63c7d13b03f220c9bc417f86bef5839fcaf0c452668e36046c02c3cdde714872

Analysis

max time kernel
211s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2023 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe
Size

122KB
MD5

1a83125b248cbcf3e6ea0b36f7e6b1f0
SHA1

6a0854ed013233470cbfea4ccf2d761f23c93062
SHA256

63c7d13b03f220c9bc417f86bef5839fcaf0c452668e36046c02c3cdde714872
SHA512

d4f9b9fda2dc31e0770875ea18db0432f84100cdf2b15a771897345c32480b5402d48ebbff36a962762b0de3335c08e833aad2de8866d78a4cb239d108ce184b
SSDEEP

1536:lvm1Fu8AjYaFwjRUdW7fmyY7aZYJVmy0KQbj6vbjuKoauGi4z:6u8ANCUdgfmD7zey0KUj6TjR9i4z

Score

10^/10

dropper evasion persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/memory/2568-0-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022dfb-6.dat	family_berbew
behavioral2/files/0x0008000000022dfb-7.dat	family_berbew
behavioral2/files/0x0008000000022dfd-11.dat	family_berbew
behavioral2/files/0x0008000000022dfd-12.dat	family_berbew
behavioral2/files/0x0008000000022dfd-13.dat	family_berbew
behavioral2/memory/4492-22-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/files/0x000600000002147a-24.dat	family_berbew
behavioral2/memory/4812-23-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/files/0x000700000001e79b-20.dat	family_berbew
behavioral2/files/0x000600000002147a-25.dat	family_berbew
behavioral2/files/0x000700000001e79b-19.dat	family_berbew
behavioral2/files/0x0008000000022e01-32.dat	family_berbew
behavioral2/files/0x0008000000022e01-34.dat	family_berbew
behavioral2/files/0x0007000000022e07-36.dat	family_berbew
behavioral2/files/0x0007000000022e07-39.dat	family_berbew
behavioral2/files/0x0007000000022e08-44.dat	family_berbew
behavioral2/memory/1028-46-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e08-45.dat	family_berbew
behavioral2/files/0x0007000000022e09-55.dat	family_berbew
behavioral2/memory/3040-49-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e0a-57.dat	family_berbew
behavioral2/memory/440-59-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e0a-56.dat	family_berbew
behavioral2/files/0x0007000000022e09-53.dat	family_berbew
behavioral2/files/0x0007000000022e0b-65.dat	family_berbew
behavioral2/memory/492-68-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/memory/4792-69-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/memory/440-72-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e0c-74.dat	family_berbew
behavioral2/files/0x0007000000022e0c-71.dat	family_berbew
behavioral2/files/0x0007000000022e0b-66.dat	family_berbew
behavioral2/memory/2568-78-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/memory/4492-80-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e10-83.dat	family_berbew
behavioral2/memory/2664-85-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e1a-90.dat	family_berbew
behavioral2/memory/1324-93-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e1a-89.dat	family_berbew
behavioral2/memory/2372-88-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/memory/3184-99-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e1c-100.dat	family_berbew
behavioral2/files/0x0006000000022e1e-103.dat	family_berbew
behavioral2/files/0x0006000000022e1e-104.dat	family_berbew
behavioral2/files/0x0007000000022e1c-102.dat	family_berbew
behavioral2/files/0x0006000000022e10-87.dat	family_berbew
behavioral2/files/0x000b000000022e11-118.dat	family_berbew
behavioral2/files/0x0008000000022e18-116.dat	family_berbew
behavioral2/files/0x0008000000022e18-117.dat	family_berbew
behavioral2/files/0x000b000000022e11-115.dat	family_berbew
behavioral2/memory/4464-114-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/memory/1596-112-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022e19-126.dat	family_berbew
behavioral2/files/0x0008000000022e19-128.dat	family_berbew
behavioral2/files/0x0008000000022e1b-130.dat	family_berbew
behavioral2/files/0x0008000000022e1b-129.dat	family_berbew
behavioral2/memory/1796-136-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/memory/2564-135-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/memory/3052-140-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/memory/4500-138-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/files/0x000a000000022e02-142.dat	family_berbew
behavioral2/files/0x000a000000022e02-141.dat	family_berbew
behavioral2/memory/4444-144-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022e1d-149.dat	family_berbew

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
492	backup.exe
4812	backup.exe
4492	backup.exe
2372	backup.exe
1028	backup.exe
3040	backup.exe
2664	backup.exe
4792	backup.exe
440	backup.exe
4444	backup.exe
1324	System Restore.exe
4464	backup.exe
3184	backup.exe
4500	backup.exe
1596	backup.exe
4360	System Restore.exe
1796	backup.exe
2564	backup.exe
3052	backup.exe
764	backup.exe
3196	backup.exe
60	backup.exe
1100	backup.exe
4040	backup.exe
4648	backup.exe
5092	backup.exe
2808	backup.exe
5048	backup.exe
1196	backup.exe
4676	backup.exe
2564	backup.exe
4372	backup.exe
952	backup.exe
5080	backup.exe
2116	backup.exe
5008	backup.exe
64	backup.exe
3856	backup.exe
3860	backup.exe
5016	backup.exe
4792	backup.exe
1160	backup.exe
1564	backup.exe
2880	backup.exe
1840	backup.exe
4704	update.exe
1808	backup.exe
4260	backup.exe
3932	backup.exe
3040	backup.exe
4884	backup.exe
4040	backup.exe
2436	backup.exe
1128	backup.exe
3936	backup.exe
3388	backup.exe
3800	backup.exe
1340	backup.exe
2044	backup.exe
4188	backup.exe
4484	backup.exe
1496	backup.exe
4032	System Restore.exe
4304	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe	update.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\update.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\backup.exe	backup.exe
File opened for modification	C:\Program Files\ModifiableWindowsApps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office 15\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\backup.exe	backup.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe
492	backup.exe
4812	backup.exe
2372	backup.exe
4492	backup.exe
1028	backup.exe
3040	backup.exe
2664	backup.exe
4792	backup.exe
440	backup.exe
4444	backup.exe
1324	System Restore.exe
4464	backup.exe
3184	backup.exe
4500	backup.exe
1596	backup.exe
4360	System Restore.exe
1796	backup.exe
2564	backup.exe
3052	backup.exe
764	backup.exe
3196	backup.exe
60	backup.exe
1100	backup.exe
4040	backup.exe
4648	backup.exe
5092	backup.exe
2808	backup.exe
5048	backup.exe
1196	backup.exe
4676	backup.exe
4372	backup.exe
952	backup.exe
5080	backup.exe
2564	backup.exe
2116	backup.exe
3856	backup.exe
3860	backup.exe
5008	backup.exe
4792	backup.exe
1160	backup.exe
5016	backup.exe
64	backup.exe
1564	backup.exe
2880	backup.exe
1840	backup.exe
4704	update.exe
1808	backup.exe
4884	backup.exe
3932	backup.exe
4260	backup.exe
3040	backup.exe
4040	backup.exe
2436	backup.exe
3936	backup.exe
1128	backup.exe
1340	backup.exe
3800	backup.exe
3388	backup.exe
2044	backup.exe
4188	backup.exe
4032	System Restore.exe
4484	backup.exe
1496	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 492	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	88
PID 2568 wrote to memory of 492	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	88
PID 2568 wrote to memory of 492	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	88
PID 2568 wrote to memory of 4812	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	89
PID 2568 wrote to memory of 4812	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	89
PID 2568 wrote to memory of 4812	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	89
PID 492 wrote to memory of 4492	492	backup.exe	91
PID 492 wrote to memory of 4492	492	backup.exe	91
PID 492 wrote to memory of 4492	492	backup.exe	91
PID 2568 wrote to memory of 2372	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	92
PID 2568 wrote to memory of 2372	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	92
PID 2568 wrote to memory of 2372	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	92
PID 2568 wrote to memory of 1028	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	94
PID 2568 wrote to memory of 1028	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	94
PID 2568 wrote to memory of 1028	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	94
PID 4492 wrote to memory of 3040	4492	backup.exe	95
PID 4492 wrote to memory of 3040	4492	backup.exe	95
PID 4492 wrote to memory of 3040	4492	backup.exe	95
PID 2568 wrote to memory of 2664	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	96
PID 2568 wrote to memory of 2664	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	96
PID 2568 wrote to memory of 2664	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	96
PID 4492 wrote to memory of 4792	4492	backup.exe	97
PID 4492 wrote to memory of 4792	4492	backup.exe	97
PID 4492 wrote to memory of 4792	4492	backup.exe	97
PID 2568 wrote to memory of 440	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	98
PID 2568 wrote to memory of 440	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	98
PID 2568 wrote to memory of 440	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	98
PID 4492 wrote to memory of 4444	4492	backup.exe	99
PID 4492 wrote to memory of 4444	4492	backup.exe	99
PID 4492 wrote to memory of 4444	4492	backup.exe	99
PID 2568 wrote to memory of 1324	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	100
PID 2568 wrote to memory of 1324	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	100
PID 2568 wrote to memory of 1324	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	100
PID 4444 wrote to memory of 4464	4444	backup.exe	101
PID 4444 wrote to memory of 4464	4444	backup.exe	101
PID 4444 wrote to memory of 4464	4444	backup.exe	101
PID 2568 wrote to memory of 3184	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	102
PID 2568 wrote to memory of 3184	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	102
PID 2568 wrote to memory of 3184	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	102
PID 2568 wrote to memory of 4500	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	104
PID 2568 wrote to memory of 4500	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	104
PID 2568 wrote to memory of 4500	2568	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe	104
PID 4464 wrote to memory of 1596	4464	backup.exe	105
PID 4464 wrote to memory of 1596	4464	backup.exe	105
PID 4464 wrote to memory of 1596	4464	backup.exe	105
PID 4444 wrote to memory of 4360	4444	backup.exe	106
PID 4444 wrote to memory of 4360	4444	backup.exe	106
PID 4444 wrote to memory of 4360	4444	backup.exe	106
PID 4500 wrote to memory of 1796	4500	backup.exe	107
PID 4500 wrote to memory of 1796	4500	backup.exe	107
PID 4500 wrote to memory of 1796	4500	backup.exe	107
PID 1796 wrote to memory of 2564	1796	backup.exe	108
PID 1796 wrote to memory of 2564	1796	backup.exe	108
PID 1796 wrote to memory of 2564	1796	backup.exe	108
PID 4360 wrote to memory of 3052	4360	System Restore.exe	109
PID 4360 wrote to memory of 3052	4360	System Restore.exe	109
PID 4360 wrote to memory of 3052	4360	System Restore.exe	109
PID 4360 wrote to memory of 764	4360	System Restore.exe	110
PID 4360 wrote to memory of 764	4360	System Restore.exe	110
PID 4360 wrote to memory of 764	4360	System Restore.exe	110
PID 764 wrote to memory of 3196	764	backup.exe	111
PID 764 wrote to memory of 3196	764	backup.exe	111
PID 764 wrote to memory of 3196	764	backup.exe	111
PID 764 wrote to memory of 60	764	backup.exe	112

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1a83125b248cbcf3e6ea0b36f7e6b1f0.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2568
- C:\Users\Admin\AppData\Local\Temp\{60EF4F01-6BA2-465D-8D76-56BA1257C2B7}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{60EF4F01-6BA2-465D-8D76-56BA1257C2B7}\backup.exe C:\Users\Admin\AppData\Local\Temp\{60EF4F01-6BA2-465D-8D76-56BA1257C2B7}\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4492
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3040
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4792
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4444
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1596
    - - C:\Program Files\Common Files\System Restore.exe
        
        "C:\Program Files\Common Files\System Restore.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3052
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:764
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3196
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:60
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1100
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4040
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4648
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5048
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1196
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5016
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4260
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        System policy modification
        
        PID:3984
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        
        PID:5024
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5080
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3860
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1808
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\System Restore.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4900
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:4360
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3936
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3800
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        System policy modification
        
        PID:3788
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:3504
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:2032
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4372
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3856
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2436
        
        C:\Program Files\Common Files\System\ado\de-DE\update.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\update.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2556
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2036
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2232
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:960
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:4496
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:952
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2116
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4792
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4884
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2576
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4540
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:3636
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1340
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1160
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1128
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2696
      - C:\Program Files\Internet Explorer\es-ES\System Restore.exe
        
        "C:\Program Files\Internet Explorer\es-ES\System Restore.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        System policy modification
        
        PID:4784
      - C:\Program Files\Internet Explorer\fr-FR\System Restore.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\System Restore.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1684
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3932
      - C:\Program Files\Java\jdk-1.8\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:832
        
        C:\Program Files\Java\jdk-1.8\bin\update.exe
        
        "C:\Program Files\Java\jdk-1.8\bin\update.exe" C:\Program Files\Java\jdk-1.8\bin\
        7⤵
        
        PID:3192
      - C:\Program Files\Java\jre-1.8\backup.exe
        
        "C:\Program Files\Java\jre-1.8\backup.exe" C:\Program Files\Java\jre-1.8\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3848
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3388
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4424
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:2692
      - C:\Program Files\Microsoft Office\root\data.exe
        
        "C:\Program Files\Microsoft Office\root\data.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        
        PID:4816
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3800
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:4992
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4676
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5008
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        
        PID:2004
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:5088
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:1376
    - - C:\Program Files (x86)\Common Files\update.exe
        
        "C:\Program Files (x86)\Common Files\update.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4704
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4188
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4280
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:3152
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:2456
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:1164
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4484
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:4796
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        System policy modification
        
        PID:4760
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:4888
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:64
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1840
      - C:\Users\Admin\3D Objects\System Restore.exe
        
        "C:\Users\Admin\3D Objects\System Restore.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4032
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4536
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:4304
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2880
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:648
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:2452
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        
        PID:4712
- C:\Users\Admin\AppData\Local\Temp\3700703260\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3700703260\backup.exe C:\Users\Admin\AppData\Local\Temp\3700703260\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4812
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1028
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:440
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3184
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
122KB

MD5
32dd09a6d729cb2f10277f4fdd28b64f

SHA1
20672b60982b54e74c8a4793eb065981d998aac2

SHA256
1a1e392da9ba73ff4682443524958549c37ee9671ebb9ae01ae2ae27990d7c5b

SHA512
7be8c3d2c8d9a6877424b96de5e7eaf37e36bd979f1fd86acc0c6360b1619ca03408c991ba18e301e07bb515de4bf71c793fe30ebd0ef2aa0aec583203f97239

Download Submit
C:\PerfLogs\backup.exe

Filesize
122KB

MD5
32dd09a6d729cb2f10277f4fdd28b64f

SHA1
20672b60982b54e74c8a4793eb065981d998aac2

SHA256
1a1e392da9ba73ff4682443524958549c37ee9671ebb9ae01ae2ae27990d7c5b

SHA512
7be8c3d2c8d9a6877424b96de5e7eaf37e36bd979f1fd86acc0c6360b1619ca03408c991ba18e301e07bb515de4bf71c793fe30ebd0ef2aa0aec583203f97239

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
122KB

MD5
51ea3f3654229594ef6fbdbc9c990fe6

SHA1
d6d46d52159cd9a2837cdfed4ca5b7a97c3eaa97

SHA256
cf6d239e65ea33c72af6826120ca1fbe822658d236515ea2e456fac6a94b122b

SHA512
72307a41dfb6a16a36996ef1c8703b6ef4e1eead03da733022534cafd24f0a76e231ea1c5fc3d4822ccb4fb64e339426aaed5344d1f900f248a9ff7bc42918cc

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
122KB

MD5
51ea3f3654229594ef6fbdbc9c990fe6

SHA1
d6d46d52159cd9a2837cdfed4ca5b7a97c3eaa97

SHA256
cf6d239e65ea33c72af6826120ca1fbe822658d236515ea2e456fac6a94b122b

SHA512
72307a41dfb6a16a36996ef1c8703b6ef4e1eead03da733022534cafd24f0a76e231ea1c5fc3d4822ccb4fb64e339426aaed5344d1f900f248a9ff7bc42918cc

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
122KB

MD5
4cc171986c3b3a5ca2a78a2c55595026

SHA1
12151b3192f0df0181189d3e00e677426e0b2f45

SHA256
2a71fd3f2c921ff8c497ad65eb5df509b3ffffc5b0ed6dc20071e25ec506adc5

SHA512
f0f2313d97b843a79267aa7f0af9e796e11e3aa3efdc01e39f453454171ec7a32050eebbc831d2f30de37c0a48ded0ee0b78c04427662f8f2ddd24b12ea0eeed

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
122KB

MD5
4cc171986c3b3a5ca2a78a2c55595026

SHA1
12151b3192f0df0181189d3e00e677426e0b2f45

SHA256
2a71fd3f2c921ff8c497ad65eb5df509b3ffffc5b0ed6dc20071e25ec506adc5

SHA512
f0f2313d97b843a79267aa7f0af9e796e11e3aa3efdc01e39f453454171ec7a32050eebbc831d2f30de37c0a48ded0ee0b78c04427662f8f2ddd24b12ea0eeed

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
1d77e2644f21c732b23659e86666cf46

SHA1
d27abeaf9c50567d597331477e1ea3de64216053

SHA256
20435b2bd0ffa3a3a4fdc448f1d54389745571c00f2c4308106cf27ae84dbdf4

SHA512
713af25d43a2ee53e5a7bc2eb6f75b40bbfe7f26051cef27f8189fbaf2c0948844fe6950cd5e4cf8b6f5be511acfb3c429fe2c9ed412037601a59e17993f12bf

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
1d77e2644f21c732b23659e86666cf46

SHA1
d27abeaf9c50567d597331477e1ea3de64216053

SHA256
20435b2bd0ffa3a3a4fdc448f1d54389745571c00f2c4308106cf27ae84dbdf4

SHA512
713af25d43a2ee53e5a7bc2eb6f75b40bbfe7f26051cef27f8189fbaf2c0948844fe6950cd5e4cf8b6f5be511acfb3c429fe2c9ed412037601a59e17993f12bf

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
122KB

MD5
414ce964dd982ff27d27976a4a250510

SHA1
525b53a00516b2c81da90d18bc7e245f61a7dedc

SHA256
cbf9efaf56f801f527642a6f5311ca5663823be503be19b36047bc1b5c8cc9b1

SHA512
36265f44d398ab0d446fd162183224bab102c87c8790b76490a20f34187a32ca4374f835f72fbc92e26bd0ba8b9e8fdf99f14ce73024609007aa888f73c91fa0

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
122KB

MD5
414ce964dd982ff27d27976a4a250510

SHA1
525b53a00516b2c81da90d18bc7e245f61a7dedc

SHA256
cbf9efaf56f801f527642a6f5311ca5663823be503be19b36047bc1b5c8cc9b1

SHA512
36265f44d398ab0d446fd162183224bab102c87c8790b76490a20f34187a32ca4374f835f72fbc92e26bd0ba8b9e8fdf99f14ce73024609007aa888f73c91fa0

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
122KB

MD5
b2bbc5f0ff14b4a1861b85497b6aeb43

SHA1
30b7e5e73d9f98089d0d01c4a136d223e75c792b

SHA256
2dcf5f3c43bb012ba94a467132966d98c74c44b41e543e4ffd13bde7b25bbf2d

SHA512
fbdcac4c095b3b4af7541d1def29f5210378e5df7ef502f1934be896d02d43db59ebd4365e58fe76ba4aaa07e97135ed14012fb9cc067e67246e43a43da51dfb

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
122KB

MD5
3ddf262aaf736fc1ee9c6b41f28ac134

SHA1
9486515b380e6e0898571a86890ca95b2063242a

SHA256
5587a8f5a4d9dc5ad98200a76cc91170a2a1cf072b17a25cb274f355b0bf626d

SHA512
9762a0e32539e17ae4ce6cdb36b6c8068950a7ceeece2935bbb89f6e97e6a78130afdceee796c30347f633297dd8c8f7d09850dd22073c8bce708b23b465643a

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
122KB

MD5
3ddf262aaf736fc1ee9c6b41f28ac134

SHA1
9486515b380e6e0898571a86890ca95b2063242a

SHA256
5587a8f5a4d9dc5ad98200a76cc91170a2a1cf072b17a25cb274f355b0bf626d

SHA512
9762a0e32539e17ae4ce6cdb36b6c8068950a7ceeece2935bbb89f6e97e6a78130afdceee796c30347f633297dd8c8f7d09850dd22073c8bce708b23b465643a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
122KB

MD5
8901b471d068a090a1dba08b6575204d

SHA1
e03259b4ce50a26bee96436476542ffd488a86da

SHA256
8673c7648d8bab75668ec6ac0453f1b2faf618a5854b82e0a8989dae10ed6985

SHA512
de9e11b0d3dc5d78f22becec57397aaf7847fcf5af68fad5425c35920fe14abdacfafc07f500ac884c18118b9f0b3aa62aa69b97d85bc72786f707a766323ca4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
122KB

MD5
8901b471d068a090a1dba08b6575204d

SHA1
e03259b4ce50a26bee96436476542ffd488a86da

SHA256
8673c7648d8bab75668ec6ac0453f1b2faf618a5854b82e0a8989dae10ed6985

SHA512
de9e11b0d3dc5d78f22becec57397aaf7847fcf5af68fad5425c35920fe14abdacfafc07f500ac884c18118b9f0b3aa62aa69b97d85bc72786f707a766323ca4

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
122KB

MD5
414ce964dd982ff27d27976a4a250510

SHA1
525b53a00516b2c81da90d18bc7e245f61a7dedc

SHA256
cbf9efaf56f801f527642a6f5311ca5663823be503be19b36047bc1b5c8cc9b1

SHA512
36265f44d398ab0d446fd162183224bab102c87c8790b76490a20f34187a32ca4374f835f72fbc92e26bd0ba8b9e8fdf99f14ce73024609007aa888f73c91fa0

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
122KB

MD5
414ce964dd982ff27d27976a4a250510

SHA1
525b53a00516b2c81da90d18bc7e245f61a7dedc

SHA256
cbf9efaf56f801f527642a6f5311ca5663823be503be19b36047bc1b5c8cc9b1

SHA512
36265f44d398ab0d446fd162183224bab102c87c8790b76490a20f34187a32ca4374f835f72fbc92e26bd0ba8b9e8fdf99f14ce73024609007aa888f73c91fa0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
122KB

MD5
a608d3a52e455c3286a44d89f58a15e0

SHA1
5edfd8aefcc5195db1e61ed6ecc5b511a748dae3

SHA256
e1c8ba2f534654f20b15669959e93cfc79dd29b35b35b9ea54e0ccfa019c7938

SHA512
9b06b13ee31a542c678f066de50dca8340235f41a00273f3acb0560b34ac59ab1fab588e7e5b36a8bd6530157be91d5c56164c483c2d491f2a7dbd373633e59d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
122KB

MD5
a608d3a52e455c3286a44d89f58a15e0

SHA1
5edfd8aefcc5195db1e61ed6ecc5b511a748dae3

SHA256
e1c8ba2f534654f20b15669959e93cfc79dd29b35b35b9ea54e0ccfa019c7938

SHA512
9b06b13ee31a542c678f066de50dca8340235f41a00273f3acb0560b34ac59ab1fab588e7e5b36a8bd6530157be91d5c56164c483c2d491f2a7dbd373633e59d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
122KB

MD5
8901b471d068a090a1dba08b6575204d

SHA1
e03259b4ce50a26bee96436476542ffd488a86da

SHA256
8673c7648d8bab75668ec6ac0453f1b2faf618a5854b82e0a8989dae10ed6985

SHA512
de9e11b0d3dc5d78f22becec57397aaf7847fcf5af68fad5425c35920fe14abdacfafc07f500ac884c18118b9f0b3aa62aa69b97d85bc72786f707a766323ca4

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
122KB

MD5
8901b471d068a090a1dba08b6575204d

SHA1
e03259b4ce50a26bee96436476542ffd488a86da

SHA256
8673c7648d8bab75668ec6ac0453f1b2faf618a5854b82e0a8989dae10ed6985

SHA512
de9e11b0d3dc5d78f22becec57397aaf7847fcf5af68fad5425c35920fe14abdacfafc07f500ac884c18118b9f0b3aa62aa69b97d85bc72786f707a766323ca4

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
122KB

MD5
a608d3a52e455c3286a44d89f58a15e0

SHA1
5edfd8aefcc5195db1e61ed6ecc5b511a748dae3

SHA256
e1c8ba2f534654f20b15669959e93cfc79dd29b35b35b9ea54e0ccfa019c7938

SHA512
9b06b13ee31a542c678f066de50dca8340235f41a00273f3acb0560b34ac59ab1fab588e7e5b36a8bd6530157be91d5c56164c483c2d491f2a7dbd373633e59d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
122KB

MD5
a608d3a52e455c3286a44d89f58a15e0

SHA1
5edfd8aefcc5195db1e61ed6ecc5b511a748dae3

SHA256
e1c8ba2f534654f20b15669959e93cfc79dd29b35b35b9ea54e0ccfa019c7938

SHA512
9b06b13ee31a542c678f066de50dca8340235f41a00273f3acb0560b34ac59ab1fab588e7e5b36a8bd6530157be91d5c56164c483c2d491f2a7dbd373633e59d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
122KB

MD5
a608d3a52e455c3286a44d89f58a15e0

SHA1
5edfd8aefcc5195db1e61ed6ecc5b511a748dae3

SHA256
e1c8ba2f534654f20b15669959e93cfc79dd29b35b35b9ea54e0ccfa019c7938

SHA512
9b06b13ee31a542c678f066de50dca8340235f41a00273f3acb0560b34ac59ab1fab588e7e5b36a8bd6530157be91d5c56164c483c2d491f2a7dbd373633e59d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
122KB

MD5
a608d3a52e455c3286a44d89f58a15e0

SHA1
5edfd8aefcc5195db1e61ed6ecc5b511a748dae3

SHA256
e1c8ba2f534654f20b15669959e93cfc79dd29b35b35b9ea54e0ccfa019c7938

SHA512
9b06b13ee31a542c678f066de50dca8340235f41a00273f3acb0560b34ac59ab1fab588e7e5b36a8bd6530157be91d5c56164c483c2d491f2a7dbd373633e59d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
122KB

MD5
a608d3a52e455c3286a44d89f58a15e0

SHA1
5edfd8aefcc5195db1e61ed6ecc5b511a748dae3

SHA256
e1c8ba2f534654f20b15669959e93cfc79dd29b35b35b9ea54e0ccfa019c7938

SHA512
9b06b13ee31a542c678f066de50dca8340235f41a00273f3acb0560b34ac59ab1fab588e7e5b36a8bd6530157be91d5c56164c483c2d491f2a7dbd373633e59d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
122KB

MD5
a608d3a52e455c3286a44d89f58a15e0

SHA1
5edfd8aefcc5195db1e61ed6ecc5b511a748dae3

SHA256
e1c8ba2f534654f20b15669959e93cfc79dd29b35b35b9ea54e0ccfa019c7938

SHA512
9b06b13ee31a542c678f066de50dca8340235f41a00273f3acb0560b34ac59ab1fab588e7e5b36a8bd6530157be91d5c56164c483c2d491f2a7dbd373633e59d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
122KB

MD5
a608d3a52e455c3286a44d89f58a15e0

SHA1
5edfd8aefcc5195db1e61ed6ecc5b511a748dae3

SHA256
e1c8ba2f534654f20b15669959e93cfc79dd29b35b35b9ea54e0ccfa019c7938

SHA512
9b06b13ee31a542c678f066de50dca8340235f41a00273f3acb0560b34ac59ab1fab588e7e5b36a8bd6530157be91d5c56164c483c2d491f2a7dbd373633e59d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
122KB

MD5
a608d3a52e455c3286a44d89f58a15e0

SHA1
5edfd8aefcc5195db1e61ed6ecc5b511a748dae3

SHA256
e1c8ba2f534654f20b15669959e93cfc79dd29b35b35b9ea54e0ccfa019c7938

SHA512
9b06b13ee31a542c678f066de50dca8340235f41a00273f3acb0560b34ac59ab1fab588e7e5b36a8bd6530157be91d5c56164c483c2d491f2a7dbd373633e59d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
122KB

MD5
8e61662c0e62317a795309b147ac800b

SHA1
7451ed37ff968bfacaa97a8df01111c71538fa7b

SHA256
a1c55639d0f5d799a78ecbf874eaa89ab160837b3883655e91e40fbf9d1610d7

SHA512
b67326e4b072b70fe8eb9694afa4f72fe1242b649affee9c7e65c353d2af2a5542284cf991734de83fd7c79614b5eb5dbb7ba5f4398af32ef98eaeb2c8d781fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
122KB

MD5
8e61662c0e62317a795309b147ac800b

SHA1
7451ed37ff968bfacaa97a8df01111c71538fa7b

SHA256
a1c55639d0f5d799a78ecbf874eaa89ab160837b3883655e91e40fbf9d1610d7

SHA512
b67326e4b072b70fe8eb9694afa4f72fe1242b649affee9c7e65c353d2af2a5542284cf991734de83fd7c79614b5eb5dbb7ba5f4398af32ef98eaeb2c8d781fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
122KB

MD5
8e61662c0e62317a795309b147ac800b

SHA1
7451ed37ff968bfacaa97a8df01111c71538fa7b

SHA256
a1c55639d0f5d799a78ecbf874eaa89ab160837b3883655e91e40fbf9d1610d7

SHA512
b67326e4b072b70fe8eb9694afa4f72fe1242b649affee9c7e65c353d2af2a5542284cf991734de83fd7c79614b5eb5dbb7ba5f4398af32ef98eaeb2c8d781fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
122KB

MD5
8e61662c0e62317a795309b147ac800b

SHA1
7451ed37ff968bfacaa97a8df01111c71538fa7b

SHA256
a1c55639d0f5d799a78ecbf874eaa89ab160837b3883655e91e40fbf9d1610d7

SHA512
b67326e4b072b70fe8eb9694afa4f72fe1242b649affee9c7e65c353d2af2a5542284cf991734de83fd7c79614b5eb5dbb7ba5f4398af32ef98eaeb2c8d781fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
122KB

MD5
40c2a947937f40c26769d090b1ff10ab

SHA1
78c82e52f56061f03da2fed13a54af0bc743f76a

SHA256
32fc21bf124f9bdb5b18223b09ea40784a604809c34176fcf1362a37066cdc9d

SHA512
dbbcab2e751e3b60a8e9bef339a440afa5df9d809b6370abfcaeb32e3f29a551eed9c225ea13aa318579e2d21f83a08850d668049c48368fc636b1a81199a47d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
122KB

MD5
40c2a947937f40c26769d090b1ff10ab

SHA1
78c82e52f56061f03da2fed13a54af0bc743f76a

SHA256
32fc21bf124f9bdb5b18223b09ea40784a604809c34176fcf1362a37066cdc9d

SHA512
dbbcab2e751e3b60a8e9bef339a440afa5df9d809b6370abfcaeb32e3f29a551eed9c225ea13aa318579e2d21f83a08850d668049c48368fc636b1a81199a47d

Download Submit
C:\Program Files\Google\backup.exe

Filesize
122KB

MD5
b8aad67d9e2e2ca52a7c0dc50c487ee5

SHA1
b44984a68d91f863cd8dda19679fa7ce00f6c850

SHA256
b1005e54ad6ac811b6831bb5fbd5717b684dffdd31f78ed0de8ec7cfe370f31b

SHA512
ffc72df4298548bb92e2c5a679a59934ff8ff7af7ad9559c6859c8c57e43c31eea06aef49cd0658b029da05f5fc08e9117bd8aa199887063e041bc292d978989

Download Submit
C:\Program Files\backup.exe

Filesize
122KB

MD5
32dd09a6d729cb2f10277f4fdd28b64f

SHA1
20672b60982b54e74c8a4793eb065981d998aac2

SHA256
1a1e392da9ba73ff4682443524958549c37ee9671ebb9ae01ae2ae27990d7c5b

SHA512
7be8c3d2c8d9a6877424b96de5e7eaf37e36bd979f1fd86acc0c6360b1619ca03408c991ba18e301e07bb515de4bf71c793fe30ebd0ef2aa0aec583203f97239

Download Submit
C:\Program Files\backup.exe

Filesize
122KB

MD5
32dd09a6d729cb2f10277f4fdd28b64f

SHA1
20672b60982b54e74c8a4793eb065981d998aac2

SHA256
1a1e392da9ba73ff4682443524958549c37ee9671ebb9ae01ae2ae27990d7c5b

SHA512
7be8c3d2c8d9a6877424b96de5e7eaf37e36bd979f1fd86acc0c6360b1619ca03408c991ba18e301e07bb515de4bf71c793fe30ebd0ef2aa0aec583203f97239

Download Submit
C:\Users\Admin\AppData\Local\Temp\3700703260\backup.exe

Filesize
122KB

MD5
69b97b7ef2c1a1b32497c1ae76001073

SHA1
902ba26c49f620c8a55b9cc2973d15a6dd0d2b12

SHA256
8fc3891b9674f4a55469c8fb3cae9359a64fc57861f7b3f06f86274b02a4665b

SHA512
ee45f0a2985c53bdd75444339b27fffe74d742b4989d86668d5e8dcfb39b2253e5b5f0319770e871f1c2cd914000827cc3e90cf361acb573f14117c8a3cb75a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3700703260\backup.exe

Filesize
122KB

MD5
69b97b7ef2c1a1b32497c1ae76001073

SHA1
902ba26c49f620c8a55b9cc2973d15a6dd0d2b12

SHA256
8fc3891b9674f4a55469c8fb3cae9359a64fc57861f7b3f06f86274b02a4665b

SHA512
ee45f0a2985c53bdd75444339b27fffe74d742b4989d86668d5e8dcfb39b2253e5b5f0319770e871f1c2cd914000827cc3e90cf361acb573f14117c8a3cb75a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3700703260\backup.exe

Filesize
122KB

MD5
69b97b7ef2c1a1b32497c1ae76001073

SHA1
902ba26c49f620c8a55b9cc2973d15a6dd0d2b12

SHA256
8fc3891b9674f4a55469c8fb3cae9359a64fc57861f7b3f06f86274b02a4665b

SHA512
ee45f0a2985c53bdd75444339b27fffe74d742b4989d86668d5e8dcfb39b2253e5b5f0319770e871f1c2cd914000827cc3e90cf361acb573f14117c8a3cb75a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
122KB

MD5
61ea2d379ec7445b0052b52f1ca9e1fc

SHA1
31e0081e06c1795f34658ae616c086e70b567b2c

SHA256
3941cdbcabff8e39fd1b181c9499ae496faa29ca5c219a47c5e4ac0b0cc16cb4

SHA512
7a727572e213219e057b00313507141c39e734de8b9b8682949e9474b44f6afa26841d9ccdf540c0e40c1e5a2b889af9c3214bd9971c1ee8cdcc470b9b0a7a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
122KB

MD5
61ea2d379ec7445b0052b52f1ca9e1fc

SHA1
31e0081e06c1795f34658ae616c086e70b567b2c

SHA256
3941cdbcabff8e39fd1b181c9499ae496faa29ca5c219a47c5e4ac0b0cc16cb4

SHA512
7a727572e213219e057b00313507141c39e734de8b9b8682949e9474b44f6afa26841d9ccdf540c0e40c1e5a2b889af9c3214bd9971c1ee8cdcc470b9b0a7a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
c6cb64810332d58c94ffc47b23951701

SHA1
6ec0f677a103da27a9a496e5a596254a53ac1a44

SHA256
38066007de59b49b0566808d5646a34c69ba8de913c8fc79f586fc634c0559c2

SHA512
9ae086e88a8abc77a0689fb33b018c217d19348cae389beeed1d049268bd5376fc8eb5052c0a25485f10900462ffa7b9c3045d0ceeb12740d8335513351a850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
c6cb64810332d58c94ffc47b23951701

SHA1
6ec0f677a103da27a9a496e5a596254a53ac1a44

SHA256
38066007de59b49b0566808d5646a34c69ba8de913c8fc79f586fc634c0559c2

SHA512
9ae086e88a8abc77a0689fb33b018c217d19348cae389beeed1d049268bd5376fc8eb5052c0a25485f10900462ffa7b9c3045d0ceeb12740d8335513351a850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
122KB

MD5
c6cb64810332d58c94ffc47b23951701

SHA1
6ec0f677a103da27a9a496e5a596254a53ac1a44

SHA256
38066007de59b49b0566808d5646a34c69ba8de913c8fc79f586fc634c0559c2

SHA512
9ae086e88a8abc77a0689fb33b018c217d19348cae389beeed1d049268bd5376fc8eb5052c0a25485f10900462ffa7b9c3045d0ceeb12740d8335513351a850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
122KB

MD5
c6cb64810332d58c94ffc47b23951701

SHA1
6ec0f677a103da27a9a496e5a596254a53ac1a44

SHA256
38066007de59b49b0566808d5646a34c69ba8de913c8fc79f586fc634c0559c2

SHA512
9ae086e88a8abc77a0689fb33b018c217d19348cae389beeed1d049268bd5376fc8eb5052c0a25485f10900462ffa7b9c3045d0ceeb12740d8335513351a850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
122KB

MD5
5a14f87e54b7a841c434e1a17eb14449

SHA1
427392a2b2d6492f1a94c7a629c0b5980971aabd

SHA256
48fe99175838e27b611b8d783cc3eda9bd2a4f81034f240ac7d86354bfec381c

SHA512
e5b6415ecf356e9a02d1c950ef5a273c071ac9dcfe10e50df8b410d9271e10b467cb7fe116e036956cba2b9d9fe5b5ce941b7f3668653e00833ab915f41c1d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
122KB

MD5
5a14f87e54b7a841c434e1a17eb14449

SHA1
427392a2b2d6492f1a94c7a629c0b5980971aabd

SHA256
48fe99175838e27b611b8d783cc3eda9bd2a4f81034f240ac7d86354bfec381c

SHA512
e5b6415ecf356e9a02d1c950ef5a273c071ac9dcfe10e50df8b410d9271e10b467cb7fe116e036956cba2b9d9fe5b5ce941b7f3668653e00833ab915f41c1d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
122KB

MD5
9d9abba317588b07b68b35c24bc5525a

SHA1
ff086513c2535d30bf7f09b3742974d133c22550

SHA256
22e8df9506f38bfda5732e64d63364d2e408b73e350576d991cddfcbbdf16164

SHA512
82bfbfc6ca789093e6c9a9b0a98c92ec833362db887222565ccb28e0c0285f1cbf10c365c4792e43bc3763cc31f591e62f63949781382c54f640ceccffb6c964

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
122KB

MD5
9d9abba317588b07b68b35c24bc5525a

SHA1
ff086513c2535d30bf7f09b3742974d133c22550

SHA256
22e8df9506f38bfda5732e64d63364d2e408b73e350576d991cddfcbbdf16164

SHA512
82bfbfc6ca789093e6c9a9b0a98c92ec833362db887222565ccb28e0c0285f1cbf10c365c4792e43bc3763cc31f591e62f63949781382c54f640ceccffb6c964

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
122KB

MD5
bdfc7ac020ded14ca644eeb6947efc8c

SHA1
d9ca88347a3ec9cc3299b8b2bb7946d6e1958749

SHA256
d1b6300b72719d839b152ff72f3b37365a9849282e35d2b2fc8603e7cb49fc5a

SHA512
302a830d5dec018a242df39c5d58dca4ae3a1b6c8f8a7da8fe8b5c5ddc10e6e6f8a3919a3ffb027f0dc45bcf588291af33d9dd681fc0610e922dd4dd67d80012

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
122KB

MD5
bdfc7ac020ded14ca644eeb6947efc8c

SHA1
d9ca88347a3ec9cc3299b8b2bb7946d6e1958749

SHA256
d1b6300b72719d839b152ff72f3b37365a9849282e35d2b2fc8603e7cb49fc5a

SHA512
302a830d5dec018a242df39c5d58dca4ae3a1b6c8f8a7da8fe8b5c5ddc10e6e6f8a3919a3ffb027f0dc45bcf588291af33d9dd681fc0610e922dd4dd67d80012

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
122KB

MD5
61ea2d379ec7445b0052b52f1ca9e1fc

SHA1
31e0081e06c1795f34658ae616c086e70b567b2c

SHA256
3941cdbcabff8e39fd1b181c9499ae496faa29ca5c219a47c5e4ac0b0cc16cb4

SHA512
7a727572e213219e057b00313507141c39e734de8b9b8682949e9474b44f6afa26841d9ccdf540c0e40c1e5a2b889af9c3214bd9971c1ee8cdcc470b9b0a7a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
122KB

MD5
61ea2d379ec7445b0052b52f1ca9e1fc

SHA1
31e0081e06c1795f34658ae616c086e70b567b2c

SHA256
3941cdbcabff8e39fd1b181c9499ae496faa29ca5c219a47c5e4ac0b0cc16cb4

SHA512
7a727572e213219e057b00313507141c39e734de8b9b8682949e9474b44f6afa26841d9ccdf540c0e40c1e5a2b889af9c3214bd9971c1ee8cdcc470b9b0a7a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
122KB

MD5
61ea2d379ec7445b0052b52f1ca9e1fc

SHA1
31e0081e06c1795f34658ae616c086e70b567b2c

SHA256
3941cdbcabff8e39fd1b181c9499ae496faa29ca5c219a47c5e4ac0b0cc16cb4

SHA512
7a727572e213219e057b00313507141c39e734de8b9b8682949e9474b44f6afa26841d9ccdf540c0e40c1e5a2b889af9c3214bd9971c1ee8cdcc470b9b0a7a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
122KB

MD5
61ea2d379ec7445b0052b52f1ca9e1fc

SHA1
31e0081e06c1795f34658ae616c086e70b567b2c

SHA256
3941cdbcabff8e39fd1b181c9499ae496faa29ca5c219a47c5e4ac0b0cc16cb4

SHA512
7a727572e213219e057b00313507141c39e734de8b9b8682949e9474b44f6afa26841d9ccdf540c0e40c1e5a2b889af9c3214bd9971c1ee8cdcc470b9b0a7a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
bdfc7ac020ded14ca644eeb6947efc8c

SHA1
d9ca88347a3ec9cc3299b8b2bb7946d6e1958749

SHA256
d1b6300b72719d839b152ff72f3b37365a9849282e35d2b2fc8603e7cb49fc5a

SHA512
302a830d5dec018a242df39c5d58dca4ae3a1b6c8f8a7da8fe8b5c5ddc10e6e6f8a3919a3ffb027f0dc45bcf588291af33d9dd681fc0610e922dd4dd67d80012

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
bdfc7ac020ded14ca644eeb6947efc8c

SHA1
d9ca88347a3ec9cc3299b8b2bb7946d6e1958749

SHA256
d1b6300b72719d839b152ff72f3b37365a9849282e35d2b2fc8603e7cb49fc5a

SHA512
302a830d5dec018a242df39c5d58dca4ae3a1b6c8f8a7da8fe8b5c5ddc10e6e6f8a3919a3ffb027f0dc45bcf588291af33d9dd681fc0610e922dd4dd67d80012

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
41KB

MD5
bd44fe1958bd2dcda8c07ec4bca46336

SHA1
5567dd1b1070548a3670e53fc137fa85f5a43dd9

SHA256
1337b33d584d7aa40e3c1843f3567264e6de547d3a3cdb5722a4ea8981399479

SHA512
1744d9cc568e43e08631700d56c719b7bfdd08bf1d480acfa2d9bdfa5e6bd8314049340a385587c7e1d08695cfe6a5794664f4eeff56c50d2cf7c092bda0532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{60EF4F01-6BA2-465D-8D76-56BA1257C2B7}\backup.exe

Filesize
122KB

MD5
69b97b7ef2c1a1b32497c1ae76001073

SHA1
902ba26c49f620c8a55b9cc2973d15a6dd0d2b12

SHA256
8fc3891b9674f4a55469c8fb3cae9359a64fc57861f7b3f06f86274b02a4665b

SHA512
ee45f0a2985c53bdd75444339b27fffe74d742b4989d86668d5e8dcfb39b2253e5b5f0319770e871f1c2cd914000827cc3e90cf361acb573f14117c8a3cb75a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{60EF4F01-6BA2-465D-8D76-56BA1257C2B7}\backup.exe

Filesize
122KB

MD5
69b97b7ef2c1a1b32497c1ae76001073

SHA1
902ba26c49f620c8a55b9cc2973d15a6dd0d2b12

SHA256
8fc3891b9674f4a55469c8fb3cae9359a64fc57861f7b3f06f86274b02a4665b

SHA512
ee45f0a2985c53bdd75444339b27fffe74d742b4989d86668d5e8dcfb39b2253e5b5f0319770e871f1c2cd914000827cc3e90cf361acb573f14117c8a3cb75a8

Download Submit
C:\backup.exe

Filesize
122KB

MD5
e7be94de47ca40b3bce3a91618559e10

SHA1
0ee3a693197651704e006b80ecd1936de95dce6b

SHA256
53c9349244de1b3d065472e22050e6cfd1a32bb482894ed64aae1398292011c7

SHA512
4becaf1312a5d118bfe0ac9cb4d8f09dd3cee8ca18f04e49c17076722c5fc7120d603c63f54aab095cc6494f60bf7ba2c74bed8fa93ccd390c57d97d23512274

Download Submit
C:\backup.exe

Filesize
122KB

MD5
e7be94de47ca40b3bce3a91618559e10

SHA1
0ee3a693197651704e006b80ecd1936de95dce6b

SHA256
53c9349244de1b3d065472e22050e6cfd1a32bb482894ed64aae1398292011c7

SHA512
4becaf1312a5d118bfe0ac9cb4d8f09dd3cee8ca18f04e49c17076722c5fc7120d603c63f54aab095cc6494f60bf7ba2c74bed8fa93ccd390c57d97d23512274

Download Submit
C:\odt\backup.exe

Filesize
122KB

MD5
93e49c80d8bd971d43398bc6792012e1

SHA1
4145ad965cdbdedb99cb353b0307b6493ccdc588

SHA256
2b1bc93d91630c9abcf2f19f776c1c53d486482839197e53e119bd985b82eaa9

SHA512
eeac37d0bf7c52d3f5d74a895a3510b7f48fd8544686d96d16f9c30fe75d8ae95dd4464d0b97cc2342798fede7619dc10c4d9949b3ebb62a999b7ddfb234ee9e

Download Submit
C:\odt\backup.exe

Filesize
122KB

MD5
93e49c80d8bd971d43398bc6792012e1

SHA1
4145ad965cdbdedb99cb353b0307b6493ccdc588

SHA256
2b1bc93d91630c9abcf2f19f776c1c53d486482839197e53e119bd985b82eaa9

SHA512
eeac37d0bf7c52d3f5d74a895a3510b7f48fd8544686d96d16f9c30fe75d8ae95dd4464d0b97cc2342798fede7619dc10c4d9949b3ebb62a999b7ddfb234ee9e

Download Submit
memory/60-238-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/64-675-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/64-356-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/440-72-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/440-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/492-68-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/648-677-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/764-227-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/952-306-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/952-335-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1028-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1100-182-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1128-490-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1160-392-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1196-239-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1196-256-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1324-93-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1340-558-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1340-503-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1496-668-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1564-495-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1564-419-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1596-112-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1796-136-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1808-406-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1808-489-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1840-467-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2044-504-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2044-557-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2116-342-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2116-334-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2232-689-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2372-224-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2372-88-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2436-564-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2556-686-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2564-135-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2564-292-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2568-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2568-290-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2568-228-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2568-277-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2568-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2576-674-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2664-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2808-211-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2880-466-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3040-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3040-491-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3040-420-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3052-140-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3184-99-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3196-154-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3388-501-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3388-611-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3788-684-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3800-508-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3800-560-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3856-365-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3860-360-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3932-505-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3932-416-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3936-497-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4032-663-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4032-621-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4032-547-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4040-418-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4040-507-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4040-189-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4188-535-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4188-620-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4260-414-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4260-464-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4360-339-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4360-207-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4372-294-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4444-144-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4464-114-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4484-656-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4492-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4492-448-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4492-80-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4500-138-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4648-198-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4676-284-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4676-307-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4704-402-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4704-478-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4792-380-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4792-559-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4792-69-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4812-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4884-417-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4884-506-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5008-351-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5008-451-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5016-361-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5048-218-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5080-305-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5092-203-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads