID 3600 wrote to memory of 4412	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	83
PID 3600 wrote to memory of 4412	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	83
PID 3600 wrote to memory of 4412	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	83
PID 3584 wrote to memory of 4104	3584	backup.exe	84
PID 3584 wrote to memory of 4104	3584	backup.exe	84
PID 3584 wrote to memory of 4104	3584	backup.exe	84
PID 4104 wrote to memory of 888	4104	backup.exe	85
PID 4104 wrote to memory of 888	4104	backup.exe	85
PID 4104 wrote to memory of 888	4104	backup.exe	85
PID 3600 wrote to memory of 5064	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	86
PID 3600 wrote to memory of 5064	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	86
PID 3600 wrote to memory of 5064	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	86
PID 3600 wrote to memory of 3828	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	88
PID 3600 wrote to memory of 3828	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	88
PID 3600 wrote to memory of 3828	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	88
PID 4104 wrote to memory of 2200	4104	backup.exe	87
PID 4104 wrote to memory of 2200	4104	backup.exe	87
PID 4104 wrote to memory of 2200	4104	backup.exe	87
PID 4104 wrote to memory of 2416	4104	backup.exe	89
PID 4104 wrote to memory of 2416	4104	backup.exe	89
PID 4104 wrote to memory of 2416	4104	backup.exe	89
PID 3600 wrote to memory of 3556	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	90
PID 3600 wrote to memory of 3556	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	90
PID 3600 wrote to memory of 3556	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	90
PID 3600 wrote to memory of 2316	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	91
PID 3600 wrote to memory of 2316	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	91
PID 3600 wrote to memory of 2316	3600	82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe	91
PID 2416 wrote to memory of 2924	2416	backup.exe	92
PID 2416 wrote to memory of 2924	2416	backup.exe	92
PID 2416 wrote to memory of 2924	2416	backup.exe	92
PID 2924 wrote to memory of 4580	2924	backup.exe	93
PID 2924 wrote to memory of 4580	2924	backup.exe	93
PID 2924 wrote to memory of 4580	2924	backup.exe	93
PID 2416 wrote to memory of 3392	2416	backup.exe	94
PID 2416 wrote to memory of 3392	2416	backup.exe	94
PID 2416 wrote to memory of 3392	2416	backup.exe	94
PID 3392 wrote to memory of 4524	3392	backup.exe	95
PID 3392 wrote to memory of 4524	3392	backup.exe	95
PID 3392 wrote to memory of 4524	3392	backup.exe	95
PID 3392 wrote to memory of 4528	3392	backup.exe	96
PID 3392 wrote to memory of 4528	3392	backup.exe	96
PID 3392 wrote to memory of 4528	3392	backup.exe	96
PID 4528 wrote to memory of 1164	4528	backup.exe	97
PID 4528 wrote to memory of 1164	4528	backup.exe	97
PID 4528 wrote to memory of 1164	4528	backup.exe	97
PID 4528 wrote to memory of 1680	4528	backup.exe	98
PID 4528 wrote to memory of 1680	4528	backup.exe	98
PID 4528 wrote to memory of 1680	4528	backup.exe	98
PID 1680 wrote to memory of 4556	1680	backup.exe	99
PID 1680 wrote to memory of 4556	1680	backup.exe	99
PID 1680 wrote to memory of 4556	1680	backup.exe	99
PID 1680 wrote to memory of 4000	1680	backup.exe	100
PID 1680 wrote to memory of 4000	1680	backup.exe	100
PID 1680 wrote to memory of 4000	1680	backup.exe	100
PID 1680 wrote to memory of 2136	1680	backup.exe	101
PID 1680 wrote to memory of 2136	1680	backup.exe	101
PID 1680 wrote to memory of 2136	1680	backup.exe	101
PID 1680 wrote to memory of 1828	1680	backup.exe	102

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe
"C:\Users\Admin\AppData\Local\Temp\82bd618ba93333abe51770e9416a894390f2e834bb9638cccbc3ca853b9f3bd0.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Users\Admin\AppData\Local\Temp\1554202410\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1554202410\backup.exe C:\Users\Admin\AppData\Local\Temp\1554202410\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3584
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4104
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:888
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2200
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2416
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4580
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3392
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4524
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1680
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4556
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4000
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2336
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4028
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3724
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2448
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4920
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4644
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4560
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3464
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:484
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1260
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3756
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5072
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3724
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4888
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        System policy modification
        
        PID:2060
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2924
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:4008
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:3864
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\data.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3404
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1956
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4872
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:4660
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:3732
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4216
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4660
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2924
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\System Restore.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5000
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4884
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5064
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        System policy modification
        
        PID:2380
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3592
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\System Restore.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:2100
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2536
        
        C:\Program Files\Common Files\microsoft shared\Stationery\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\update.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:3028
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4080
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2168
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:4140
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:4436
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2936
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5012
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3796
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3556
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1836
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3208
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4648
        
        C:\Program Files\Common Files\System\ado\it-IT\data.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\data.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4260
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:4244
        
        C:\Program Files\Common Files\System\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\System\de-DE\System Restore.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        System policy modification
        
        PID:3464
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:3232
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:5104
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2244
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1672
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:3028
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        System policy modification
        
        PID:3668
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2480
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4940
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2588
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4424
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4404
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4112
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        System policy modification
        
        PID:2304
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:1968
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3204
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:3696
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:344
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:632
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1312
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2824
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2316
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3196
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4820
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        System policy modification
        
        PID:308
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        System policy modification
        
        PID:4408
      - C:\Program Files\Internet Explorer\ja-JP\data.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\data.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:4512
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:1736
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:208
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        System policy modification
        
        PID:3612
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3724
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4788
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        
        PID:4336
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\update.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        
        PID:3392
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        
        PID:4836
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3640
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:1360
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        
        PID:420
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:4924
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2356
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4408
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:4964
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3672
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:3668
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1536
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:1788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4484
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3656
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:2804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:3940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:4780
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:4560
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2820
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:3388
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1200
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\data.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:760
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:632
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:1952
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:4536
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2268
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3196
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2372
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:4912
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:4404
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3600
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2176
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:4296
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:3608
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3236
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2088
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3492
      - C:\Users\Admin\Contacts\System Restore.exe
        
        "C:\Users\Admin\Contacts\System Restore.exe" C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1156
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1940
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:3272
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:4104
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2096
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:636
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:4364
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4664
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:952
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      System policy modification
      PID:5052
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:4664
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:4424
      - C:\Windows\appcompat\appraiser\update.exe
        
        C:\Windows\appcompat\appraiser\update.exe C:\Windows\appcompat\appraiser\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        System policy modification
        
        PID:2100
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:4820
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:1640
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3404
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4412
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5064
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3828
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3556
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
63472ceb6d70081d90e9adb4a11f1f3e

SHA1
9bc7c7090de09102bfc1e073a33329b1791887b0

SHA256
d2d524070772593d45757fe34db584b61fb59bf2b735db242a5fe72a663fbb95

SHA512
c166bba40369e41db312d72263c936b5320f10bf5f10cd85f9d9af541d520b2cc74996b6b72cbbf41e36dea3b3416a839a358f1e4d7924a0a441dab92e44f627

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
63472ceb6d70081d90e9adb4a11f1f3e

SHA1
9bc7c7090de09102bfc1e073a33329b1791887b0

SHA256
d2d524070772593d45757fe34db584b61fb59bf2b735db242a5fe72a663fbb95

SHA512
c166bba40369e41db312d72263c936b5320f10bf5f10cd85f9d9af541d520b2cc74996b6b72cbbf41e36dea3b3416a839a358f1e4d7924a0a441dab92e44f627

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
4bf1ba6561616382dc7a22622c26dffb

SHA1
013882189b8ce81474e5ccdb7d442836c6d985a6

SHA256
efa9707cc17c9a7c5cfb6b8e5b5aa4a347f25da5fa88ebfd5ab815a74c0f886c

SHA512
dd29446da8ce901e14e124c2d194f2bf83c99e68f5e0901f5a283f35ecd809e0433e2d1ec8385bb75af6b0a3e22a80dda13aaed43a5d342711c35ed616f417eb

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
4bf1ba6561616382dc7a22622c26dffb

SHA1
013882189b8ce81474e5ccdb7d442836c6d985a6

SHA256
efa9707cc17c9a7c5cfb6b8e5b5aa4a347f25da5fa88ebfd5ab815a74c0f886c

SHA512
dd29446da8ce901e14e124c2d194f2bf83c99e68f5e0901f5a283f35ecd809e0433e2d1ec8385bb75af6b0a3e22a80dda13aaed43a5d342711c35ed616f417eb

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
8b11b157d8656f0e72056866fc178466

SHA1
166b5142939e8193f1d0c9ef30b9c694f890c66c

SHA256
9b3eb627768c32d23d7dab9d097b5102478dcc5d93b6fdd86e5dca648daf12b8

SHA512
3e3c7ea3daa46bc418c7ffbdd39bb9c6d8d4b18d923b416cd81115a59d8e4a21dd70bd824f559df07612874649c83deefdb3ea70758eabfeca19487010e9532a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
8b11b157d8656f0e72056866fc178466

SHA1
166b5142939e8193f1d0c9ef30b9c694f890c66c

SHA256
9b3eb627768c32d23d7dab9d097b5102478dcc5d93b6fdd86e5dca648daf12b8

SHA512
3e3c7ea3daa46bc418c7ffbdd39bb9c6d8d4b18d923b416cd81115a59d8e4a21dd70bd824f559df07612874649c83deefdb3ea70758eabfeca19487010e9532a

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
4bf1ba6561616382dc7a22622c26dffb

SHA1
013882189b8ce81474e5ccdb7d442836c6d985a6

SHA256
efa9707cc17c9a7c5cfb6b8e5b5aa4a347f25da5fa88ebfd5ab815a74c0f886c

SHA512
dd29446da8ce901e14e124c2d194f2bf83c99e68f5e0901f5a283f35ecd809e0433e2d1ec8385bb75af6b0a3e22a80dda13aaed43a5d342711c35ed616f417eb

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
4bf1ba6561616382dc7a22622c26dffb

SHA1
013882189b8ce81474e5ccdb7d442836c6d985a6

SHA256
efa9707cc17c9a7c5cfb6b8e5b5aa4a347f25da5fa88ebfd5ab815a74c0f886c

SHA512
dd29446da8ce901e14e124c2d194f2bf83c99e68f5e0901f5a283f35ecd809e0433e2d1ec8385bb75af6b0a3e22a80dda13aaed43a5d342711c35ed616f417eb

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
8b11b157d8656f0e72056866fc178466

SHA1
166b5142939e8193f1d0c9ef30b9c694f890c66c

SHA256
9b3eb627768c32d23d7dab9d097b5102478dcc5d93b6fdd86e5dca648daf12b8

SHA512
3e3c7ea3daa46bc418c7ffbdd39bb9c6d8d4b18d923b416cd81115a59d8e4a21dd70bd824f559df07612874649c83deefdb3ea70758eabfeca19487010e9532a

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
8b11b157d8656f0e72056866fc178466

SHA1
166b5142939e8193f1d0c9ef30b9c694f890c66c

SHA256
9b3eb627768c32d23d7dab9d097b5102478dcc5d93b6fdd86e5dca648daf12b8

SHA512
3e3c7ea3daa46bc418c7ffbdd39bb9c6d8d4b18d923b416cd81115a59d8e4a21dd70bd824f559df07612874649c83deefdb3ea70758eabfeca19487010e9532a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\System Restore.exe

Filesize
72KB

MD5
875ce27f8c895fc80900767c018e11ec

SHA1
71c10f5482d93a40e4a3640cad05bfff5b0866d1

SHA256
d54fc2d35805b4eb71673fee559adc18803dfe120f944f82ae32ed50ae49df77

SHA512
0e4e47cf0f48b6c5d83fa8ca2fad50f489d5b119a4f9c7ac7c5964412c12277500659c0d1ad3330d7ec1925d6e9d6d34f487c9f85cc40e75f7d46d50cd9c05cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\System Restore.exe

Filesize
72KB

MD5
875ce27f8c895fc80900767c018e11ec

SHA1
71c10f5482d93a40e4a3640cad05bfff5b0866d1

SHA256
d54fc2d35805b4eb71673fee559adc18803dfe120f944f82ae32ed50ae49df77

SHA512
0e4e47cf0f48b6c5d83fa8ca2fad50f489d5b119a4f9c7ac7c5964412c12277500659c0d1ad3330d7ec1925d6e9d6d34f487c9f85cc40e75f7d46d50cd9c05cc

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
4bf1ba6561616382dc7a22622c26dffb

SHA1
013882189b8ce81474e5ccdb7d442836c6d985a6

SHA256
efa9707cc17c9a7c5cfb6b8e5b5aa4a347f25da5fa88ebfd5ab815a74c0f886c

SHA512
dd29446da8ce901e14e124c2d194f2bf83c99e68f5e0901f5a283f35ecd809e0433e2d1ec8385bb75af6b0a3e22a80dda13aaed43a5d342711c35ed616f417eb

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
4bf1ba6561616382dc7a22622c26dffb

SHA1
013882189b8ce81474e5ccdb7d442836c6d985a6

SHA256
efa9707cc17c9a7c5cfb6b8e5b5aa4a347f25da5fa88ebfd5ab815a74c0f886c

SHA512
dd29446da8ce901e14e124c2d194f2bf83c99e68f5e0901f5a283f35ecd809e0433e2d1ec8385bb75af6b0a3e22a80dda13aaed43a5d342711c35ed616f417eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
e735981927a65d26cdaa4e70be418db9

SHA1
dd3f2c90056215ccb42a928d52a5fcd9f317fce9

SHA256
8b3439d528dc9d1517045d86eb5a7a13ec4f58afed86cf326d6112832bff6d35

SHA512
4daf4f4a5d62e9c8a976eb4ccede1347856c19e50f747e557144edc2992c37b3e011778e4f22c8b09b51be807ac5aea8a205e323416d02891f84510e6ce77fb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
e735981927a65d26cdaa4e70be418db9

SHA1
dd3f2c90056215ccb42a928d52a5fcd9f317fce9

SHA256
8b3439d528dc9d1517045d86eb5a7a13ec4f58afed86cf326d6112832bff6d35

SHA512
4daf4f4a5d62e9c8a976eb4ccede1347856c19e50f747e557144edc2992c37b3e011778e4f22c8b09b51be807ac5aea8a205e323416d02891f84510e6ce77fb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
32b17840958394004a19f6ee56df16e2

SHA1
83a525382cc22b1b7eb1318f0eb6d6232d84ac81

SHA256
7269a5b0bb6e2bd4d7f9e0e5f1436a5a363dc540d951c2733eae8bad23859dbc

SHA512
d57aec820074578dc938c474c7e812b914d20c26b57b3be67f7ad4f7813493751faa0991107924640e1e1cee48c0e9841ad2dfc005f39283c3589c9b25a40fb7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
32b17840958394004a19f6ee56df16e2

SHA1
83a525382cc22b1b7eb1318f0eb6d6232d84ac81

SHA256
7269a5b0bb6e2bd4d7f9e0e5f1436a5a363dc540d951c2733eae8bad23859dbc

SHA512
d57aec820074578dc938c474c7e812b914d20c26b57b3be67f7ad4f7813493751faa0991107924640e1e1cee48c0e9841ad2dfc005f39283c3589c9b25a40fb7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
e735981927a65d26cdaa4e70be418db9

SHA1
dd3f2c90056215ccb42a928d52a5fcd9f317fce9

SHA256
8b3439d528dc9d1517045d86eb5a7a13ec4f58afed86cf326d6112832bff6d35

SHA512
4daf4f4a5d62e9c8a976eb4ccede1347856c19e50f747e557144edc2992c37b3e011778e4f22c8b09b51be807ac5aea8a205e323416d02891f84510e6ce77fb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
e735981927a65d26cdaa4e70be418db9

SHA1
dd3f2c90056215ccb42a928d52a5fcd9f317fce9

SHA256
8b3439d528dc9d1517045d86eb5a7a13ec4f58afed86cf326d6112832bff6d35

SHA512
4daf4f4a5d62e9c8a976eb4ccede1347856c19e50f747e557144edc2992c37b3e011778e4f22c8b09b51be807ac5aea8a205e323416d02891f84510e6ce77fb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
e735981927a65d26cdaa4e70be418db9

SHA1
dd3f2c90056215ccb42a928d52a5fcd9f317fce9

SHA256
8b3439d528dc9d1517045d86eb5a7a13ec4f58afed86cf326d6112832bff6d35

SHA512
4daf4f4a5d62e9c8a976eb4ccede1347856c19e50f747e557144edc2992c37b3e011778e4f22c8b09b51be807ac5aea8a205e323416d02891f84510e6ce77fb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
e735981927a65d26cdaa4e70be418db9

SHA1
dd3f2c90056215ccb42a928d52a5fcd9f317fce9

SHA256
8b3439d528dc9d1517045d86eb5a7a13ec4f58afed86cf326d6112832bff6d35

SHA512
4daf4f4a5d62e9c8a976eb4ccede1347856c19e50f747e557144edc2992c37b3e011778e4f22c8b09b51be807ac5aea8a205e323416d02891f84510e6ce77fb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
ceee66353b63d38aebd1da8af96f7801

SHA1
cbeea71f084dc1112cd56f55e869a7055be268e7

SHA256
490af446b81dfeada7d745d5688202b7015dacd30a4c62c493d0967aab7377d5

SHA512
e80c9ea1120a2fe1df94f3af0132f9a68e201a36824163b639e53d6198dddd942672fa21c7866532188bb7fa1b8a606a1286d67579116d790f3c9b58e950b13f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
ceee66353b63d38aebd1da8af96f7801

SHA1
cbeea71f084dc1112cd56f55e869a7055be268e7

SHA256
490af446b81dfeada7d745d5688202b7015dacd30a4c62c493d0967aab7377d5

SHA512
e80c9ea1120a2fe1df94f3af0132f9a68e201a36824163b639e53d6198dddd942672fa21c7866532188bb7fa1b8a606a1286d67579116d790f3c9b58e950b13f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
ceee66353b63d38aebd1da8af96f7801

SHA1
cbeea71f084dc1112cd56f55e869a7055be268e7

SHA256
490af446b81dfeada7d745d5688202b7015dacd30a4c62c493d0967aab7377d5

SHA512
e80c9ea1120a2fe1df94f3af0132f9a68e201a36824163b639e53d6198dddd942672fa21c7866532188bb7fa1b8a606a1286d67579116d790f3c9b58e950b13f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
ceee66353b63d38aebd1da8af96f7801

SHA1
cbeea71f084dc1112cd56f55e869a7055be268e7

SHA256
490af446b81dfeada7d745d5688202b7015dacd30a4c62c493d0967aab7377d5

SHA512
e80c9ea1120a2fe1df94f3af0132f9a68e201a36824163b639e53d6198dddd942672fa21c7866532188bb7fa1b8a606a1286d67579116d790f3c9b58e950b13f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
ceee66353b63d38aebd1da8af96f7801

SHA1
cbeea71f084dc1112cd56f55e869a7055be268e7

SHA256
490af446b81dfeada7d745d5688202b7015dacd30a4c62c493d0967aab7377d5

SHA512
e80c9ea1120a2fe1df94f3af0132f9a68e201a36824163b639e53d6198dddd942672fa21c7866532188bb7fa1b8a606a1286d67579116d790f3c9b58e950b13f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
ceee66353b63d38aebd1da8af96f7801

SHA1
cbeea71f084dc1112cd56f55e869a7055be268e7

SHA256
490af446b81dfeada7d745d5688202b7015dacd30a4c62c493d0967aab7377d5

SHA512
e80c9ea1120a2fe1df94f3af0132f9a68e201a36824163b639e53d6198dddd942672fa21c7866532188bb7fa1b8a606a1286d67579116d790f3c9b58e950b13f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
ceee66353b63d38aebd1da8af96f7801

SHA1
cbeea71f084dc1112cd56f55e869a7055be268e7

SHA256
490af446b81dfeada7d745d5688202b7015dacd30a4c62c493d0967aab7377d5

SHA512
e80c9ea1120a2fe1df94f3af0132f9a68e201a36824163b639e53d6198dddd942672fa21c7866532188bb7fa1b8a606a1286d67579116d790f3c9b58e950b13f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
ceee66353b63d38aebd1da8af96f7801

SHA1
cbeea71f084dc1112cd56f55e869a7055be268e7

SHA256
490af446b81dfeada7d745d5688202b7015dacd30a4c62c493d0967aab7377d5

SHA512
e80c9ea1120a2fe1df94f3af0132f9a68e201a36824163b639e53d6198dddd942672fa21c7866532188bb7fa1b8a606a1286d67579116d790f3c9b58e950b13f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
ceee66353b63d38aebd1da8af96f7801

SHA1
cbeea71f084dc1112cd56f55e869a7055be268e7

SHA256
490af446b81dfeada7d745d5688202b7015dacd30a4c62c493d0967aab7377d5

SHA512
e80c9ea1120a2fe1df94f3af0132f9a68e201a36824163b639e53d6198dddd942672fa21c7866532188bb7fa1b8a606a1286d67579116d790f3c9b58e950b13f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
ceee66353b63d38aebd1da8af96f7801

SHA1
cbeea71f084dc1112cd56f55e869a7055be268e7

SHA256
490af446b81dfeada7d745d5688202b7015dacd30a4c62c493d0967aab7377d5

SHA512
e80c9ea1120a2fe1df94f3af0132f9a68e201a36824163b639e53d6198dddd942672fa21c7866532188bb7fa1b8a606a1286d67579116d790f3c9b58e950b13f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
97302f7418ac90966fd475e180b5f98c

SHA1
d11eea4cb6a5fbea2408af87c5d973b55af54238

SHA256
b12a9fe2951d719c5803bcde098639696ce6ebca84a1b6ba0e59435eab8cea4d

SHA512
e016019352dcc3b942ed6cd55620c5f780004ca201280a483653f9350c97c634b7865031417b53b471670ae1e3bb7c985c57c10126f8e7a57cedd32a5203bf76

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
97302f7418ac90966fd475e180b5f98c

SHA1
d11eea4cb6a5fbea2408af87c5d973b55af54238

SHA256
b12a9fe2951d719c5803bcde098639696ce6ebca84a1b6ba0e59435eab8cea4d

SHA512
e016019352dcc3b942ed6cd55620c5f780004ca201280a483653f9350c97c634b7865031417b53b471670ae1e3bb7c985c57c10126f8e7a57cedd32a5203bf76

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
999f60ee423860412d9ef3195a4afbfd

SHA1
109a42549131f590f6ad822fe43b31d29d312bd2

SHA256
f9ba7af92f01e7b9902d4a9ae8000b52c6cd3e8fb7c4f864eaff2a3bd0121e7a

SHA512
0ec10dbecec8dc8585a8e2d0e6197d6af4f510c3597daeda2334fa2be30e2e0a19305f4f9832fd2f14efa4d4d21758792bcea38d58e9ac46328e588894522aae

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
999f60ee423860412d9ef3195a4afbfd

SHA1
109a42549131f590f6ad822fe43b31d29d312bd2

SHA256
f9ba7af92f01e7b9902d4a9ae8000b52c6cd3e8fb7c4f864eaff2a3bd0121e7a

SHA512
0ec10dbecec8dc8585a8e2d0e6197d6af4f510c3597daeda2334fa2be30e2e0a19305f4f9832fd2f14efa4d4d21758792bcea38d58e9ac46328e588894522aae

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
999f60ee423860412d9ef3195a4afbfd

SHA1
109a42549131f590f6ad822fe43b31d29d312bd2

SHA256
f9ba7af92f01e7b9902d4a9ae8000b52c6cd3e8fb7c4f864eaff2a3bd0121e7a

SHA512
0ec10dbecec8dc8585a8e2d0e6197d6af4f510c3597daeda2334fa2be30e2e0a19305f4f9832fd2f14efa4d4d21758792bcea38d58e9ac46328e588894522aae

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
999f60ee423860412d9ef3195a4afbfd

SHA1
109a42549131f590f6ad822fe43b31d29d312bd2

SHA256
f9ba7af92f01e7b9902d4a9ae8000b52c6cd3e8fb7c4f864eaff2a3bd0121e7a

SHA512
0ec10dbecec8dc8585a8e2d0e6197d6af4f510c3597daeda2334fa2be30e2e0a19305f4f9832fd2f14efa4d4d21758792bcea38d58e9ac46328e588894522aae

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\System Restore.exe

Filesize
72KB

MD5
999f60ee423860412d9ef3195a4afbfd

SHA1
109a42549131f590f6ad822fe43b31d29d312bd2

SHA256
f9ba7af92f01e7b9902d4a9ae8000b52c6cd3e8fb7c4f864eaff2a3bd0121e7a

SHA512
0ec10dbecec8dc8585a8e2d0e6197d6af4f510c3597daeda2334fa2be30e2e0a19305f4f9832fd2f14efa4d4d21758792bcea38d58e9ac46328e588894522aae

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\System Restore.exe

Filesize
72KB

MD5
999f60ee423860412d9ef3195a4afbfd

SHA1
109a42549131f590f6ad822fe43b31d29d312bd2

SHA256
f9ba7af92f01e7b9902d4a9ae8000b52c6cd3e8fb7c4f864eaff2a3bd0121e7a

SHA512
0ec10dbecec8dc8585a8e2d0e6197d6af4f510c3597daeda2334fa2be30e2e0a19305f4f9832fd2f14efa4d4d21758792bcea38d58e9ac46328e588894522aae

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
999f60ee423860412d9ef3195a4afbfd

SHA1
109a42549131f590f6ad822fe43b31d29d312bd2

SHA256
f9ba7af92f01e7b9902d4a9ae8000b52c6cd3e8fb7c4f864eaff2a3bd0121e7a

SHA512
0ec10dbecec8dc8585a8e2d0e6197d6af4f510c3597daeda2334fa2be30e2e0a19305f4f9832fd2f14efa4d4d21758792bcea38d58e9ac46328e588894522aae

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
999f60ee423860412d9ef3195a4afbfd

SHA1
109a42549131f590f6ad822fe43b31d29d312bd2

SHA256
f9ba7af92f01e7b9902d4a9ae8000b52c6cd3e8fb7c4f864eaff2a3bd0121e7a

SHA512
0ec10dbecec8dc8585a8e2d0e6197d6af4f510c3597daeda2334fa2be30e2e0a19305f4f9832fd2f14efa4d4d21758792bcea38d58e9ac46328e588894522aae

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
5d4da7ba672b89f91e24458dc56363d8

SHA1
2d797ba29434f04f4ef7fd3d886137ea8dcb74df

SHA256
7cdb83fe5adf68b7a0c087320cbd8217125dabb663e841b047d17560533f410d

SHA512
574d7a51de23f8f5aecae848ebe06e367e83c6e7833ae2c33ca0d26e9c62b2fad25b4a8aa9022c725654dc08cda560253b0718c5151c09ee70516e67ddc109b7

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
5d4da7ba672b89f91e24458dc56363d8

SHA1
2d797ba29434f04f4ef7fd3d886137ea8dcb74df

SHA256
7cdb83fe5adf68b7a0c087320cbd8217125dabb663e841b047d17560533f410d

SHA512
574d7a51de23f8f5aecae848ebe06e367e83c6e7833ae2c33ca0d26e9c62b2fad25b4a8aa9022c725654dc08cda560253b0718c5151c09ee70516e67ddc109b7

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
63472ceb6d70081d90e9adb4a11f1f3e

SHA1
9bc7c7090de09102bfc1e073a33329b1791887b0

SHA256
d2d524070772593d45757fe34db584b61fb59bf2b735db242a5fe72a663fbb95

SHA512
c166bba40369e41db312d72263c936b5320f10bf5f10cd85f9d9af541d520b2cc74996b6b72cbbf41e36dea3b3416a839a358f1e4d7924a0a441dab92e44f627

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
63472ceb6d70081d90e9adb4a11f1f3e

SHA1
9bc7c7090de09102bfc1e073a33329b1791887b0

SHA256
d2d524070772593d45757fe34db584b61fb59bf2b735db242a5fe72a663fbb95

SHA512
c166bba40369e41db312d72263c936b5320f10bf5f10cd85f9d9af541d520b2cc74996b6b72cbbf41e36dea3b3416a839a358f1e4d7924a0a441dab92e44f627

Download Submit
C:\Users\Admin\AppData\Local\Temp\1554202410\backup.exe

Filesize
72KB

MD5
589e97405e5c8cdf2de1351e6fe3df2e

SHA1
333b8ae2ef798279faa0b9e6c81fa3289ad29546

SHA256
05fe3a0f63a866d3799e269dd0dff4abce5b234ccb0882b8b6e75f08d2bba61b

SHA512
e49a950d33952ea936706c97798b401ec23dbb039ed377cda67cd8992c545ccd8f7652f4befacbf50d81fc77b0aa8d64b646f2618c320515b90effb14d4a7ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1554202410\backup.exe

Filesize
72KB

MD5
589e97405e5c8cdf2de1351e6fe3df2e

SHA1
333b8ae2ef798279faa0b9e6c81fa3289ad29546

SHA256
05fe3a0f63a866d3799e269dd0dff4abce5b234ccb0882b8b6e75f08d2bba61b

SHA512
e49a950d33952ea936706c97798b401ec23dbb039ed377cda67cd8992c545ccd8f7652f4befacbf50d81fc77b0aa8d64b646f2618c320515b90effb14d4a7ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
0c9e0167ccbf40e00bb5fd11431d47c8

SHA1
e6cfee88fd7649f8487d2120a397533d4a22a5f0

SHA256
348f27c996db9b1d0b55bbfe9ce4e45adeb5479987a10ebe6fb1551151f674a6

SHA512
e6ec2f6ed38a1b7bcfb21514882409c4084bf051aed3d03f3b341d31b27fe4d0505e3286a5e3bb9694012ae81deb96b0241774ef5222dc0759dafc13ef58a46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
0c9e0167ccbf40e00bb5fd11431d47c8

SHA1
e6cfee88fd7649f8487d2120a397533d4a22a5f0

SHA256
348f27c996db9b1d0b55bbfe9ce4e45adeb5479987a10ebe6fb1551151f674a6

SHA512
e6ec2f6ed38a1b7bcfb21514882409c4084bf051aed3d03f3b341d31b27fe4d0505e3286a5e3bb9694012ae81deb96b0241774ef5222dc0759dafc13ef58a46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
0c9e0167ccbf40e00bb5fd11431d47c8

SHA1
e6cfee88fd7649f8487d2120a397533d4a22a5f0

SHA256
348f27c996db9b1d0b55bbfe9ce4e45adeb5479987a10ebe6fb1551151f674a6

SHA512
e6ec2f6ed38a1b7bcfb21514882409c4084bf051aed3d03f3b341d31b27fe4d0505e3286a5e3bb9694012ae81deb96b0241774ef5222dc0759dafc13ef58a46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
0c9e0167ccbf40e00bb5fd11431d47c8

SHA1
e6cfee88fd7649f8487d2120a397533d4a22a5f0

SHA256
348f27c996db9b1d0b55bbfe9ce4e45adeb5479987a10ebe6fb1551151f674a6

SHA512
e6ec2f6ed38a1b7bcfb21514882409c4084bf051aed3d03f3b341d31b27fe4d0505e3286a5e3bb9694012ae81deb96b0241774ef5222dc0759dafc13ef58a46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
0c9e0167ccbf40e00bb5fd11431d47c8

SHA1
e6cfee88fd7649f8487d2120a397533d4a22a5f0

SHA256
348f27c996db9b1d0b55bbfe9ce4e45adeb5479987a10ebe6fb1551151f674a6

SHA512
e6ec2f6ed38a1b7bcfb21514882409c4084bf051aed3d03f3b341d31b27fe4d0505e3286a5e3bb9694012ae81deb96b0241774ef5222dc0759dafc13ef58a46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
0c9e0167ccbf40e00bb5fd11431d47c8

SHA1
e6cfee88fd7649f8487d2120a397533d4a22a5f0

SHA256
348f27c996db9b1d0b55bbfe9ce4e45adeb5479987a10ebe6fb1551151f674a6

SHA512
e6ec2f6ed38a1b7bcfb21514882409c4084bf051aed3d03f3b341d31b27fe4d0505e3286a5e3bb9694012ae81deb96b0241774ef5222dc0759dafc13ef58a46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
589e97405e5c8cdf2de1351e6fe3df2e

SHA1
333b8ae2ef798279faa0b9e6c81fa3289ad29546

SHA256
05fe3a0f63a866d3799e269dd0dff4abce5b234ccb0882b8b6e75f08d2bba61b

SHA512
e49a950d33952ea936706c97798b401ec23dbb039ed377cda67cd8992c545ccd8f7652f4befacbf50d81fc77b0aa8d64b646f2618c320515b90effb14d4a7ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
589e97405e5c8cdf2de1351e6fe3df2e

SHA1
333b8ae2ef798279faa0b9e6c81fa3289ad29546

SHA256
05fe3a0f63a866d3799e269dd0dff4abce5b234ccb0882b8b6e75f08d2bba61b

SHA512
e49a950d33952ea936706c97798b401ec23dbb039ed377cda67cd8992c545ccd8f7652f4befacbf50d81fc77b0aa8d64b646f2618c320515b90effb14d4a7ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
589e97405e5c8cdf2de1351e6fe3df2e

SHA1
333b8ae2ef798279faa0b9e6c81fa3289ad29546

SHA256
05fe3a0f63a866d3799e269dd0dff4abce5b234ccb0882b8b6e75f08d2bba61b

SHA512
e49a950d33952ea936706c97798b401ec23dbb039ed377cda67cd8992c545ccd8f7652f4befacbf50d81fc77b0aa8d64b646f2618c320515b90effb14d4a7ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
589e97405e5c8cdf2de1351e6fe3df2e

SHA1
333b8ae2ef798279faa0b9e6c81fa3289ad29546

SHA256
05fe3a0f63a866d3799e269dd0dff4abce5b234ccb0882b8b6e75f08d2bba61b

SHA512
e49a950d33952ea936706c97798b401ec23dbb039ed377cda67cd8992c545ccd8f7652f4befacbf50d81fc77b0aa8d64b646f2618c320515b90effb14d4a7ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
51ca1be4266a17a39e7355b522882bf6

SHA1
e6d216de4014e5d73878d9e5d372e7ea000bbd3e

SHA256
6720bf7e2472bc47602158b94b5ba71cfd992bec55e1ec07647860f72ba8e297

SHA512
42fcfa15d61aa571d03c82905453bfb2978480302e1bd78494474a1f8e51d0189af07eb7f297db24a17d6d0eb7b45680536ee25d6f651df4da08716e044138ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
51ca1be4266a17a39e7355b522882bf6

SHA1
e6d216de4014e5d73878d9e5d372e7ea000bbd3e

SHA256
6720bf7e2472bc47602158b94b5ba71cfd992bec55e1ec07647860f72ba8e297

SHA512
42fcfa15d61aa571d03c82905453bfb2978480302e1bd78494474a1f8e51d0189af07eb7f297db24a17d6d0eb7b45680536ee25d6f651df4da08716e044138ed

Download Submit
C:\backup.exe

Filesize
72KB

MD5
9c6e7e9738668097c5751d6ed2b55aa7

SHA1
c12b39b3122b186f1e5d23359fc0d0887c793575

SHA256
8d9dfcfd679540a98e149b0d93751c276b67c20f922674c8bf74e710e8f052fd

SHA512
c77b47e49160da0913ac14a476fef7d4c1db644fb9bb766e4055029a2887150606d6d1c91983341f7d3cf609710bade9a87412631fc3f10beb2bd2f1ec043c50

Download Submit
C:\backup.exe

Filesize
72KB

MD5
9c6e7e9738668097c5751d6ed2b55aa7

SHA1
c12b39b3122b186f1e5d23359fc0d0887c793575

SHA256
8d9dfcfd679540a98e149b0d93751c276b67c20f922674c8bf74e710e8f052fd

SHA512
c77b47e49160da0913ac14a476fef7d4c1db644fb9bb766e4055029a2887150606d6d1c91983341f7d3cf609710bade9a87412631fc3f10beb2bd2f1ec043c50

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
63472ceb6d70081d90e9adb4a11f1f3e

SHA1
9bc7c7090de09102bfc1e073a33329b1791887b0

SHA256
d2d524070772593d45757fe34db584b61fb59bf2b735db242a5fe72a663fbb95

SHA512
c166bba40369e41db312d72263c936b5320f10bf5f10cd85f9d9af541d520b2cc74996b6b72cbbf41e36dea3b3416a839a358f1e4d7924a0a441dab92e44f627

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
63472ceb6d70081d90e9adb4a11f1f3e

SHA1
9bc7c7090de09102bfc1e073a33329b1791887b0

SHA256
d2d524070772593d45757fe34db584b61fb59bf2b735db242a5fe72a663fbb95

SHA512
c166bba40369e41db312d72263c936b5320f10bf5f10cd85f9d9af541d520b2cc74996b6b72cbbf41e36dea3b3416a839a358f1e4d7924a0a441dab92e44f627

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads