1a2aaf3a773cd8d26d0c775463408557c19060888a0493258e5fdb5e84e39ffa

Analysis

max time kernel
230s
max time network
240s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe
Size

72KB
MD5

958002ab1d9f0027c1e1e1cfc1cb0b90
SHA1

5fdc6da36921e288f83e6b7b5f12daf020dc104c
SHA256

1a2aaf3a773cd8d26d0c775463408557c19060888a0493258e5fdb5e84e39ffa
SHA512

403e47478a8c61a99983da6b676ac395d7864ab8b425d51ca4f2d676c0a536e4249ee3af769943eb41d525195d7cfde390080aa519507786d47ca7cc549aca49
SSDEEP

768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd0xdrr:HeT7BVwxfvqguKcN

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
3108	backup.exe
5100	backup.exe
1816	backup.exe
4464	backup.exe
3436	backup.exe
4844	System Restore.exe
1876	backup.exe
1108	backup.exe
4488	backup.exe
4028	backup.exe
1576	backup.exe
1092	backup.exe
5056	backup.exe
628	backup.exe
3988	backup.exe
4212	backup.exe
2404	backup.exe
400	backup.exe
1324	backup.exe
4272	backup.exe
3000	backup.exe
2972	backup.exe
4332	backup.exe
3832	backup.exe
724	backup.exe
1108	backup.exe
4444	data.exe
1576	backup.exe
2352	backup.exe
2768	backup.exe
2040	backup.exe
4484	data.exe
2204	backup.exe
1268	backup.exe
5092	backup.exe
2976	backup.exe
1636	backup.exe
4852	data.exe
4652	backup.exe
728	backup.exe
1664	backup.exe
3500	backup.exe
656	backup.exe
4436	backup.exe
2848	System Restore.exe
5044	backup.exe
3824	backup.exe
1692	backup.exe
1508	backup.exe
3624	backup.exe
3388	backup.exe
2164	backup.exe
4552	backup.exe
4688	backup.exe
264	backup.exe
2236	backup.exe
724	System Restore.exe
4848	backup.exe
2160	System Restore.exe
2548	backup.exe
2880	backup.exe
3832	backup.exe
4224	backup.exe
3084	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe	backup.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	System Restore.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	System Restore.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\System Restore.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	System Restore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe
3108	backup.exe
5100	backup.exe
1816	backup.exe
4464	backup.exe
3436	backup.exe
4844	System Restore.exe
1876	backup.exe
1108	backup.exe
4028	backup.exe
4488	backup.exe
1576	backup.exe
1092	backup.exe
5056	backup.exe
628	backup.exe
3988	backup.exe
4212	backup.exe
2404	backup.exe
400	backup.exe
4272	backup.exe
3000	backup.exe
2972	backup.exe
1324	backup.exe
3832	backup.exe
4332	backup.exe
724	backup.exe
1108	backup.exe
4444	data.exe
1576	backup.exe
5092	backup.exe
2352	backup.exe
4484	data.exe
1268	backup.exe
2204	backup.exe
2768	backup.exe
2040	backup.exe
2976	backup.exe
4852	data.exe
4652	backup.exe
1664	backup.exe
5044	backup.exe
4436	backup.exe
2848	System Restore.exe
3624	backup.exe
728	backup.exe
3824	backup.exe
656	backup.exe
1692	backup.exe
1508	backup.exe
3500	backup.exe
3388	backup.exe
2164	backup.exe
4552	backup.exe
4848	backup.exe
724	System Restore.exe
3832	backup.exe
2880	backup.exe
2160	System Restore.exe
264	backup.exe
3084	backup.exe
4688	backup.exe
2236	backup.exe
4224	backup.exe
2548	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 3108	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	91
PID 4664 wrote to memory of 3108	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	91
PID 4664 wrote to memory of 3108	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	91
PID 4664 wrote to memory of 5100	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	92
PID 4664 wrote to memory of 5100	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	92
PID 4664 wrote to memory of 5100	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	92
PID 4664 wrote to memory of 1816	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	93
PID 4664 wrote to memory of 1816	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	93
PID 4664 wrote to memory of 1816	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	93
PID 4664 wrote to memory of 4464	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	94
PID 4664 wrote to memory of 4464	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	94
PID 4664 wrote to memory of 4464	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	94
PID 4664 wrote to memory of 3436	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	95
PID 4664 wrote to memory of 3436	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	95
PID 4664 wrote to memory of 3436	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	95
PID 4664 wrote to memory of 4844	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	96
PID 4664 wrote to memory of 4844	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	96
PID 4664 wrote to memory of 4844	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	96
PID 4664 wrote to memory of 1876	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	98
PID 4664 wrote to memory of 1876	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	98
PID 4664 wrote to memory of 1876	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	98
PID 4664 wrote to memory of 1108	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	99
PID 4664 wrote to memory of 1108	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	99
PID 4664 wrote to memory of 1108	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	99
PID 4664 wrote to memory of 4488	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	100
PID 4664 wrote to memory of 4488	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	100
PID 4664 wrote to memory of 4488	4664	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe	100
PID 3108 wrote to memory of 4028	3108	backup.exe	101
PID 3108 wrote to memory of 4028	3108	backup.exe	101
PID 3108 wrote to memory of 4028	3108	backup.exe	101
PID 4028 wrote to memory of 1576	4028	backup.exe	102
PID 4028 wrote to memory of 1576	4028	backup.exe	102
PID 4028 wrote to memory of 1576	4028	backup.exe	102
PID 4488 wrote to memory of 1092	4488	backup.exe	103
PID 4488 wrote to memory of 1092	4488	backup.exe	103
PID 4488 wrote to memory of 1092	4488	backup.exe	103
PID 4028 wrote to memory of 5056	4028	backup.exe	104
PID 4028 wrote to memory of 5056	4028	backup.exe	104
PID 4028 wrote to memory of 5056	4028	backup.exe	104
PID 1092 wrote to memory of 628	1092	backup.exe	105
PID 1092 wrote to memory of 628	1092	backup.exe	105
PID 1092 wrote to memory of 628	1092	backup.exe	105
PID 4028 wrote to memory of 3988	4028	backup.exe	106
PID 4028 wrote to memory of 3988	4028	backup.exe	106
PID 4028 wrote to memory of 3988	4028	backup.exe	106
PID 4028 wrote to memory of 4212	4028	backup.exe	107
PID 4028 wrote to memory of 4212	4028	backup.exe	107
PID 4028 wrote to memory of 4212	4028	backup.exe	107
PID 3988 wrote to memory of 2404	3988	backup.exe	108
PID 3988 wrote to memory of 2404	3988	backup.exe	108
PID 3988 wrote to memory of 2404	3988	backup.exe	108
PID 4212 wrote to memory of 400	4212	backup.exe	109
PID 4212 wrote to memory of 400	4212	backup.exe	109
PID 4212 wrote to memory of 400	4212	backup.exe	109
PID 2404 wrote to memory of 1324	2404	backup.exe	111
PID 2404 wrote to memory of 1324	2404	backup.exe	111
PID 2404 wrote to memory of 1324	2404	backup.exe	111
PID 400 wrote to memory of 4272	400	backup.exe	112
PID 400 wrote to memory of 4272	400	backup.exe	112
PID 400 wrote to memory of 4272	400	backup.exe	112
PID 4028 wrote to memory of 3000	4028	backup.exe	114
PID 4028 wrote to memory of 3000	4028	backup.exe	114
PID 4028 wrote to memory of 3000	4028	backup.exe	114
PID 3988 wrote to memory of 2972	3988	backup.exe	113

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.958002ab1d9f0027c1e1e1cfc1cb0b90.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4664
- C:\Users\Admin\AppData\Local\Temp\{E8AE7625-4154-4713-92F0-00D2FC47E9A5}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{E8AE7625-4154-4713-92F0-00D2FC47E9A5}\backup.exe C:\Users\Admin\AppData\Local\Temp\{E8AE7625-4154-4713-92F0-00D2FC47E9A5}\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3108
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1576
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5056
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3988
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2404
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1324
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2972
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3832
      - C:\Program Files\Common Files\microsoft shared\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\data.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4444
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:656
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3084
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        System policy modification
        
        PID:2752
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        
        PID:4588
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        
        PID:4660
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        
        PID:2828
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2976
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2164
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4768
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        System policy modification
        
        PID:1212
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2360
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2064
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1576
      - C:\Program Files\Google\Chrome\data.exe
        
        "C:\Program Files\Google\Chrome\data.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4852
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3624
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4848
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3264
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        System policy modification
        
        PID:4824
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:448
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:4736
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        
        PID:2476
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:5044
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:264
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2132
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1820
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3152
      - C:\Program Files\Internet Explorer\images\System Restore.exe
        
        "C:\Program Files\Internet Explorer\images\System Restore.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1976
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:400
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4272
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:724
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3500
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2880
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Drops file in Program Files directory
        
        PID:1844
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2220
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3720
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        System policy modification
        
        PID:2120
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:2444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3824
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4876
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:4708
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3480
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        Drops file in Windows directory
        
        PID:2948
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1820
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1108
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1268
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1636
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3388
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4688
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2968
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4860
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4232
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:2364
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3832
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:540
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        Drops file in Program Files directory
        
        PID:364
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:1888
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:3132
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5092
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4652
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4436
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:4056
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4880
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:4644
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
        9⤵
        
        PID:3636
    - - C:\Program Files (x86)\Internet Explorer\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\System Restore.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2848
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4224
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3780
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:2352
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4176
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:1096
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3000
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4332
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2352
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1664
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4552
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2380
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        System policy modification
        
        PID:2668
      - C:\Users\Admin\Favorites\data.exe
        
        C:\Users\Admin\Favorites\data.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1872
    - - C:\Users\Public\data.exe
        
        C:\Users\Public\data.exe C:\Users\Public\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4484
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:2548
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4868
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3588
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        System policy modification
        
        PID:728
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2768
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:728
    - - C:\Windows\appcompat\System Restore.exe
        
        "C:\Windows\appcompat\System Restore.exe" C:\Windows\appcompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:724
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        
        PID:2948
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:4428
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1836
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        System policy modification
        
        PID:2520
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2548
- C:\Users\Admin\AppData\Local\Temp\1089208526\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1089208526\backup.exe C:\Users\Admin\AppData\Local\Temp\1089208526\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:5100
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4464
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3436
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4844
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1876
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1108
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:628

C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
1⤵
- System policy modification
PID:3136

C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
1⤵
- Modifies visibility of file extensions in Explorer
PID:5052

C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
"C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
1⤵
- Modifies visibility of file extensions in Explorer
PID:3972
- C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
  "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
  2⤵
  - System policy modification
  PID:4388

C:\Program Files\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
1⤵
- Modifies visibility of file extensions in Explorer
PID:1604

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
e268e1fb3937557f14533734d2f5f0f1

SHA1
c77194a6b1e5ebdc7cecde58b00d0905695c4cc3

SHA256
d64af6bc09d6b0f881c7444af906cc9cc4c12b8649636bb8043c8aac984d55cd

SHA512
1b716b3307be3270a620956434739ffdbf228d52f725e52542c5fdaf0323e13ff165cb81800f62d628d53562dea77a3279ef74736c43e88563fb6e5910d933fe

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
e268e1fb3937557f14533734d2f5f0f1

SHA1
c77194a6b1e5ebdc7cecde58b00d0905695c4cc3

SHA256
d64af6bc09d6b0f881c7444af906cc9cc4c12b8649636bb8043c8aac984d55cd

SHA512
1b716b3307be3270a620956434739ffdbf228d52f725e52542c5fdaf0323e13ff165cb81800f62d628d53562dea77a3279ef74736c43e88563fb6e5910d933fe

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
72KB

MD5
e28e3373f87d2eddcb200805ba685f9f

SHA1
01bc040205ed4b30855b576b656c776f82648440

SHA256
00074c7aa0bce266ef70b3a94117f9f048285b91bbe4df03d83a38f58a44f19d

SHA512
827d6040a6fda1d58c9078d69d985a6956030e274fa14d493cf25d43051dc6277401b6178f3e343de9a6bd9c5df9137946d74dbda1837bedd25782d4652d4701

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
72KB

MD5
e28e3373f87d2eddcb200805ba685f9f

SHA1
01bc040205ed4b30855b576b656c776f82648440

SHA256
00074c7aa0bce266ef70b3a94117f9f048285b91bbe4df03d83a38f58a44f19d

SHA512
827d6040a6fda1d58c9078d69d985a6956030e274fa14d493cf25d43051dc6277401b6178f3e343de9a6bd9c5df9137946d74dbda1837bedd25782d4652d4701

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe

Filesize
72KB

MD5
4d4182630e9425fcb771f5d071fccf16

SHA1
d76be447d52c1ee3c2f6110da14dfda912dfdab5

SHA256
28bc8779321d2d17b86f8e8ae1f0b45b1cbdad0bb47beabab05a27c89055259c

SHA512
c858e2876f79940927f02b9dd08649e32af2b89a7e050fdff1fa561c61ae6c1b219db531b5f76b95d928f52176122c108a104abd125e773f6f51beb8c94b55bf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe

Filesize
72KB

MD5
4d4182630e9425fcb771f5d071fccf16

SHA1
d76be447d52c1ee3c2f6110da14dfda912dfdab5

SHA256
28bc8779321d2d17b86f8e8ae1f0b45b1cbdad0bb47beabab05a27c89055259c

SHA512
c858e2876f79940927f02b9dd08649e32af2b89a7e050fdff1fa561c61ae6c1b219db531b5f76b95d928f52176122c108a104abd125e773f6f51beb8c94b55bf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
72KB

MD5
1861c74f10bf9733587a0270e90485a8

SHA1
cac228c272f473702299dd18136b0ceb27c4ceb4

SHA256
72ff0babec3d0e76612c32f638c45bfb9ed0ff7caac6f200d93ca8e961841c2d

SHA512
5e3e5f5a2f538ac7f84fc654ae54fe1760dc24f04d4e849b367a03d19926af23ee9a53f80ef42dab65ebeece638602c6ca181686c426b7f782d9fad6d60165c3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
72KB

MD5
1861c74f10bf9733587a0270e90485a8

SHA1
cac228c272f473702299dd18136b0ceb27c4ceb4

SHA256
72ff0babec3d0e76612c32f638c45bfb9ed0ff7caac6f200d93ca8e961841c2d

SHA512
5e3e5f5a2f538ac7f84fc654ae54fe1760dc24f04d4e849b367a03d19926af23ee9a53f80ef42dab65ebeece638602c6ca181686c426b7f782d9fad6d60165c3

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
b2685da1f548345a92eef7d194ddb2b6

SHA1
af99f41657e106abb90e690da3fbfd13d224fc10

SHA256
b08394a203c59c93c98b8ccd655b57d1495f00a02826f7b76728693a7c3f5d03

SHA512
b69abd8421248860453846400ed191d413ddde5d83e76abebfb6333cb50c44c4c4b66835709472dd587882f4b16fd75560cb85d3da3c5ee9095a080cbbf0f6ab

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
b2685da1f548345a92eef7d194ddb2b6

SHA1
af99f41657e106abb90e690da3fbfd13d224fc10

SHA256
b08394a203c59c93c98b8ccd655b57d1495f00a02826f7b76728693a7c3f5d03

SHA512
b69abd8421248860453846400ed191d413ddde5d83e76abebfb6333cb50c44c4c4b66835709472dd587882f4b16fd75560cb85d3da3c5ee9095a080cbbf0f6ab

Download Submit
C:\Program Files (x86)\Common Files\backup.exe

Filesize
72KB

MD5
b86b107657f75ff703d75157a39e3325

SHA1
b4cc5a00a36024a6c8888aad98c6ad55fae827e1

SHA256
9760a97d58c65ed7eb3489c592b1ef6f873aacf17b71b6ad9ea673684193eebb

SHA512
fbd52e0c5d4729321d8044d362ca49cab127f6a6687a6883f63aa0fac6703a72ec0f9f234d7f4dda4c8c1fbd0b36859bab84a267b36f6801ec8c0226819d707d

Download Submit
C:\Program Files (x86)\Common Files\backup.exe

Filesize
72KB

MD5
b86b107657f75ff703d75157a39e3325

SHA1
b4cc5a00a36024a6c8888aad98c6ad55fae827e1

SHA256
9760a97d58c65ed7eb3489c592b1ef6f873aacf17b71b6ad9ea673684193eebb

SHA512
fbd52e0c5d4729321d8044d362ca49cab127f6a6687a6883f63aa0fac6703a72ec0f9f234d7f4dda4c8c1fbd0b36859bab84a267b36f6801ec8c0226819d707d

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
a60aa41c2977608a5f79f4f19c57994a

SHA1
069dd1110db13fbc922363ce04b863f01292b0df

SHA256
1999597f272a2700c6123bf58668de0d72a6cd7e1b97af91a1311cb1df7172a8

SHA512
fa6031166633827a628fc101eba1c1989831a4d2a92d1e8dc4bea8649ff6c4708642060902c95daef8c3a91ce67034bc0b93ef8b8e248352cd05237f76000bf5

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
a60aa41c2977608a5f79f4f19c57994a

SHA1
069dd1110db13fbc922363ce04b863f01292b0df

SHA256
1999597f272a2700c6123bf58668de0d72a6cd7e1b97af91a1311cb1df7172a8

SHA512
fa6031166633827a628fc101eba1c1989831a4d2a92d1e8dc4bea8649ff6c4708642060902c95daef8c3a91ce67034bc0b93ef8b8e248352cd05237f76000bf5

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
9a76b727c4dd73401aadd9c785801c57

SHA1
f0b42fba0634c0666c67bcbcaff1413993680d97

SHA256
d82adb955c76c675bd07b5ca4996b736147ffa2e652703d7700bfa71f29b3859

SHA512
b4ddb9cf19a7a032b345044dbadf07b0b65e3b998a43e0eb55e7fdc874ce1e750f4647d815e26ac3b73085c77820b0104a4d50ef617db591e116152558980bd1

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
9a76b727c4dd73401aadd9c785801c57

SHA1
f0b42fba0634c0666c67bcbcaff1413993680d97

SHA256
d82adb955c76c675bd07b5ca4996b736147ffa2e652703d7700bfa71f29b3859

SHA512
b4ddb9cf19a7a032b345044dbadf07b0b65e3b998a43e0eb55e7fdc874ce1e750f4647d815e26ac3b73085c77820b0104a4d50ef617db591e116152558980bd1

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
836ccacb8c4126a8afd209644ba98d52

SHA1
8fd627737f64560926bdcc97f2d12ce79dbcb1c7

SHA256
4781b50de2a78ab2bc778f60321c987b58063e4f0b8288e63559d46828569ee0

SHA512
bdfe2e9a16207fd0b8c35fa34862638cc0867f93f265e83be46b0a987bc5e0513b101c412ccff23213b077a33da4377b1c0c23e854e72ef9148559264d08a03c

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
836ccacb8c4126a8afd209644ba98d52

SHA1
8fd627737f64560926bdcc97f2d12ce79dbcb1c7

SHA256
4781b50de2a78ab2bc778f60321c987b58063e4f0b8288e63559d46828569ee0

SHA512
bdfe2e9a16207fd0b8c35fa34862638cc0867f93f265e83be46b0a987bc5e0513b101c412ccff23213b077a33da4377b1c0c23e854e72ef9148559264d08a03c

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
7e7e107a621b25c4de044336f6b4f399

SHA1
cca11c6627fafe3d37e8441fdae5096898b3952f

SHA256
c65071ff1d35256bc24bf5b001f7a62823ea986a3630c19ec448679d04ed337e

SHA512
aec83213c4871e9d4c52455bc4c04586e82e21766670c19545c7790940f2e9fa766973b2c6e818887d84a94c79de5160d8840f7db9ce1691ea385d930c0656f0

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
7e7e107a621b25c4de044336f6b4f399

SHA1
cca11c6627fafe3d37e8441fdae5096898b3952f

SHA256
c65071ff1d35256bc24bf5b001f7a62823ea986a3630c19ec448679d04ed337e

SHA512
aec83213c4871e9d4c52455bc4c04586e82e21766670c19545c7790940f2e9fa766973b2c6e818887d84a94c79de5160d8840f7db9ce1691ea385d930c0656f0

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
6e9fd0992036887308af5a3da0e3fe95

SHA1
43e48d447f41dfd5e41e93f8b5da3e187eebba66

SHA256
cc982fd86b5e1dd3388fc65d1bbc84c5746cdad0e9cad9eb13db8c8ac1b01dd1

SHA512
57eb550540c4964179c846efc0f242babf24fe1181de6514d24277a1303a2ca25c802c1bf39911e43ddf57ca2a6e38c4cbe8be67d878e425753d7cb98b4e4cc9

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
6e9fd0992036887308af5a3da0e3fe95

SHA1
43e48d447f41dfd5e41e93f8b5da3e187eebba66

SHA256
cc982fd86b5e1dd3388fc65d1bbc84c5746cdad0e9cad9eb13db8c8ac1b01dd1

SHA512
57eb550540c4964179c846efc0f242babf24fe1181de6514d24277a1303a2ca25c802c1bf39911e43ddf57ca2a6e38c4cbe8be67d878e425753d7cb98b4e4cc9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
ebe48a27fdeebe585efb234268749b34

SHA1
db00695ba3b9507905f08aa815321541d959fb46

SHA256
ee653a694a3655fbbe5154ed24c6d26179858da82ee83cc68c08120bd73a2620

SHA512
82c8f256617cbfc014710e32a5fa73d4f5480050daafc3325e815fceddb4344cc36cd886e58cea693911ba6c6c7d74d291b69707e2a65f2dd831661b0b856c5c

Download Submit
C:\Program Files\Common Files\microsoft shared\data.exe

Filesize
72KB

MD5
dc7da3f00fc0259165fc3fe85cf6dd20

SHA1
f58bce6a72c63cc8f17ea451a1a309d14ba62e28

SHA256
a2b1fe9b71c1de3d2882367378eb4d71bd7ea00d867c0b6f71a79aff2aa666b5

SHA512
8b44fc8e9eed9c68e9a8e21bd0b9e89b662a879ae4c34fdba054ebca75500297d33f919ba981f6534084ff1867fff06d2979820db34747d93e31c42ca02b529b

Download Submit
C:\Program Files\Common Files\microsoft shared\data.exe

Filesize
72KB

MD5
dc7da3f00fc0259165fc3fe85cf6dd20

SHA1
f58bce6a72c63cc8f17ea451a1a309d14ba62e28

SHA256
a2b1fe9b71c1de3d2882367378eb4d71bd7ea00d867c0b6f71a79aff2aa666b5

SHA512
8b44fc8e9eed9c68e9a8e21bd0b9e89b662a879ae4c34fdba054ebca75500297d33f919ba981f6534084ff1867fff06d2979820db34747d93e31c42ca02b529b

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
7369c320b588577929a1d2414ac23e4d

SHA1
a31959b58e3630f5ba873247d7e7a70b29e55c5e

SHA256
97764cf87a1dda9a11c08bea6bb7c2ae75cd7e1ceb22855331b5d506ee39ae31

SHA512
0b49926a7a1d3504600b5a4842fb0069f382cfffbeda9eac55517cb8e6cb7a3bc86848e053aac31ac9adfab4cdf6b13c3353f6f7365af714f57abd8b3f326a6e

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
7369c320b588577929a1d2414ac23e4d

SHA1
a31959b58e3630f5ba873247d7e7a70b29e55c5e

SHA256
97764cf87a1dda9a11c08bea6bb7c2ae75cd7e1ceb22855331b5d506ee39ae31

SHA512
0b49926a7a1d3504600b5a4842fb0069f382cfffbeda9eac55517cb8e6cb7a3bc86848e053aac31ac9adfab4cdf6b13c3353f6f7365af714f57abd8b3f326a6e

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
ac0754687ad3c4195a8fc11afe891bf0

SHA1
33ee90275758c3e2ce2ee34c011e9d8296dbc5b4

SHA256
482a1a41257265217554ceaf1168fa90620bf1e2720b197609b2c350d474d9c6

SHA512
d9574062be15e5e15702ea97f8867ed3c7aa5ee5d531b1bb7186ec6acf8ad75e37937239d2836d2925b62a3a1866de759786e0de2a258c35f22ee30b68c49e2c

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
ac0754687ad3c4195a8fc11afe891bf0

SHA1
33ee90275758c3e2ce2ee34c011e9d8296dbc5b4

SHA256
482a1a41257265217554ceaf1168fa90620bf1e2720b197609b2c350d474d9c6

SHA512
d9574062be15e5e15702ea97f8867ed3c7aa5ee5d531b1bb7186ec6acf8ad75e37937239d2836d2925b62a3a1866de759786e0de2a258c35f22ee30b68c49e2c

Download Submit
C:\Users\Admin\3D Objects\backup.exe

Filesize
72KB

MD5
a917e2e13b18ec149f17a62de771b36d

SHA1
537d53a0b0a7d94e29ef0ef12270156518696451

SHA256
4b4e0fc5c4736f6749cffd759c159a99e3f76a484c518f6d70fc08dd2e58f49d

SHA512
4d52e6b0bb2682078075f6b41f4e07c20f52eed245f376a1aa975bbc025cec432ba7b7c5c7f3d7d50f2c5d8cc2f1b55d3e76e2c00fa59fb6a49dd5007167ae1a

Download Submit
C:\Users\Admin\3D Objects\backup.exe

Filesize
72KB

MD5
a917e2e13b18ec149f17a62de771b36d

SHA1
537d53a0b0a7d94e29ef0ef12270156518696451

SHA256
4b4e0fc5c4736f6749cffd759c159a99e3f76a484c518f6d70fc08dd2e58f49d

SHA512
4d52e6b0bb2682078075f6b41f4e07c20f52eed245f376a1aa975bbc025cec432ba7b7c5c7f3d7d50f2c5d8cc2f1b55d3e76e2c00fa59fb6a49dd5007167ae1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089208526\backup.exe

Filesize
72KB

MD5
2a5968a7e1c6289fc1a024ba05af0d87

SHA1
153c4e7ffb7e1d02453b3bdf0cd6bfa9837a32b0

SHA256
3d1120a0cd1e816e81e961e54a7418e4a717ce665274eb9d1c18eeea31cbbcc0

SHA512
0b8f2a949c75977bbfc17b4a6880f437b08c06cb08bd3be442c29a1d946e423db6445d546244d640ffebc6ac118e9056ef301b28ab41e416d1e0aab75fc420d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089208526\backup.exe

Filesize
72KB

MD5
2a5968a7e1c6289fc1a024ba05af0d87

SHA1
153c4e7ffb7e1d02453b3bdf0cd6bfa9837a32b0

SHA256
3d1120a0cd1e816e81e961e54a7418e4a717ce665274eb9d1c18eeea31cbbcc0

SHA512
0b8f2a949c75977bbfc17b4a6880f437b08c06cb08bd3be442c29a1d946e423db6445d546244d640ffebc6ac118e9056ef301b28ab41e416d1e0aab75fc420d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089208526\backup.exe

Filesize
72KB

MD5
2a5968a7e1c6289fc1a024ba05af0d87

SHA1
153c4e7ffb7e1d02453b3bdf0cd6bfa9837a32b0

SHA256
3d1120a0cd1e816e81e961e54a7418e4a717ce665274eb9d1c18eeea31cbbcc0

SHA512
0b8f2a949c75977bbfc17b4a6880f437b08c06cb08bd3be442c29a1d946e423db6445d546244d640ffebc6ac118e9056ef301b28ab41e416d1e0aab75fc420d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a9f83e9efc237ba8cb38398fe3837715

SHA1
33d4212872f5d7d975ac3326c5083b97c41e130e

SHA256
26ff3e7444fc4290b3532e7242f0b66af00c707c3b4bad8c7797874854fa78ed

SHA512
1d875d2484297fc75a4ed9c99458112248b6caa97b23033d295f7a5e7b53225cdeb00b0ec7d99e82752420b65014e105b5d02c7aa4bc6fa7a7359ad0f9e42ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a9f83e9efc237ba8cb38398fe3837715

SHA1
33d4212872f5d7d975ac3326c5083b97c41e130e

SHA256
26ff3e7444fc4290b3532e7242f0b66af00c707c3b4bad8c7797874854fa78ed

SHA512
1d875d2484297fc75a4ed9c99458112248b6caa97b23033d295f7a5e7b53225cdeb00b0ec7d99e82752420b65014e105b5d02c7aa4bc6fa7a7359ad0f9e42ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
a9f83e9efc237ba8cb38398fe3837715

SHA1
33d4212872f5d7d975ac3326c5083b97c41e130e

SHA256
26ff3e7444fc4290b3532e7242f0b66af00c707c3b4bad8c7797874854fa78ed

SHA512
1d875d2484297fc75a4ed9c99458112248b6caa97b23033d295f7a5e7b53225cdeb00b0ec7d99e82752420b65014e105b5d02c7aa4bc6fa7a7359ad0f9e42ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
a9f83e9efc237ba8cb38398fe3837715

SHA1
33d4212872f5d7d975ac3326c5083b97c41e130e

SHA256
26ff3e7444fc4290b3532e7242f0b66af00c707c3b4bad8c7797874854fa78ed

SHA512
1d875d2484297fc75a4ed9c99458112248b6caa97b23033d295f7a5e7b53225cdeb00b0ec7d99e82752420b65014e105b5d02c7aa4bc6fa7a7359ad0f9e42ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a9f83e9efc237ba8cb38398fe3837715

SHA1
33d4212872f5d7d975ac3326c5083b97c41e130e

SHA256
26ff3e7444fc4290b3532e7242f0b66af00c707c3b4bad8c7797874854fa78ed

SHA512
1d875d2484297fc75a4ed9c99458112248b6caa97b23033d295f7a5e7b53225cdeb00b0ec7d99e82752420b65014e105b5d02c7aa4bc6fa7a7359ad0f9e42ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a9f83e9efc237ba8cb38398fe3837715

SHA1
33d4212872f5d7d975ac3326c5083b97c41e130e

SHA256
26ff3e7444fc4290b3532e7242f0b66af00c707c3b4bad8c7797874854fa78ed

SHA512
1d875d2484297fc75a4ed9c99458112248b6caa97b23033d295f7a5e7b53225cdeb00b0ec7d99e82752420b65014e105b5d02c7aa4bc6fa7a7359ad0f9e42ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
72KB

MD5
98fa8f6859a5527c2b7a2dac60234eed

SHA1
30642597b36d16e4d14c00d2ff731a82842b01c1

SHA256
57c81daf7c07603494df5be831a18059dbfe6334339bc1b71cf7f6614dad4e5d

SHA512
38cf73f340af77470e4af6d85febeb40fd235e5c87d45b36d6971e41b2b7a8a06e5ebb984d05c92f77168e6e5408d808e12ea69ea4efdfde08034d1f334a3c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
72KB

MD5
98fa8f6859a5527c2b7a2dac60234eed

SHA1
30642597b36d16e4d14c00d2ff731a82842b01c1

SHA256
57c81daf7c07603494df5be831a18059dbfe6334339bc1b71cf7f6614dad4e5d

SHA512
38cf73f340af77470e4af6d85febeb40fd235e5c87d45b36d6971e41b2b7a8a06e5ebb984d05c92f77168e6e5408d808e12ea69ea4efdfde08034d1f334a3c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
72KB

MD5
ec367079341be7b806d58aef81ba59e9

SHA1
2c0a403a301879fde219626d50e1e4f06ada2804

SHA256
b56b046366f9733af3b437ac1dde08d21c8bc8e99c8a6c0ec6d93a435a2eadce

SHA512
819527ecd7799921d4ad0c5452221650f86763e7fe7886895ae9dd57b7ec2b157a58c540c512700092c85d8d6f0c112b3160d108052be3d87614d8b005128008

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
72KB

MD5
ec367079341be7b806d58aef81ba59e9

SHA1
2c0a403a301879fde219626d50e1e4f06ada2804

SHA256
b56b046366f9733af3b437ac1dde08d21c8bc8e99c8a6c0ec6d93a435a2eadce

SHA512
819527ecd7799921d4ad0c5452221650f86763e7fe7886895ae9dd57b7ec2b157a58c540c512700092c85d8d6f0c112b3160d108052be3d87614d8b005128008

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
72KB

MD5
a9f83e9efc237ba8cb38398fe3837715

SHA1
33d4212872f5d7d975ac3326c5083b97c41e130e

SHA256
26ff3e7444fc4290b3532e7242f0b66af00c707c3b4bad8c7797874854fa78ed

SHA512
1d875d2484297fc75a4ed9c99458112248b6caa97b23033d295f7a5e7b53225cdeb00b0ec7d99e82752420b65014e105b5d02c7aa4bc6fa7a7359ad0f9e42ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
72KB

MD5
a9f83e9efc237ba8cb38398fe3837715

SHA1
33d4212872f5d7d975ac3326c5083b97c41e130e

SHA256
26ff3e7444fc4290b3532e7242f0b66af00c707c3b4bad8c7797874854fa78ed

SHA512
1d875d2484297fc75a4ed9c99458112248b6caa97b23033d295f7a5e7b53225cdeb00b0ec7d99e82752420b65014e105b5d02c7aa4bc6fa7a7359ad0f9e42ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
2a5968a7e1c6289fc1a024ba05af0d87

SHA1
153c4e7ffb7e1d02453b3bdf0cd6bfa9837a32b0

SHA256
3d1120a0cd1e816e81e961e54a7418e4a717ce665274eb9d1c18eeea31cbbcc0

SHA512
0b8f2a949c75977bbfc17b4a6880f437b08c06cb08bd3be442c29a1d946e423db6445d546244d640ffebc6ac118e9056ef301b28ab41e416d1e0aab75fc420d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
2a5968a7e1c6289fc1a024ba05af0d87

SHA1
153c4e7ffb7e1d02453b3bdf0cd6bfa9837a32b0

SHA256
3d1120a0cd1e816e81e961e54a7418e4a717ce665274eb9d1c18eeea31cbbcc0

SHA512
0b8f2a949c75977bbfc17b4a6880f437b08c06cb08bd3be442c29a1d946e423db6445d546244d640ffebc6ac118e9056ef301b28ab41e416d1e0aab75fc420d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
a9f83e9efc237ba8cb38398fe3837715

SHA1
33d4212872f5d7d975ac3326c5083b97c41e130e

SHA256
26ff3e7444fc4290b3532e7242f0b66af00c707c3b4bad8c7797874854fa78ed

SHA512
1d875d2484297fc75a4ed9c99458112248b6caa97b23033d295f7a5e7b53225cdeb00b0ec7d99e82752420b65014e105b5d02c7aa4bc6fa7a7359ad0f9e42ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
a9f83e9efc237ba8cb38398fe3837715

SHA1
33d4212872f5d7d975ac3326c5083b97c41e130e

SHA256
26ff3e7444fc4290b3532e7242f0b66af00c707c3b4bad8c7797874854fa78ed

SHA512
1d875d2484297fc75a4ed9c99458112248b6caa97b23033d295f7a5e7b53225cdeb00b0ec7d99e82752420b65014e105b5d02c7aa4bc6fa7a7359ad0f9e42ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a9f83e9efc237ba8cb38398fe3837715

SHA1
33d4212872f5d7d975ac3326c5083b97c41e130e

SHA256
26ff3e7444fc4290b3532e7242f0b66af00c707c3b4bad8c7797874854fa78ed

SHA512
1d875d2484297fc75a4ed9c99458112248b6caa97b23033d295f7a5e7b53225cdeb00b0ec7d99e82752420b65014e105b5d02c7aa4bc6fa7a7359ad0f9e42ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a9f83e9efc237ba8cb38398fe3837715

SHA1
33d4212872f5d7d975ac3326c5083b97c41e130e

SHA256
26ff3e7444fc4290b3532e7242f0b66af00c707c3b4bad8c7797874854fa78ed

SHA512
1d875d2484297fc75a4ed9c99458112248b6caa97b23033d295f7a5e7b53225cdeb00b0ec7d99e82752420b65014e105b5d02c7aa4bc6fa7a7359ad0f9e42ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
21KB

MD5
bb35158bc7aec1c9f98fb5be8e1d18fd

SHA1
6e0815c77141308098da564ce3cb5e02a52c698e

SHA256
eb968b5bb4335c354ed17597c565f7d5527d257d5e883354bc9fefefdbb45168

SHA512
02da2110123b8f1886b1dc90731a4c9d4f7863b703647257ac7435faba62dbe40dec7dd8106cd41c97f172f995e9cf7ea6aa951b664a601553ccd73e7de2c4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E8AE7625-4154-4713-92F0-00D2FC47E9A5}\backup.exe

Filesize
72KB

MD5
2a5968a7e1c6289fc1a024ba05af0d87

SHA1
153c4e7ffb7e1d02453b3bdf0cd6bfa9837a32b0

SHA256
3d1120a0cd1e816e81e961e54a7418e4a717ce665274eb9d1c18eeea31cbbcc0

SHA512
0b8f2a949c75977bbfc17b4a6880f437b08c06cb08bd3be442c29a1d946e423db6445d546244d640ffebc6ac118e9056ef301b28ab41e416d1e0aab75fc420d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E8AE7625-4154-4713-92F0-00D2FC47E9A5}\backup.exe

Filesize
72KB

MD5
2a5968a7e1c6289fc1a024ba05af0d87

SHA1
153c4e7ffb7e1d02453b3bdf0cd6bfa9837a32b0

SHA256
3d1120a0cd1e816e81e961e54a7418e4a717ce665274eb9d1c18eeea31cbbcc0

SHA512
0b8f2a949c75977bbfc17b4a6880f437b08c06cb08bd3be442c29a1d946e423db6445d546244d640ffebc6ac118e9056ef301b28ab41e416d1e0aab75fc420d9

Download Submit
C:\Users\Admin\backup.exe

Filesize
72KB

MD5
df2856604a0d99b98fef27df19cb994a

SHA1
6354fd2cea5538d2704ff4c2f66b073f83c4995b

SHA256
4824e222bc3982a540765d60fa88d85d37cfd661a9fe1dabcb305b7814c83c5d

SHA512
20525ddff0113ddcbac0117564593a9721dd46d5937924aab8094a4d1d5cc78a8da24ed9c1d3bb23790d860f0a10a97d52ae61630becbebc011d8a2bb96658d7

Download Submit
C:\Users\Admin\backup.exe

Filesize
72KB

MD5
df2856604a0d99b98fef27df19cb994a

SHA1
6354fd2cea5538d2704ff4c2f66b073f83c4995b

SHA256
4824e222bc3982a540765d60fa88d85d37cfd661a9fe1dabcb305b7814c83c5d

SHA512
20525ddff0113ddcbac0117564593a9721dd46d5937924aab8094a4d1d5cc78a8da24ed9c1d3bb23790d860f0a10a97d52ae61630becbebc011d8a2bb96658d7

Download Submit
C:\Users\Public\data.exe

Filesize
72KB

MD5
6adbef2cea7d1bbb8b48446cfd8bf2b2

SHA1
fda5ff40c39d9612f419cc59ddf30a7d430a1461

SHA256
f0b2e369be0b9f87c63baf25eb85386cd5eb90caaa0a89b50121a207e9017d29

SHA512
e261dd1aaaa7b7334e609ca8f3b66207acc1f9fa724c0d207b732701edcd5590ba2f17131e4bff8d03033019b7293ec3df25194c59e5a72e0888078e4e1ee714

Download Submit
C:\Users\backup.exe

Filesize
72KB

MD5
c72ddeed3d6497be1031cb305d5d1b9d

SHA1
18bd6d5b3a24dd7121ef9b4aebc6caaba5336df1

SHA256
444131d648476c5a0f649d6f4515bd86436b9713053fdfcbe700eb61bf272ac4

SHA512
08d969468f0498222fd17fc4c9c1ee819bcde52275216879b01648c963911b6465968f15188a4da229b7e4c33adda42cc87c78af29045b00f32f6cdb895d43fc

Download Submit
C:\Users\backup.exe

Filesize
72KB

MD5
c72ddeed3d6497be1031cb305d5d1b9d

SHA1
18bd6d5b3a24dd7121ef9b4aebc6caaba5336df1

SHA256
444131d648476c5a0f649d6f4515bd86436b9713053fdfcbe700eb61bf272ac4

SHA512
08d969468f0498222fd17fc4c9c1ee819bcde52275216879b01648c963911b6465968f15188a4da229b7e4c33adda42cc87c78af29045b00f32f6cdb895d43fc

Download Submit
C:\Windows\backup.exe

Filesize
72KB

MD5
3255d70756c3350f33c95d01136b9bbb

SHA1
486a86c816a3ec5353e3899f833fc5312a59a14d

SHA256
ed081f96e7b4e4c4b709205205f8bc8d063110ae41f4e39d02453e292ec72fdf

SHA512
ed91d7a08c651695e659f40bfb68da544900218dee55e1ed986037a7bb6a681f5ea72a4a730fb6f9fbc396bffd26f06db0e906317ae06b1251f853536b49afc6

Download Submit
C:\Windows\backup.exe

Filesize
72KB

MD5
3255d70756c3350f33c95d01136b9bbb

SHA1
486a86c816a3ec5353e3899f833fc5312a59a14d

SHA256
ed081f96e7b4e4c4b709205205f8bc8d063110ae41f4e39d02453e292ec72fdf

SHA512
ed91d7a08c651695e659f40bfb68da544900218dee55e1ed986037a7bb6a681f5ea72a4a730fb6f9fbc396bffd26f06db0e906317ae06b1251f853536b49afc6

Download Submit
C:\backup.exe

Filesize
72KB

MD5
bfeaa1168a2be9c9180060a04f462cec

SHA1
1c2ffadd42029dcb512415913c0d0aa7ac34c6fb

SHA256
e3cb9dbbd64ebcb5dfa10beca01bfa8e9b1e38222baf0a0e106692e980fc5536

SHA512
37063eb010f1ea581310aac02b0fda6d2a5e766b0d3fe74e5f9feeaff4544c412ef77ce5ece9470b87335fba05ebd4f6d89ff78e2e4a82e7fb4be42afdb38e97

Download Submit
C:\backup.exe

Filesize
72KB

MD5
bfeaa1168a2be9c9180060a04f462cec

SHA1
1c2ffadd42029dcb512415913c0d0aa7ac34c6fb

SHA256
e3cb9dbbd64ebcb5dfa10beca01bfa8e9b1e38222baf0a0e106692e980fc5536

SHA512
37063eb010f1ea581310aac02b0fda6d2a5e766b0d3fe74e5f9feeaff4544c412ef77ce5ece9470b87335fba05ebd4f6d89ff78e2e4a82e7fb4be42afdb38e97

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
9c7a6fc49435b29aa24c09f7a62f3011

SHA1
26c98c3c10dd91ce277f7e7383ba1741c43dafdf

SHA256
ebb8d375aab4a8d502f4c6b34776c03a64689aa538b8d70e2720437c0476f034

SHA512
e0ddd62cbeda300c42c458e0da75bdb4117023df31517f6560a0d032fa144ddfb1cfc9c46075be265fa152e702fd9446c7822aee3d5254546ee8a4a1049fc771

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
9c7a6fc49435b29aa24c09f7a62f3011

SHA1
26c98c3c10dd91ce277f7e7383ba1741c43dafdf

SHA256
ebb8d375aab4a8d502f4c6b34776c03a64689aa538b8d70e2720437c0476f034

SHA512
e0ddd62cbeda300c42c458e0da75bdb4117023df31517f6560a0d032fa144ddfb1cfc9c46075be265fa152e702fd9446c7822aee3d5254546ee8a4a1049fc771

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads