12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5

Analysis

max time kernel
191s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe
Size

72KB
MD5

248643b8f3d27c37ec8ea9f828fc817a
SHA1

0a52d024902e0c6c45f9fad2cb01d3ed56aedba2
SHA256

12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5
SHA512

41a52c3fded064eeddd5a215dbf6e692d6a53d05a56948f4fed172c301b4c0afdcc00d1b06b15a0d96d9b3f76240032cbe81a8f15122c12edc4d14d228be3e89
SSDEEP

384:N6wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oG6:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrn

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1544	System Restore.exe
3528	backup.exe
4640	backup.exe
2580	backup.exe
3504	backup.exe
4268	backup.exe
2816	data.exe
4656	backup.exe
740	update.exe
2304	update.exe
4408	backup.exe
1748	backup.exe
3644	backup.exe
3096	backup.exe
3624	backup.exe
884	backup.exe
4652	backup.exe
3488	backup.exe
2676	backup.exe
2400	backup.exe
4676	backup.exe
4284	backup.exe
744	backup.exe
3168	backup.exe
1840	data.exe
1468	update.exe
4728	backup.exe
4952	backup.exe
4136	backup.exe
3912	backup.exe
3336	backup.exe
3728	backup.exe
4144	backup.exe
4608	backup.exe
5048	backup.exe
336	backup.exe
4948	backup.exe
3348	backup.exe
4436	backup.exe
3544	backup.exe
3416	backup.exe
5032	backup.exe
3056	backup.exe
5052	backup.exe
4852	backup.exe
3160	backup.exe
2216	backup.exe
2796	backup.exe
4528	backup.exe
4672	backup.exe
3644	backup.exe
4032	update.exe
1036	backup.exe
4468	backup.exe
3260	backup.exe
2944	data.exe
1536	data.exe
4992	update.exe
3276	data.exe
4776	data.exe
3492	data.exe
2164	backup.exe
4264	backup.exe
4676	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\data.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\data.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\update.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\backup.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	update.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\data.exe	backup.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe
1544	System Restore.exe
3528	backup.exe
4640	backup.exe
2580	backup.exe
3504	backup.exe
4268	backup.exe
2816	data.exe
4656	backup.exe
740	update.exe
2304	update.exe
4408	backup.exe
1748	backup.exe
3644	backup.exe
3096	backup.exe
3624	backup.exe
884	backup.exe
4652	backup.exe
3488	backup.exe
2676	backup.exe
2400	backup.exe
4676	backup.exe
4284	backup.exe
1840	data.exe
3168	backup.exe
744	backup.exe
1468	update.exe
4728	backup.exe
4136	backup.exe
4952	backup.exe
3912	backup.exe
3336	backup.exe
3728	backup.exe
4608	backup.exe
4144	backup.exe
5048	backup.exe
336	backup.exe
4948	backup.exe
3348	backup.exe
4436	backup.exe
3544	backup.exe
3416	backup.exe
5032	backup.exe
5052	backup.exe
4852	backup.exe
3056	backup.exe
3160	backup.exe
2796	backup.exe
2216	backup.exe
4528	backup.exe
4672	backup.exe
3644	backup.exe
4032	update.exe
1036	backup.exe
4468	backup.exe
3260	backup.exe
1536	data.exe
3276	data.exe
4264	backup.exe
4676	backup.exe
2164	backup.exe
4776	data.exe
2944	data.exe
4992	update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 1544	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	81
PID 5084 wrote to memory of 1544	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	81
PID 5084 wrote to memory of 1544	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	81
PID 5084 wrote to memory of 3528	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	82
PID 5084 wrote to memory of 3528	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	82
PID 5084 wrote to memory of 3528	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	82
PID 5084 wrote to memory of 4640	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	83
PID 5084 wrote to memory of 4640	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	83
PID 5084 wrote to memory of 4640	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	83
PID 5084 wrote to memory of 2580	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	84
PID 5084 wrote to memory of 2580	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	84
PID 5084 wrote to memory of 2580	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	84
PID 5084 wrote to memory of 3504	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	85
PID 5084 wrote to memory of 3504	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	85
PID 5084 wrote to memory of 3504	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	85
PID 5084 wrote to memory of 4268	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	86
PID 5084 wrote to memory of 4268	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	86
PID 5084 wrote to memory of 4268	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	86
PID 5084 wrote to memory of 2816	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	87
PID 5084 wrote to memory of 2816	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	87
PID 5084 wrote to memory of 2816	5084	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe	87
PID 1544 wrote to memory of 4656	1544	System Restore.exe	88
PID 1544 wrote to memory of 4656	1544	System Restore.exe	88
PID 1544 wrote to memory of 4656	1544	System Restore.exe	88
PID 4656 wrote to memory of 740	4656	backup.exe	89
PID 4656 wrote to memory of 740	4656	backup.exe	89
PID 4656 wrote to memory of 740	4656	backup.exe	89
PID 4656 wrote to memory of 2304	4656	backup.exe	90
PID 4656 wrote to memory of 2304	4656	backup.exe	90
PID 4656 wrote to memory of 2304	4656	backup.exe	90
PID 4656 wrote to memory of 4408	4656	backup.exe	91
PID 4656 wrote to memory of 4408	4656	backup.exe	91
PID 4656 wrote to memory of 4408	4656	backup.exe	91
PID 4408 wrote to memory of 1748	4408	backup.exe	92
PID 4408 wrote to memory of 1748	4408	backup.exe	92
PID 4408 wrote to memory of 1748	4408	backup.exe	92
PID 1748 wrote to memory of 3644	1748	backup.exe	93
PID 1748 wrote to memory of 3644	1748	backup.exe	93
PID 1748 wrote to memory of 3644	1748	backup.exe	93
PID 4408 wrote to memory of 3096	4408	backup.exe	94
PID 4408 wrote to memory of 3096	4408	backup.exe	94
PID 4408 wrote to memory of 3096	4408	backup.exe	94
PID 3096 wrote to memory of 3624	3096	backup.exe	95
PID 3096 wrote to memory of 3624	3096	backup.exe	95
PID 3096 wrote to memory of 3624	3096	backup.exe	95
PID 3096 wrote to memory of 884	3096	backup.exe	96
PID 3096 wrote to memory of 884	3096	backup.exe	96
PID 3096 wrote to memory of 884	3096	backup.exe	96
PID 884 wrote to memory of 4652	884	backup.exe	97
PID 884 wrote to memory of 4652	884	backup.exe	97
PID 884 wrote to memory of 4652	884	backup.exe	97
PID 884 wrote to memory of 3488	884	backup.exe	98
PID 884 wrote to memory of 3488	884	backup.exe	98
PID 884 wrote to memory of 3488	884	backup.exe	98
PID 3488 wrote to memory of 2676	3488	backup.exe	99
PID 3488 wrote to memory of 2676	3488	backup.exe	99
PID 3488 wrote to memory of 2676	3488	backup.exe	99
PID 3488 wrote to memory of 2400	3488	backup.exe	100
PID 3488 wrote to memory of 2400	3488	backup.exe	100
PID 3488 wrote to memory of 2400	3488	backup.exe	100
PID 3488 wrote to memory of 4676	3488	backup.exe	101
PID 3488 wrote to memory of 4676	3488	backup.exe	101
PID 3488 wrote to memory of 4676	3488	backup.exe	101
PID 3096 wrote to memory of 4284	3096	backup.exe	106

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe
"C:\Users\Admin\AppData\Local\Temp\12b90be58b21ad68d015784d1bf97acd6fbdd40491b94033096c35c935d075f5.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5084
- C:\Users\Admin\AppData\Local\Temp\3249709040\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\3249709040\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\3249709040\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4656
  - - C:\odt\update.exe
      C:\odt\update.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:740
  - - C:\PerfLogs\update.exe
      C:\PerfLogs\update.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2304
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3644
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3096
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3624
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4652
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3488
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2676
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2400
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4676
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3168
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4144
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5048
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3544
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5052
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4676
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5048
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        
        PID:1092
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3220
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1468
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4728
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3912
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3348
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3416
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3160
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3644
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4468
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\update.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4216
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:4268
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:2984
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4148
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:680
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4284
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4136
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4608
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4436
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5032
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4852
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4528
        
        C:\Program Files\Common Files\System\ado\it-IT\update.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\update.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4032
        
        C:\Program Files\Common Files\System\ado\ja-JP\update.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\update.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2888
        
        C:\Program Files\Common Files\System\de-DE\data.exe
        
        "C:\Program Files\Common Files\System\de-DE\data.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4824
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2892
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1952
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2872
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:744
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3728
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4948
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\update.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4992
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4592
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4448
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4348
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4252
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:1332
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3260
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1036
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4264
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1388
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3156
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4980
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1496
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:5096
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2912
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2068
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4504
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        
        PID:3136
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        
        PID:3648
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:2476
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3040
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        
        PID:5040
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:4224
  - - C:\Program Files (x86)\data.exe
      "C:\Program Files (x86)\data.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1840
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4952
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3336
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:336
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4672
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2944
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:3744
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:1956
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:3808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3284
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2212
    - - C:\Program Files (x86)\Common Files\data.exe
        
        "C:\Program Files (x86)\Common Files\data.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4776
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        
        PID:3224
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\update.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3856
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        System policy modification
        
        PID:1656
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3012
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:4296
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        Drops file in Program Files directory
        
        PID:3884
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:4952
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:572
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4628
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:4240
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2060
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        System policy modification
        
        PID:2348
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2640
  - - C:\Users\data.exe
      C:\Users\data.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      PID:3492
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3180
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2620
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:4740
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2440
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:3852
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:744
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        System policy modification
        
        PID:3360
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        
        PID:2352
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        
        PID:2796
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3528
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3504
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4268
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\update.exe

Filesize
72KB

MD5
de408f437917e48d881441811298c56f

SHA1
10e51e83e25cb259512fe8152ed83e1969850242

SHA256
cbb91ac651c3d9ad64ba0de2ef11ee52bade8533f698bd9fdf971946539a4525

SHA512
99182908bdcf53161f401ea3beb63d7c5615741e198dc3a08badada3b4326837a95072f30b6d0b29622f0527ad9631ddb757f2d8d89d8b58d58cc93ac14b30ee

Download Submit
C:\PerfLogs\update.exe

Filesize
72KB

MD5
de408f437917e48d881441811298c56f

SHA1
10e51e83e25cb259512fe8152ed83e1969850242

SHA256
cbb91ac651c3d9ad64ba0de2ef11ee52bade8533f698bd9fdf971946539a4525

SHA512
99182908bdcf53161f401ea3beb63d7c5615741e198dc3a08badada3b4326837a95072f30b6d0b29622f0527ad9631ddb757f2d8d89d8b58d58cc93ac14b30ee

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
72KB

MD5
e85215886d2caf2bea8750cde1ca3d6e

SHA1
9d69a0b83628c2ad067df606f1773613861275e4

SHA256
1a1c02db06b4ffe2dda17414a0dbbfbd1a2ad6227b8a23f2d81d3404491095a6

SHA512
c3954533795619534df652040c95f7c60908dd0679844128dcf3b09accfa761ebdc6c56d8146147baa463aaf9877af1c869b692788b94ccc2ed0172f266f95c0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
72KB

MD5
e85215886d2caf2bea8750cde1ca3d6e

SHA1
9d69a0b83628c2ad067df606f1773613861275e4

SHA256
1a1c02db06b4ffe2dda17414a0dbbfbd1a2ad6227b8a23f2d81d3404491095a6

SHA512
c3954533795619534df652040c95f7c60908dd0679844128dcf3b09accfa761ebdc6c56d8146147baa463aaf9877af1c869b692788b94ccc2ed0172f266f95c0

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
751e23fb8def2da02243c5c8c1623e7d

SHA1
63b6945b96679e3bf603bb25ac366604a8f612ba

SHA256
f1a2f45cdf5a1327fc6ff20e5ccdaf7bc11d37e70b9ed72f92a7626808d7c32b

SHA512
1f8c16dc45eb0473f86e48e8307399e5762a97c7f8c354b3767b263e2566bbf39c3bd864a13d6fa37e5e6933d75ed3114d720b91626d89741be3ab94ed517d7e

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
751e23fb8def2da02243c5c8c1623e7d

SHA1
63b6945b96679e3bf603bb25ac366604a8f612ba

SHA256
f1a2f45cdf5a1327fc6ff20e5ccdaf7bc11d37e70b9ed72f92a7626808d7c32b

SHA512
1f8c16dc45eb0473f86e48e8307399e5762a97c7f8c354b3767b263e2566bbf39c3bd864a13d6fa37e5e6933d75ed3114d720b91626d89741be3ab94ed517d7e

Download Submit
C:\Program Files (x86)\data.exe

Filesize
72KB

MD5
780765fd98eb7bd60cb8997a8ec80fb8

SHA1
4e166ad874d1efbc20226bdc3f73f222f4d3e193

SHA256
64c6e06d3ba8f2f13f5142e84fd32915513cd4422c9e355dad424dc47dee5164

SHA512
c044d9f95315ffb113559c6897d18835ca9429e71953b16874a6eab8a9286dd4bbccc9931ef2145f8c67e866c17eb9dd959adde9419c29104d604e0a258f304b

Download Submit
C:\Program Files (x86)\data.exe

Filesize
72KB

MD5
780765fd98eb7bd60cb8997a8ec80fb8

SHA1
4e166ad874d1efbc20226bdc3f73f222f4d3e193

SHA256
64c6e06d3ba8f2f13f5142e84fd32915513cd4422c9e355dad424dc47dee5164

SHA512
c044d9f95315ffb113559c6897d18835ca9429e71953b16874a6eab8a9286dd4bbccc9931ef2145f8c67e866c17eb9dd959adde9419c29104d604e0a258f304b

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
b1b18a6a16f4e80ce37f37c798146497

SHA1
1c0b0d9f6309be49ff43f9e3e7face9fb07522d0

SHA256
912d3bddb59ab7f503a4533ce0cb149d25984e63d129e06c019aecc79940c7be

SHA512
1290bbbde2987f348db04a5da088ec74fcaef75a6ad0bd88094ce605e620cf7ca00d28ea3875397b001f1b1b40f4aa146df18d88fe2120ed281c4bfb2aac54db

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
b1b18a6a16f4e80ce37f37c798146497

SHA1
1c0b0d9f6309be49ff43f9e3e7face9fb07522d0

SHA256
912d3bddb59ab7f503a4533ce0cb149d25984e63d129e06c019aecc79940c7be

SHA512
1290bbbde2987f348db04a5da088ec74fcaef75a6ad0bd88094ce605e620cf7ca00d28ea3875397b001f1b1b40f4aa146df18d88fe2120ed281c4bfb2aac54db

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ba61cb442c0d1dc12cc62b8a7a33a3a9

SHA1
9aa2562cc11e908cfaff3fffd68b9a146af60947

SHA256
bea9b4495c9cf040e76768e2a1ca26e9619a7aa06b345b994053014c0d8583c5

SHA512
e3a64ab0ab11a5b0fb7363c85cf659e9e12cc55aa69bb8a96322f0797bd958a0e39b95c93da6b51c8d55cac7125f5e7f2322bae6a49438aacec291d95a4c8745

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ba61cb442c0d1dc12cc62b8a7a33a3a9

SHA1
9aa2562cc11e908cfaff3fffd68b9a146af60947

SHA256
bea9b4495c9cf040e76768e2a1ca26e9619a7aa06b345b994053014c0d8583c5

SHA512
e3a64ab0ab11a5b0fb7363c85cf659e9e12cc55aa69bb8a96322f0797bd958a0e39b95c93da6b51c8d55cac7125f5e7f2322bae6a49438aacec291d95a4c8745

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
b1b18a6a16f4e80ce37f37c798146497

SHA1
1c0b0d9f6309be49ff43f9e3e7face9fb07522d0

SHA256
912d3bddb59ab7f503a4533ce0cb149d25984e63d129e06c019aecc79940c7be

SHA512
1290bbbde2987f348db04a5da088ec74fcaef75a6ad0bd88094ce605e620cf7ca00d28ea3875397b001f1b1b40f4aa146df18d88fe2120ed281c4bfb2aac54db

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
b1b18a6a16f4e80ce37f37c798146497

SHA1
1c0b0d9f6309be49ff43f9e3e7face9fb07522d0

SHA256
912d3bddb59ab7f503a4533ce0cb149d25984e63d129e06c019aecc79940c7be

SHA512
1290bbbde2987f348db04a5da088ec74fcaef75a6ad0bd88094ce605e620cf7ca00d28ea3875397b001f1b1b40f4aa146df18d88fe2120ed281c4bfb2aac54db

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
f857da6cc367b28f08fd4a8ec623376b

SHA1
d065ac7a69ed8c3bbdec0631d679556de570fad5

SHA256
ebd0953d2992b956ed23925e2893b6322ce7cb49c5a78612bb6d8e86359807b4

SHA512
b50a4122831f5c0e68ca79df693bdb71eaf7991fbff26114fa775338f679fbcd5d637656cc10cfc545e55c987ed35ac6aab07c7d7eaaf82a3f40bff8e1ab878f

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
f857da6cc367b28f08fd4a8ec623376b

SHA1
d065ac7a69ed8c3bbdec0631d679556de570fad5

SHA256
ebd0953d2992b956ed23925e2893b6322ce7cb49c5a78612bb6d8e86359807b4

SHA512
b50a4122831f5c0e68ca79df693bdb71eaf7991fbff26114fa775338f679fbcd5d637656cc10cfc545e55c987ed35ac6aab07c7d7eaaf82a3f40bff8e1ab878f

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
451116b5c518637b6bf44be65b9d3835

SHA1
9df30fc89c288e9f6094789b3fada5172c08e775

SHA256
a8df0dbcf5aa659e62b0636d9ad50ef4c3547df68faa4eac55f0df7780459c00

SHA512
c2282d4b23aa0796bcfbdc0867989db8e3dcfc978c9bb7c0f3e9014e665184185e291f78c20c82c5b02678f5e31006434a4e94bee44907a67d4c484eb4f8d6e7

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
451116b5c518637b6bf44be65b9d3835

SHA1
9df30fc89c288e9f6094789b3fada5172c08e775

SHA256
a8df0dbcf5aa659e62b0636d9ad50ef4c3547df68faa4eac55f0df7780459c00

SHA512
c2282d4b23aa0796bcfbdc0867989db8e3dcfc978c9bb7c0f3e9014e665184185e291f78c20c82c5b02678f5e31006434a4e94bee44907a67d4c484eb4f8d6e7

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
ba61cb442c0d1dc12cc62b8a7a33a3a9

SHA1
9aa2562cc11e908cfaff3fffd68b9a146af60947

SHA256
bea9b4495c9cf040e76768e2a1ca26e9619a7aa06b345b994053014c0d8583c5

SHA512
e3a64ab0ab11a5b0fb7363c85cf659e9e12cc55aa69bb8a96322f0797bd958a0e39b95c93da6b51c8d55cac7125f5e7f2322bae6a49438aacec291d95a4c8745

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
ba61cb442c0d1dc12cc62b8a7a33a3a9

SHA1
9aa2562cc11e908cfaff3fffd68b9a146af60947

SHA256
bea9b4495c9cf040e76768e2a1ca26e9619a7aa06b345b994053014c0d8583c5

SHA512
e3a64ab0ab11a5b0fb7363c85cf659e9e12cc55aa69bb8a96322f0797bd958a0e39b95c93da6b51c8d55cac7125f5e7f2322bae6a49438aacec291d95a4c8745

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
24033e5514a5b2cd3738683b6459fd9f

SHA1
5e5ab5823e73d132f5a912b35296bd082f28cfa1

SHA256
b66fa351c0be2975f407ca8facf5bf29c09cccf2c1e62e08e98543952d35bc1e

SHA512
37a38a7fcdc96877547e735415eb71c13ba08d3efb82dd1514398ab38d53938440f1401233bf5e7a572f259277b7d460c86109af1a40cd376f7ff91a9c59206a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
24033e5514a5b2cd3738683b6459fd9f

SHA1
5e5ab5823e73d132f5a912b35296bd082f28cfa1

SHA256
b66fa351c0be2975f407ca8facf5bf29c09cccf2c1e62e08e98543952d35bc1e

SHA512
37a38a7fcdc96877547e735415eb71c13ba08d3efb82dd1514398ab38d53938440f1401233bf5e7a572f259277b7d460c86109af1a40cd376f7ff91a9c59206a

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
6ecff3f7b88aec0fdbbb2b44b12fadc2

SHA1
255b9e43fe13c6f7503a6e027656a3cc6712d623

SHA256
bf751f29c6a1f91993bedb089c2d11826948eea6f8c7fe4fb8b5f6fc004bda57

SHA512
a716591a07629f76289a0bfb8191d132bd9667cafe71a2dd05dc3f5c41055d86a21d88e631c4dec9f56eea50e192b6bc39e37941c7194a65c29a86c7afcb18c1

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
6ecff3f7b88aec0fdbbb2b44b12fadc2

SHA1
255b9e43fe13c6f7503a6e027656a3cc6712d623

SHA256
bf751f29c6a1f91993bedb089c2d11826948eea6f8c7fe4fb8b5f6fc004bda57

SHA512
a716591a07629f76289a0bfb8191d132bd9667cafe71a2dd05dc3f5c41055d86a21d88e631c4dec9f56eea50e192b6bc39e37941c7194a65c29a86c7afcb18c1

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe

Filesize
72KB

MD5
6ecff3f7b88aec0fdbbb2b44b12fadc2

SHA1
255b9e43fe13c6f7503a6e027656a3cc6712d623

SHA256
bf751f29c6a1f91993bedb089c2d11826948eea6f8c7fe4fb8b5f6fc004bda57

SHA512
a716591a07629f76289a0bfb8191d132bd9667cafe71a2dd05dc3f5c41055d86a21d88e631c4dec9f56eea50e192b6bc39e37941c7194a65c29a86c7afcb18c1

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe

Filesize
72KB

MD5
6ecff3f7b88aec0fdbbb2b44b12fadc2

SHA1
255b9e43fe13c6f7503a6e027656a3cc6712d623

SHA256
bf751f29c6a1f91993bedb089c2d11826948eea6f8c7fe4fb8b5f6fc004bda57

SHA512
a716591a07629f76289a0bfb8191d132bd9667cafe71a2dd05dc3f5c41055d86a21d88e631c4dec9f56eea50e192b6bc39e37941c7194a65c29a86c7afcb18c1

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\update.exe

Filesize
72KB

MD5
e9ca8cc7c7a0b38030a2a1752dd41566

SHA1
f0ae4892db691bf3ff8abfbebb9bf73edb9390d2

SHA256
65bd28df62f63933f92bd731894ddf6342129292f32b061ec05151ddbefd8373

SHA512
7cab2b36ffa68829c36fb2177a69a244fc25a6a749f68777ff4114b274a50263dbdef6ba59a160a9cc2cffd01fb6ae7224c8c9c47748e283098941a307bee4bf

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\update.exe

Filesize
72KB

MD5
e9ca8cc7c7a0b38030a2a1752dd41566

SHA1
f0ae4892db691bf3ff8abfbebb9bf73edb9390d2

SHA256
65bd28df62f63933f92bd731894ddf6342129292f32b061ec05151ddbefd8373

SHA512
7cab2b36ffa68829c36fb2177a69a244fc25a6a749f68777ff4114b274a50263dbdef6ba59a160a9cc2cffd01fb6ae7224c8c9c47748e283098941a307bee4bf

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
b1b18a6a16f4e80ce37f37c798146497

SHA1
1c0b0d9f6309be49ff43f9e3e7face9fb07522d0

SHA256
912d3bddb59ab7f503a4533ce0cb149d25984e63d129e06c019aecc79940c7be

SHA512
1290bbbde2987f348db04a5da088ec74fcaef75a6ad0bd88094ce605e620cf7ca00d28ea3875397b001f1b1b40f4aa146df18d88fe2120ed281c4bfb2aac54db

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
b1b18a6a16f4e80ce37f37c798146497

SHA1
1c0b0d9f6309be49ff43f9e3e7face9fb07522d0

SHA256
912d3bddb59ab7f503a4533ce0cb149d25984e63d129e06c019aecc79940c7be

SHA512
1290bbbde2987f348db04a5da088ec74fcaef75a6ad0bd88094ce605e620cf7ca00d28ea3875397b001f1b1b40f4aa146df18d88fe2120ed281c4bfb2aac54db

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
482384d07094ab54ae7da217ac95ae49

SHA1
1ebf43e166096b1348a4fa1fd0ff9aa7d9137970

SHA256
d33a705cf007c7793ae14460828f484b8b3f4a72916fe52845b053f497d07aa4

SHA512
dd1906246667360be33d5d28b6f9b133d8d2ad321eeddaa2326e415137a3e1edc1a20279a24033456ccbfe85d367336755048f9af3702cac61d937592b1b3fbd

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
482384d07094ab54ae7da217ac95ae49

SHA1
1ebf43e166096b1348a4fa1fd0ff9aa7d9137970

SHA256
d33a705cf007c7793ae14460828f484b8b3f4a72916fe52845b053f497d07aa4

SHA512
dd1906246667360be33d5d28b6f9b133d8d2ad321eeddaa2326e415137a3e1edc1a20279a24033456ccbfe85d367336755048f9af3702cac61d937592b1b3fbd

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
24033e5514a5b2cd3738683b6459fd9f

SHA1
5e5ab5823e73d132f5a912b35296bd082f28cfa1

SHA256
b66fa351c0be2975f407ca8facf5bf29c09cccf2c1e62e08e98543952d35bc1e

SHA512
37a38a7fcdc96877547e735415eb71c13ba08d3efb82dd1514398ab38d53938440f1401233bf5e7a572f259277b7d460c86109af1a40cd376f7ff91a9c59206a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
24033e5514a5b2cd3738683b6459fd9f

SHA1
5e5ab5823e73d132f5a912b35296bd082f28cfa1

SHA256
b66fa351c0be2975f407ca8facf5bf29c09cccf2c1e62e08e98543952d35bc1e

SHA512
37a38a7fcdc96877547e735415eb71c13ba08d3efb82dd1514398ab38d53938440f1401233bf5e7a572f259277b7d460c86109af1a40cd376f7ff91a9c59206a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
2b0826a2dc54e6cbada4d8f92207b3dd

SHA1
9ae88ad1f283fcff53ed91423f0879a5a20408c1

SHA256
724c88b8d2fb331c86daaf5605f2384693144743eb650144291bac2182d41814

SHA512
9381cd3c8a9e65bd5d56495619ae0228df5c16e65df71a1e887cc9f596808b92d990e141261c04293e34874655993d65e46e79cc30ab3c19e27c35c67af5d1fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
2b0826a2dc54e6cbada4d8f92207b3dd

SHA1
9ae88ad1f283fcff53ed91423f0879a5a20408c1

SHA256
724c88b8d2fb331c86daaf5605f2384693144743eb650144291bac2182d41814

SHA512
9381cd3c8a9e65bd5d56495619ae0228df5c16e65df71a1e887cc9f596808b92d990e141261c04293e34874655993d65e46e79cc30ab3c19e27c35c67af5d1fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
2b0826a2dc54e6cbada4d8f92207b3dd

SHA1
9ae88ad1f283fcff53ed91423f0879a5a20408c1

SHA256
724c88b8d2fb331c86daaf5605f2384693144743eb650144291bac2182d41814

SHA512
9381cd3c8a9e65bd5d56495619ae0228df5c16e65df71a1e887cc9f596808b92d990e141261c04293e34874655993d65e46e79cc30ab3c19e27c35c67af5d1fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
2b0826a2dc54e6cbada4d8f92207b3dd

SHA1
9ae88ad1f283fcff53ed91423f0879a5a20408c1

SHA256
724c88b8d2fb331c86daaf5605f2384693144743eb650144291bac2182d41814

SHA512
9381cd3c8a9e65bd5d56495619ae0228df5c16e65df71a1e887cc9f596808b92d990e141261c04293e34874655993d65e46e79cc30ab3c19e27c35c67af5d1fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
6c28961a1274bd25703074462bccc15b

SHA1
bc7153f23a3248cc2e94e9c8b684989c9c45ea7d

SHA256
973660a3a1e933654f1af4ee8c56da329aea9311e4e228a70830040bc8117ab8

SHA512
8e999b1255337ec57e1f43adec21ab79abeace9d4bf2f84eaa1b8673d7ac933347c52af866e726e2ed1aad9bc215c1a6b9b6f7169b1a88f6d6e51e110e9fc051

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
6c28961a1274bd25703074462bccc15b

SHA1
bc7153f23a3248cc2e94e9c8b684989c9c45ea7d

SHA256
973660a3a1e933654f1af4ee8c56da329aea9311e4e228a70830040bc8117ab8

SHA512
8e999b1255337ec57e1f43adec21ab79abeace9d4bf2f84eaa1b8673d7ac933347c52af866e726e2ed1aad9bc215c1a6b9b6f7169b1a88f6d6e51e110e9fc051

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
7bd7494466ad4f15bf0aa1494666921a

SHA1
d83e2ccc2f0a9cf65b9c7dcf78680935b5385491

SHA256
3593815f162e25a74673a6d94b18a234f0fb9c879f08b6f5d66931de5fd8a71a

SHA512
f73ab5ce78d7a0acee89dfa3bee6fcf8b722e1eb8d8dcd75cb9db794856e2c580537726570b7079ddd97e599f41e75c80bacb9a5f4e99ba3b8202349ef62cbe9

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
4264b9bc01be87029e79d5c5fa7180fa

SHA1
e2a2e48f66dfbb5072eb1be4a1d525fb63e2b3e4

SHA256
b02170cdd2211e407eb718a84b9ac881df4cf0f3ebedf6b1577668acb80f6836

SHA512
5a582e425dd29f486664c5d2773522426ffc339ef5157760a70b1904d102f3fabadc48a1b3d0f412928c0b5cb4217ebf91109448f582e4103ffc07df6afc7fe7

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
dd94aa27b70e223061a1b52a7b5a28e4

SHA1
64ccad1bab0ea3dae483218ae9295e4d68fbd462

SHA256
6be439a261c0943da5a5f5ef1e990824ce910a5eedb5bc195549023fb6d81e43

SHA512
39cc3f10d0728c306614acdbdc5b76cfd226dbfda9278928dc4bfd8fe61a6aa08aa964aaffd85486a04b73d2e36ab53b5181225ef6e1375664ee7c1aceef881e

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
dd94aa27b70e223061a1b52a7b5a28e4

SHA1
64ccad1bab0ea3dae483218ae9295e4d68fbd462

SHA256
6be439a261c0943da5a5f5ef1e990824ce910a5eedb5bc195549023fb6d81e43

SHA512
39cc3f10d0728c306614acdbdc5b76cfd226dbfda9278928dc4bfd8fe61a6aa08aa964aaffd85486a04b73d2e36ab53b5181225ef6e1375664ee7c1aceef881e

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
319af7764f8d5854335013663439d64f

SHA1
7f8e4d493083a5594d943fb44bfce51cd0b25acf

SHA256
3b205cfbef971e279ad634220a64b6d5135223457908c782724c9222eda7762e

SHA512
c876b55402e70e0bd41e6121b120205c442f8bb5f5ceec0b6f5343d1d683aa134d60e3c1e1b527def791d7d8418a6261dae07a835ab99b8ca09e635c4e13f92c

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
319af7764f8d5854335013663439d64f

SHA1
7f8e4d493083a5594d943fb44bfce51cd0b25acf

SHA256
3b205cfbef971e279ad634220a64b6d5135223457908c782724c9222eda7762e

SHA512
c876b55402e70e0bd41e6121b120205c442f8bb5f5ceec0b6f5343d1d683aa134d60e3c1e1b527def791d7d8418a6261dae07a835ab99b8ca09e635c4e13f92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3249709040\System Restore.exe

Filesize
72KB

MD5
a38139ace84c30bf60ffe8771e08251f

SHA1
13f88842d0fc25812acb639b96c5b731f20f43f9

SHA256
0c1e3dd98cec74239dd4b2c7f011b6e52408aa81741f276b658ee512713eada4

SHA512
3b185be1f07f4d138d59ae6bf1bf5892eaa5444649c2ea065285e30654b6b66c300c41c6bc5f85c40751a9497a201b2e6332e21fb36f855a3cb3fda8ab4e07ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3249709040\System Restore.exe

Filesize
72KB

MD5
a38139ace84c30bf60ffe8771e08251f

SHA1
13f88842d0fc25812acb639b96c5b731f20f43f9

SHA256
0c1e3dd98cec74239dd4b2c7f011b6e52408aa81741f276b658ee512713eada4

SHA512
3b185be1f07f4d138d59ae6bf1bf5892eaa5444649c2ea065285e30654b6b66c300c41c6bc5f85c40751a9497a201b2e6332e21fb36f855a3cb3fda8ab4e07ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a38139ace84c30bf60ffe8771e08251f

SHA1
13f88842d0fc25812acb639b96c5b731f20f43f9

SHA256
0c1e3dd98cec74239dd4b2c7f011b6e52408aa81741f276b658ee512713eada4

SHA512
3b185be1f07f4d138d59ae6bf1bf5892eaa5444649c2ea065285e30654b6b66c300c41c6bc5f85c40751a9497a201b2e6332e21fb36f855a3cb3fda8ab4e07ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a38139ace84c30bf60ffe8771e08251f

SHA1
13f88842d0fc25812acb639b96c5b731f20f43f9

SHA256
0c1e3dd98cec74239dd4b2c7f011b6e52408aa81741f276b658ee512713eada4

SHA512
3b185be1f07f4d138d59ae6bf1bf5892eaa5444649c2ea065285e30654b6b66c300c41c6bc5f85c40751a9497a201b2e6332e21fb36f855a3cb3fda8ab4e07ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a99452d3440d757ee8d7e876885e44b0

SHA1
2a348661c9d7d2da24bdc6e700b1ba88bb33f301

SHA256
2817eb12949d4877433f21d9486d3c1757bbc67cbbf1a9d13e8a80a2740acaeb

SHA512
f56495135b77fa14eadf49976eaa1ecffb0c6b6c35af0d92131ea1b3190f6f54df0cf6b1c403a4d72755924f2259af05e434cb795b38d85c6fc177498580e68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a99452d3440d757ee8d7e876885e44b0

SHA1
2a348661c9d7d2da24bdc6e700b1ba88bb33f301

SHA256
2817eb12949d4877433f21d9486d3c1757bbc67cbbf1a9d13e8a80a2740acaeb

SHA512
f56495135b77fa14eadf49976eaa1ecffb0c6b6c35af0d92131ea1b3190f6f54df0cf6b1c403a4d72755924f2259af05e434cb795b38d85c6fc177498580e68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a99452d3440d757ee8d7e876885e44b0

SHA1
2a348661c9d7d2da24bdc6e700b1ba88bb33f301

SHA256
2817eb12949d4877433f21d9486d3c1757bbc67cbbf1a9d13e8a80a2740acaeb

SHA512
f56495135b77fa14eadf49976eaa1ecffb0c6b6c35af0d92131ea1b3190f6f54df0cf6b1c403a4d72755924f2259af05e434cb795b38d85c6fc177498580e68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a99452d3440d757ee8d7e876885e44b0

SHA1
2a348661c9d7d2da24bdc6e700b1ba88bb33f301

SHA256
2817eb12949d4877433f21d9486d3c1757bbc67cbbf1a9d13e8a80a2740acaeb

SHA512
f56495135b77fa14eadf49976eaa1ecffb0c6b6c35af0d92131ea1b3190f6f54df0cf6b1c403a4d72755924f2259af05e434cb795b38d85c6fc177498580e68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
a38139ace84c30bf60ffe8771e08251f

SHA1
13f88842d0fc25812acb639b96c5b731f20f43f9

SHA256
0c1e3dd98cec74239dd4b2c7f011b6e52408aa81741f276b658ee512713eada4

SHA512
3b185be1f07f4d138d59ae6bf1bf5892eaa5444649c2ea065285e30654b6b66c300c41c6bc5f85c40751a9497a201b2e6332e21fb36f855a3cb3fda8ab4e07ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
a38139ace84c30bf60ffe8771e08251f

SHA1
13f88842d0fc25812acb639b96c5b731f20f43f9

SHA256
0c1e3dd98cec74239dd4b2c7f011b6e52408aa81741f276b658ee512713eada4

SHA512
3b185be1f07f4d138d59ae6bf1bf5892eaa5444649c2ea065285e30654b6b66c300c41c6bc5f85c40751a9497a201b2e6332e21fb36f855a3cb3fda8ab4e07ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
a38139ace84c30bf60ffe8771e08251f

SHA1
13f88842d0fc25812acb639b96c5b731f20f43f9

SHA256
0c1e3dd98cec74239dd4b2c7f011b6e52408aa81741f276b658ee512713eada4

SHA512
3b185be1f07f4d138d59ae6bf1bf5892eaa5444649c2ea065285e30654b6b66c300c41c6bc5f85c40751a9497a201b2e6332e21fb36f855a3cb3fda8ab4e07ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
a38139ace84c30bf60ffe8771e08251f

SHA1
13f88842d0fc25812acb639b96c5b731f20f43f9

SHA256
0c1e3dd98cec74239dd4b2c7f011b6e52408aa81741f276b658ee512713eada4

SHA512
3b185be1f07f4d138d59ae6bf1bf5892eaa5444649c2ea065285e30654b6b66c300c41c6bc5f85c40751a9497a201b2e6332e21fb36f855a3cb3fda8ab4e07ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
a99452d3440d757ee8d7e876885e44b0

SHA1
2a348661c9d7d2da24bdc6e700b1ba88bb33f301

SHA256
2817eb12949d4877433f21d9486d3c1757bbc67cbbf1a9d13e8a80a2740acaeb

SHA512
f56495135b77fa14eadf49976eaa1ecffb0c6b6c35af0d92131ea1b3190f6f54df0cf6b1c403a4d72755924f2259af05e434cb795b38d85c6fc177498580e68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
a99452d3440d757ee8d7e876885e44b0

SHA1
2a348661c9d7d2da24bdc6e700b1ba88bb33f301

SHA256
2817eb12949d4877433f21d9486d3c1757bbc67cbbf1a9d13e8a80a2740acaeb

SHA512
f56495135b77fa14eadf49976eaa1ecffb0c6b6c35af0d92131ea1b3190f6f54df0cf6b1c403a4d72755924f2259af05e434cb795b38d85c6fc177498580e68e

Download Submit
C:\backup.exe

Filesize
72KB

MD5
67c31b9d9322e14a25d23f77c1ed011c

SHA1
eb350332a75fa00d6b1d23de867356b2a6f017cd

SHA256
68a77ae7e9bd6c5fc628241f55bde1cb2e702dd6c76abfdb22418d9b6e02b571

SHA512
039e6ca8badcfd7d30dc099a3ce0362fb902b72e1cfeb978929ee2399bf147a44b2c02d95b43e79584afacb014c2bf196e25345cf9ec986a5128d7116211aa4a

Download Submit
C:\backup.exe

Filesize
72KB

MD5
67c31b9d9322e14a25d23f77c1ed011c

SHA1
eb350332a75fa00d6b1d23de867356b2a6f017cd

SHA256
68a77ae7e9bd6c5fc628241f55bde1cb2e702dd6c76abfdb22418d9b6e02b571

SHA512
039e6ca8badcfd7d30dc099a3ce0362fb902b72e1cfeb978929ee2399bf147a44b2c02d95b43e79584afacb014c2bf196e25345cf9ec986a5128d7116211aa4a

Download Submit
C:\odt\update.exe

Filesize
72KB

MD5
adcd1a2f9379ebf91ae743343458efd3

SHA1
a8cd41d33c0c6e80997f7eb1bb2dab0855ded066

SHA256
98fd7afdc6447ffdb6f105480bcb3666cd10fabb6999056cfd29c85d2e824316

SHA512
ee7bb6b70ae5d090a2eeacafcc9ca799416e20bdf7b2d2dd3a674d2f06f4678f516202252df611b2698794a09264fff0e3c43eb239a6952ae50b12a763375663

Download Submit
C:\odt\update.exe

Filesize
72KB

MD5
adcd1a2f9379ebf91ae743343458efd3

SHA1
a8cd41d33c0c6e80997f7eb1bb2dab0855ded066

SHA256
98fd7afdc6447ffdb6f105480bcb3666cd10fabb6999056cfd29c85d2e824316

SHA512
ee7bb6b70ae5d090a2eeacafcc9ca799416e20bdf7b2d2dd3a674d2f06f4678f516202252df611b2698794a09264fff0e3c43eb239a6952ae50b12a763375663

Download Submit
memory/336-303-0x0000000000000000-mapping.dmp

Download
memory/740-174-0x0000000000000000-mapping.dmp

Download
memory/744-241-0x0000000000000000-mapping.dmp

Download
memory/884-209-0x0000000000000000-mapping.dmp

Download
memory/1036-354-0x0000000000000000-mapping.dmp

Download
memory/1468-243-0x0000000000000000-mapping.dmp

Download
memory/1536-361-0x0000000000000000-mapping.dmp

Download
memory/1544-134-0x0000000000000000-mapping.dmp

Download
memory/1748-189-0x0000000000000000-mapping.dmp

Download
memory/1840-240-0x0000000000000000-mapping.dmp

Download
memory/2164-366-0x0000000000000000-mapping.dmp

Download
memory/2216-336-0x0000000000000000-mapping.dmp

Download
memory/2304-179-0x0000000000000000-mapping.dmp

Download
memory/2400-229-0x0000000000000000-mapping.dmp

Download
memory/2580-149-0x0000000000000000-mapping.dmp

Download
memory/2676-224-0x0000000000000000-mapping.dmp

Download
memory/2796-337-0x0000000000000000-mapping.dmp

Download
memory/2816-164-0x0000000000000000-mapping.dmp

Download
memory/2888-367-0x0000000000000000-mapping.dmp

Download
memory/2944-360-0x0000000000000000-mapping.dmp

Download
memory/3056-323-0x0000000000000000-mapping.dmp

Download
memory/3096-199-0x0000000000000000-mapping.dmp

Download
memory/3160-332-0x0000000000000000-mapping.dmp

Download
memory/3168-242-0x0000000000000000-mapping.dmp

Download
memory/3260-359-0x0000000000000000-mapping.dmp

Download
memory/3276-363-0x0000000000000000-mapping.dmp

Download
memory/3336-279-0x0000000000000000-mapping.dmp

Download
memory/3348-306-0x0000000000000000-mapping.dmp

Download
memory/3416-318-0x0000000000000000-mapping.dmp

Download
memory/3488-219-0x0000000000000000-mapping.dmp

Download
memory/3492-357-0x0000000000000000-mapping.dmp

Download
memory/3504-154-0x0000000000000000-mapping.dmp

Download
memory/3528-139-0x0000000000000000-mapping.dmp

Download
memory/3544-308-0x0000000000000000-mapping.dmp

Download
memory/3624-204-0x0000000000000000-mapping.dmp

Download
memory/3644-194-0x0000000000000000-mapping.dmp

Download
memory/3644-348-0x0000000000000000-mapping.dmp

Download
memory/3728-281-0x0000000000000000-mapping.dmp

Download
memory/3912-280-0x0000000000000000-mapping.dmp

Download
memory/4032-351-0x0000000000000000-mapping.dmp

Download
memory/4136-270-0x0000000000000000-mapping.dmp

Download
memory/4144-282-0x0000000000000000-mapping.dmp

Download
memory/4268-159-0x0000000000000000-mapping.dmp

Download
memory/4284-239-0x0000000000000000-mapping.dmp

Download
memory/4408-184-0x0000000000000000-mapping.dmp

Download
memory/4436-307-0x0000000000000000-mapping.dmp

Download
memory/4468-358-0x0000000000000000-mapping.dmp

Download
memory/4528-342-0x0000000000000000-mapping.dmp

Download
memory/4608-291-0x0000000000000000-mapping.dmp

Download
memory/4640-144-0x0000000000000000-mapping.dmp

Download
memory/4652-214-0x0000000000000000-mapping.dmp

Download
memory/4656-169-0x0000000000000000-mapping.dmp

Download
memory/4672-343-0x0000000000000000-mapping.dmp

Download
memory/4676-365-0x0000000000000000-mapping.dmp

Download
memory/4676-234-0x0000000000000000-mapping.dmp

Download
memory/4728-264-0x0000000000000000-mapping.dmp

Download
memory/4776-364-0x0000000000000000-mapping.dmp

Download
memory/4852-326-0x0000000000000000-mapping.dmp

Download
memory/4948-304-0x0000000000000000-mapping.dmp

Download
memory/4952-269-0x0000000000000000-mapping.dmp

Download
memory/4992-362-0x0000000000000000-mapping.dmp

Download
memory/5032-319-0x0000000000000000-mapping.dmp

Download
memory/5048-300-0x0000000000000000-mapping.dmp

Download
memory/5052-325-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads