702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85

Analysis

max time kernel
188s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 18:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe
Size

72KB
MD5

53da9729f56b52e97681c2ba66a843f2
SHA1

936e54587dfa67954cd096726caa9e594a96d463
SHA256

702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85
SHA512

6c52d23dafa3b394469b96e638cb1e8a06849f707395f566c756b2755213364eed427e83878b5b58e52696767ed7517a61bd53ee39558dbcb20b6ba4ca2ac639
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2C:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrO

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe

Executes dropped EXE 64 IoCs

pid	Process
3340	backup.exe
396	backup.exe
3900	backup.exe
4908	backup.exe
772	backup.exe
4444	backup.exe
3408	backup.exe
3676	backup.exe
4588	backup.exe
2608	backup.exe
4688	backup.exe
4240	data.exe
3604	backup.exe
3820	backup.exe
4628	backup.exe
5000	backup.exe
2968	backup.exe
3932	backup.exe
4224	backup.exe
4948	backup.exe
2064	backup.exe
1816	data.exe
3988	backup.exe
3388	backup.exe
4072	backup.exe
1520	backup.exe
4080	backup.exe
4120	backup.exe
2004	backup.exe
3188	backup.exe
1184	backup.exe
4076	backup.exe
2856	backup.exe
2200	backup.exe
4016	backup.exe
4468	backup.exe
4928	backup.exe
444	backup.exe
4040	System Restore.exe
1676	backup.exe
4864	backup.exe
2824	backup.exe
3548	backup.exe
4004	backup.exe
4736	backup.exe
3908	backup.exe
4740	data.exe
2216	backup.exe
2256	backup.exe
116	backup.exe
532	backup.exe
3376	backup.exe
640	backup.exe
3244	backup.exe
2444	backup.exe
1028	backup.exe
4132	backup.exe
3760	System Restore.exe
1952	backup.exe
3352	backup.exe
4056	backup.exe
4628	backup.exe
4236	backup.exe
1940	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\update.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office 15\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\update.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	backup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe
3340	backup.exe
396	backup.exe
3900	backup.exe
4908	backup.exe
772	backup.exe
4444	backup.exe
3408	backup.exe
3676	backup.exe
4588	backup.exe
2608	backup.exe
4688	backup.exe
4240	data.exe
3604	backup.exe
3820	backup.exe
4628	backup.exe
5000	backup.exe
2968	backup.exe
3932	backup.exe
4224	backup.exe
4948	backup.exe
2064	backup.exe
1816	data.exe
3988	backup.exe
3388	backup.exe
4072	backup.exe
1520	backup.exe
4080	backup.exe
4120	backup.exe
2004	backup.exe
3188	backup.exe
1184	backup.exe
4076	backup.exe
2856	backup.exe
2200	backup.exe
4016	backup.exe
4468	backup.exe
4928	backup.exe
444	backup.exe
4040	System Restore.exe
1676	backup.exe
4864	backup.exe
2824	backup.exe
3548	backup.exe
4004	backup.exe
4736	backup.exe
3908	backup.exe
4740	data.exe
2216	backup.exe
2256	backup.exe
116	backup.exe
532	backup.exe
640	backup.exe
3376	backup.exe
3244	backup.exe
2444	backup.exe
1028	backup.exe
4132	backup.exe
3760	System Restore.exe
1952	backup.exe
3352	backup.exe
4056	backup.exe
4628	backup.exe
4236	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 3340	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	85
PID 4996 wrote to memory of 3340	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	85
PID 4996 wrote to memory of 3340	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	85
PID 4996 wrote to memory of 396	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	86
PID 4996 wrote to memory of 396	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	86
PID 4996 wrote to memory of 396	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	86
PID 4996 wrote to memory of 3900	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	87
PID 4996 wrote to memory of 3900	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	87
PID 4996 wrote to memory of 3900	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	87
PID 4996 wrote to memory of 4908	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	88
PID 4996 wrote to memory of 4908	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	88
PID 4996 wrote to memory of 4908	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	88
PID 4996 wrote to memory of 772	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	89
PID 4996 wrote to memory of 772	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	89
PID 4996 wrote to memory of 772	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	89
PID 4996 wrote to memory of 4444	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	90
PID 4996 wrote to memory of 4444	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	90
PID 4996 wrote to memory of 4444	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	90
PID 4996 wrote to memory of 3408	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	91
PID 4996 wrote to memory of 3408	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	91
PID 4996 wrote to memory of 3408	4996	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe	91
PID 3340 wrote to memory of 3676	3340	backup.exe	92
PID 3340 wrote to memory of 3676	3340	backup.exe	92
PID 3340 wrote to memory of 3676	3340	backup.exe	92
PID 3676 wrote to memory of 4588	3676	backup.exe	93
PID 3676 wrote to memory of 4588	3676	backup.exe	93
PID 3676 wrote to memory of 4588	3676	backup.exe	93
PID 3676 wrote to memory of 2608	3676	backup.exe	94
PID 3676 wrote to memory of 2608	3676	backup.exe	94
PID 3676 wrote to memory of 2608	3676	backup.exe	94
PID 3676 wrote to memory of 4688	3676	backup.exe	95
PID 3676 wrote to memory of 4688	3676	backup.exe	95
PID 3676 wrote to memory of 4688	3676	backup.exe	95
PID 4688 wrote to memory of 4240	4688	backup.exe	96
PID 4688 wrote to memory of 4240	4688	backup.exe	96
PID 4688 wrote to memory of 4240	4688	backup.exe	96
PID 4240 wrote to memory of 3604	4240	data.exe	97
PID 4240 wrote to memory of 3604	4240	data.exe	97
PID 4240 wrote to memory of 3604	4240	data.exe	97
PID 4688 wrote to memory of 3820	4688	backup.exe	98
PID 4688 wrote to memory of 3820	4688	backup.exe	98
PID 4688 wrote to memory of 3820	4688	backup.exe	98
PID 3820 wrote to memory of 4628	3820	backup.exe	99
PID 3820 wrote to memory of 4628	3820	backup.exe	99
PID 3820 wrote to memory of 4628	3820	backup.exe	99
PID 3820 wrote to memory of 5000	3820	backup.exe	100
PID 3820 wrote to memory of 5000	3820	backup.exe	100
PID 3820 wrote to memory of 5000	3820	backup.exe	100
PID 5000 wrote to memory of 2968	5000	backup.exe	101
PID 5000 wrote to memory of 2968	5000	backup.exe	101
PID 5000 wrote to memory of 2968	5000	backup.exe	101
PID 5000 wrote to memory of 3932	5000	backup.exe	102
PID 5000 wrote to memory of 3932	5000	backup.exe	102
PID 5000 wrote to memory of 3932	5000	backup.exe	102
PID 3932 wrote to memory of 4224	3932	backup.exe	103
PID 3932 wrote to memory of 4224	3932	backup.exe	103
PID 3932 wrote to memory of 4224	3932	backup.exe	103
PID 3932 wrote to memory of 4948	3932	backup.exe	104
PID 3932 wrote to memory of 4948	3932	backup.exe	104
PID 3932 wrote to memory of 4948	3932	backup.exe	104
PID 3932 wrote to memory of 2064	3932	backup.exe	105
PID 3932 wrote to memory of 2064	3932	backup.exe	105
PID 3932 wrote to memory of 2064	3932	backup.exe	105
PID 3932 wrote to memory of 1816	3932	backup.exe	106

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe
"C:\Users\Admin\AppData\Local\Temp\702c3511542a1e82c864ce48bb1a197579a6d8de2bfaa99177bb456377b8ec85.exe"
1⤵
- Disables RegEdit via registry modification
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4996
- C:\Users\Admin\AppData\Local\Temp\912521196\backup.exe
  C:\Users\Admin\AppData\Local\Temp\912521196\backup.exe C:\Users\Admin\AppData\Local\Temp\912521196\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3340
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3676
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4588
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2608
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4688
    - - C:\Program Files\7-Zip\data.exe
        
        "C:\Program Files\7-Zip\data.exe" C:\Program Files\7-Zip\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4240
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3604
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3820
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4628
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2968
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4224
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4948
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3988
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3388
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4072
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1520
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4080
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4120
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3188
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4076
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2856
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2200
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4016
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4468
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4928
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:444
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4040
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1676
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4864
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2824
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3548
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4004
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:116
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3352
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4496
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        System policy modification
        
        PID:2556
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4068
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        
        PID:4108
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4264
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4360
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3700
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1896
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2836
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2192
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1364
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:1212
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        
        PID:4800
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4996
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1072
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4572
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        
        PID:2020
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3908
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:640
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\System Restore.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3760
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4628
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:2440
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        System policy modification
        
        PID:3652
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:4256
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\update.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4188
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5056
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:608
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2952
        
        C:\Program Files\Common Files\microsoft shared\Stationery\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\update.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:2280
        
        C:\Program Files\Common Files\microsoft shared\TextConv\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\update.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4920
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:4436
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Drops file in Program Files directory
        
        PID:4972
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:3380
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4224
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3704
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2216
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3376
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4236
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3816
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        System policy modification
        
        PID:2144
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:4844
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4136
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2820
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2592
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:544
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Disables RegEdit via registry modification
        
        PID:888
        
        C:\Program Files\Common Files\System\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2508
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:4560
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4028
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3604
        
        C:\Program Files\Common Files\System\msadc\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\System Restore.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2144
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:2004
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4736
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3244
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4132
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Executes dropped EXE
        System policy modification
        
        PID:1940
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3396
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:5028
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2988
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4912
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4316
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:1228
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\update.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        System policy modification
        
        PID:3836
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        System policy modification
        
        PID:4396
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:4968
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4380
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2464
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3180
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1520
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4952
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        
        PID:1548
    - - C:\Program Files\Microsoft Office\data.exe
        
        "C:\Program Files\Microsoft Office\data.exe" C:\Program Files\Microsoft Office\
        5⤵
        Disables RegEdit via registry modification
        
        PID:3884
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4136
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:412
  - - C:\Program Files (x86)\data.exe
      "C:\Program Files (x86)\data.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:4740
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:532
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3868
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:3404
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:4228
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2260
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:3548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4892
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1408
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4304
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        
        PID:2864
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2196
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1440
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4264
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4240
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:4076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:3452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:4280
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1984
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2940
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1836
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2136
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:4476
    - - C:\Users\Admin\System Restore.exe
        
        "C:\Users\Admin\System Restore.exe" C:\Users\Admin\
        5⤵
        Disables RegEdit via registry modification
        
        PID:2296
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4048
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Windows directory
      PID:3108
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:3188
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:396
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3900
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:772
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4444
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
9d11726ce799be7c4c9ecc53b35e7c07

SHA1
f8556cbdf247766e125000bf00ab243e0cbc4797

SHA256
38751afdbe5c27e7965504274c61f23892bfde0259e11cc4b9d99e75bfbb5f34

SHA512
69b6433dabb9f9920298a9e2f311949390005a475e2ffd6b2a66be043ba15fd75fb24a24e54a9dfb500ad7bcd10abba579a47db3d21fd5b78a9fe8eaf657e257

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
9d11726ce799be7c4c9ecc53b35e7c07

SHA1
f8556cbdf247766e125000bf00ab243e0cbc4797

SHA256
38751afdbe5c27e7965504274c61f23892bfde0259e11cc4b9d99e75bfbb5f34

SHA512
69b6433dabb9f9920298a9e2f311949390005a475e2ffd6b2a66be043ba15fd75fb24a24e54a9dfb500ad7bcd10abba579a47db3d21fd5b78a9fe8eaf657e257

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
58c771c881f03aa4d2caa93fe95376b8

SHA1
1e992e693cb02657998158a9fa7f5a1f5439c510

SHA256
04c8b36e0f7ed3d62d213eff7246685baff20dc379d73a89ac2b53719a61e108

SHA512
2e979e49303d96736357a8a6e247e009e4e8e3281fc81e61d108fa5c5b82ad2ded746e81f4a834b108bc893ccd3e879537bb4f17423478ba97e87e35aa31a84e

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
58c771c881f03aa4d2caa93fe95376b8

SHA1
1e992e693cb02657998158a9fa7f5a1f5439c510

SHA256
04c8b36e0f7ed3d62d213eff7246685baff20dc379d73a89ac2b53719a61e108

SHA512
2e979e49303d96736357a8a6e247e009e4e8e3281fc81e61d108fa5c5b82ad2ded746e81f4a834b108bc893ccd3e879537bb4f17423478ba97e87e35aa31a84e

Download Submit
C:\Program Files\7-Zip\data.exe

Filesize
72KB

MD5
4a4d374205089a06e0ed45a6fb6e6304

SHA1
cd1ad46cc8374fd0d449b6e91ea2e6f95bd6b6ab

SHA256
c18edea9fe78b3704d9aa5c8cc9454c1929ae962a4d9c63ef435d5b1f8700f17

SHA512
612663529533445407941c43d96e926d1b142392fc96f01549d95ed95f669ae21e50900fa1cef6ece5c30283a86029432e1d8df0357a41a0e864db04efd00ecf

Download Submit
C:\Program Files\7-Zip\data.exe

Filesize
72KB

MD5
4a4d374205089a06e0ed45a6fb6e6304

SHA1
cd1ad46cc8374fd0d449b6e91ea2e6f95bd6b6ab

SHA256
c18edea9fe78b3704d9aa5c8cc9454c1929ae962a4d9c63ef435d5b1f8700f17

SHA512
612663529533445407941c43d96e926d1b142392fc96f01549d95ed95f669ae21e50900fa1cef6ece5c30283a86029432e1d8df0357a41a0e864db04efd00ecf

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
58c771c881f03aa4d2caa93fe95376b8

SHA1
1e992e693cb02657998158a9fa7f5a1f5439c510

SHA256
04c8b36e0f7ed3d62d213eff7246685baff20dc379d73a89ac2b53719a61e108

SHA512
2e979e49303d96736357a8a6e247e009e4e8e3281fc81e61d108fa5c5b82ad2ded746e81f4a834b108bc893ccd3e879537bb4f17423478ba97e87e35aa31a84e

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
58c771c881f03aa4d2caa93fe95376b8

SHA1
1e992e693cb02657998158a9fa7f5a1f5439c510

SHA256
04c8b36e0f7ed3d62d213eff7246685baff20dc379d73a89ac2b53719a61e108

SHA512
2e979e49303d96736357a8a6e247e009e4e8e3281fc81e61d108fa5c5b82ad2ded746e81f4a834b108bc893ccd3e879537bb4f17423478ba97e87e35aa31a84e

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
4a4d374205089a06e0ed45a6fb6e6304

SHA1
cd1ad46cc8374fd0d449b6e91ea2e6f95bd6b6ab

SHA256
c18edea9fe78b3704d9aa5c8cc9454c1929ae962a4d9c63ef435d5b1f8700f17

SHA512
612663529533445407941c43d96e926d1b142392fc96f01549d95ed95f669ae21e50900fa1cef6ece5c30283a86029432e1d8df0357a41a0e864db04efd00ecf

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
4a4d374205089a06e0ed45a6fb6e6304

SHA1
cd1ad46cc8374fd0d449b6e91ea2e6f95bd6b6ab

SHA256
c18edea9fe78b3704d9aa5c8cc9454c1929ae962a4d9c63ef435d5b1f8700f17

SHA512
612663529533445407941c43d96e926d1b142392fc96f01549d95ed95f669ae21e50900fa1cef6ece5c30283a86029432e1d8df0357a41a0e864db04efd00ecf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
b8e8905662833d517983ae181753b090

SHA1
cc5283c26ec3798114a46388310149b2489bf119

SHA256
0ef1560fee7cb494f2657cae5559fdfb571da4e725c32b8241b24b0af4f30063

SHA512
dd64b7d31c7f338c37d93a4ba0f97c8523dcad7161393c575f0b38a286bb22df3833854d44a2cc45c03f5b1e97a91ebdad1ed73b381923f6ad78fa3dff6bd759

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
b8e8905662833d517983ae181753b090

SHA1
cc5283c26ec3798114a46388310149b2489bf119

SHA256
0ef1560fee7cb494f2657cae5559fdfb571da4e725c32b8241b24b0af4f30063

SHA512
dd64b7d31c7f338c37d93a4ba0f97c8523dcad7161393c575f0b38a286bb22df3833854d44a2cc45c03f5b1e97a91ebdad1ed73b381923f6ad78fa3dff6bd759

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
58c771c881f03aa4d2caa93fe95376b8

SHA1
1e992e693cb02657998158a9fa7f5a1f5439c510

SHA256
04c8b36e0f7ed3d62d213eff7246685baff20dc379d73a89ac2b53719a61e108

SHA512
2e979e49303d96736357a8a6e247e009e4e8e3281fc81e61d108fa5c5b82ad2ded746e81f4a834b108bc893ccd3e879537bb4f17423478ba97e87e35aa31a84e

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
58c771c881f03aa4d2caa93fe95376b8

SHA1
1e992e693cb02657998158a9fa7f5a1f5439c510

SHA256
04c8b36e0f7ed3d62d213eff7246685baff20dc379d73a89ac2b53719a61e108

SHA512
2e979e49303d96736357a8a6e247e009e4e8e3281fc81e61d108fa5c5b82ad2ded746e81f4a834b108bc893ccd3e879537bb4f17423478ba97e87e35aa31a84e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
1018d49c6d38b26618a1fbcb91df9910

SHA1
05422ed9a7a38542d890d5383e06486f1aaff684

SHA256
c18ef464c5c6130617101e22563f69c3173ae57769440291f3dc2edf5d6e6a5d

SHA512
f574ea436331083b53adb1f31982e7ce80dc1c3b0072da770d43d996fe574cffd507121c757da3cdcb04cc5cb5fdd73369120c2f518666d465730f93e49ec718

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
1018d49c6d38b26618a1fbcb91df9910

SHA1
05422ed9a7a38542d890d5383e06486f1aaff684

SHA256
c18ef464c5c6130617101e22563f69c3173ae57769440291f3dc2edf5d6e6a5d

SHA512
f574ea436331083b53adb1f31982e7ce80dc1c3b0072da770d43d996fe574cffd507121c757da3cdcb04cc5cb5fdd73369120c2f518666d465730f93e49ec718

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
b8e8905662833d517983ae181753b090

SHA1
cc5283c26ec3798114a46388310149b2489bf119

SHA256
0ef1560fee7cb494f2657cae5559fdfb571da4e725c32b8241b24b0af4f30063

SHA512
dd64b7d31c7f338c37d93a4ba0f97c8523dcad7161393c575f0b38a286bb22df3833854d44a2cc45c03f5b1e97a91ebdad1ed73b381923f6ad78fa3dff6bd759

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
b8e8905662833d517983ae181753b090

SHA1
cc5283c26ec3798114a46388310149b2489bf119

SHA256
0ef1560fee7cb494f2657cae5559fdfb571da4e725c32b8241b24b0af4f30063

SHA512
dd64b7d31c7f338c37d93a4ba0f97c8523dcad7161393c575f0b38a286bb22df3833854d44a2cc45c03f5b1e97a91ebdad1ed73b381923f6ad78fa3dff6bd759

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
1018d49c6d38b26618a1fbcb91df9910

SHA1
05422ed9a7a38542d890d5383e06486f1aaff684

SHA256
c18ef464c5c6130617101e22563f69c3173ae57769440291f3dc2edf5d6e6a5d

SHA512
f574ea436331083b53adb1f31982e7ce80dc1c3b0072da770d43d996fe574cffd507121c757da3cdcb04cc5cb5fdd73369120c2f518666d465730f93e49ec718

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
1018d49c6d38b26618a1fbcb91df9910

SHA1
05422ed9a7a38542d890d5383e06486f1aaff684

SHA256
c18ef464c5c6130617101e22563f69c3173ae57769440291f3dc2edf5d6e6a5d

SHA512
f574ea436331083b53adb1f31982e7ce80dc1c3b0072da770d43d996fe574cffd507121c757da3cdcb04cc5cb5fdd73369120c2f518666d465730f93e49ec718

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
1018d49c6d38b26618a1fbcb91df9910

SHA1
05422ed9a7a38542d890d5383e06486f1aaff684

SHA256
c18ef464c5c6130617101e22563f69c3173ae57769440291f3dc2edf5d6e6a5d

SHA512
f574ea436331083b53adb1f31982e7ce80dc1c3b0072da770d43d996fe574cffd507121c757da3cdcb04cc5cb5fdd73369120c2f518666d465730f93e49ec718

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
1018d49c6d38b26618a1fbcb91df9910

SHA1
05422ed9a7a38542d890d5383e06486f1aaff684

SHA256
c18ef464c5c6130617101e22563f69c3173ae57769440291f3dc2edf5d6e6a5d

SHA512
f574ea436331083b53adb1f31982e7ce80dc1c3b0072da770d43d996fe574cffd507121c757da3cdcb04cc5cb5fdd73369120c2f518666d465730f93e49ec718

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe

Filesize
72KB

MD5
1018d49c6d38b26618a1fbcb91df9910

SHA1
05422ed9a7a38542d890d5383e06486f1aaff684

SHA256
c18ef464c5c6130617101e22563f69c3173ae57769440291f3dc2edf5d6e6a5d

SHA512
f574ea436331083b53adb1f31982e7ce80dc1c3b0072da770d43d996fe574cffd507121c757da3cdcb04cc5cb5fdd73369120c2f518666d465730f93e49ec718

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe

Filesize
72KB

MD5
1018d49c6d38b26618a1fbcb91df9910

SHA1
05422ed9a7a38542d890d5383e06486f1aaff684

SHA256
c18ef464c5c6130617101e22563f69c3173ae57769440291f3dc2edf5d6e6a5d

SHA512
f574ea436331083b53adb1f31982e7ce80dc1c3b0072da770d43d996fe574cffd507121c757da3cdcb04cc5cb5fdd73369120c2f518666d465730f93e49ec718

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
1018d49c6d38b26618a1fbcb91df9910

SHA1
05422ed9a7a38542d890d5383e06486f1aaff684

SHA256
c18ef464c5c6130617101e22563f69c3173ae57769440291f3dc2edf5d6e6a5d

SHA512
f574ea436331083b53adb1f31982e7ce80dc1c3b0072da770d43d996fe574cffd507121c757da3cdcb04cc5cb5fdd73369120c2f518666d465730f93e49ec718

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
1018d49c6d38b26618a1fbcb91df9910

SHA1
05422ed9a7a38542d890d5383e06486f1aaff684

SHA256
c18ef464c5c6130617101e22563f69c3173ae57769440291f3dc2edf5d6e6a5d

SHA512
f574ea436331083b53adb1f31982e7ce80dc1c3b0072da770d43d996fe574cffd507121c757da3cdcb04cc5cb5fdd73369120c2f518666d465730f93e49ec718

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

Filesize
72KB

MD5
d16a2ffb97d5d13209bc8e7e6dbc549b

SHA1
d8773dd1ff4f30fa19cd7a7750a6a08d06bb321e

SHA256
7ac15ec45690f853754626072de66b28773cbb23beac252ef1695644a99dff18

SHA512
65ba5d5d1b0869529644505069aed4b620a4d465f045f62cfac563e7e01d72844adb1b1d79c6e3d0d8ad9cf14e945089a70fc53d0a4c387900ea71983a451537

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
9d11726ce799be7c4c9ecc53b35e7c07

SHA1
f8556cbdf247766e125000bf00ab243e0cbc4797

SHA256
38751afdbe5c27e7965504274c61f23892bfde0259e11cc4b9d99e75bfbb5f34

SHA512
69b6433dabb9f9920298a9e2f311949390005a475e2ffd6b2a66be043ba15fd75fb24a24e54a9dfb500ad7bcd10abba579a47db3d21fd5b78a9fe8eaf657e257

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
9d11726ce799be7c4c9ecc53b35e7c07

SHA1
f8556cbdf247766e125000bf00ab243e0cbc4797

SHA256
38751afdbe5c27e7965504274c61f23892bfde0259e11cc4b9d99e75bfbb5f34

SHA512
69b6433dabb9f9920298a9e2f311949390005a475e2ffd6b2a66be043ba15fd75fb24a24e54a9dfb500ad7bcd10abba579a47db3d21fd5b78a9fe8eaf657e257

Download Submit
C:\Users\Admin\AppData\Local\Temp\912521196\backup.exe

Filesize
72KB

MD5
9c80efb3cfaf187537029af0461ab57a

SHA1
60b45fef7eed4ac12ff86d1de10744bb4f432083

SHA256
8b9e3f60894c5781f5bcb270f0740df36d2accc8c8027fafbe1e393d9d823338

SHA512
e62c7c87eae034eccf84ec0c309f5097bf119bacc85594e086e35fb8481950957a2dfb381808992d92917fe45cc0c49d73b4beebb05eec5e3f2bc8535ca5ee38

Download Submit
C:\Users\Admin\AppData\Local\Temp\912521196\backup.exe

Filesize
72KB

MD5
9c80efb3cfaf187537029af0461ab57a

SHA1
60b45fef7eed4ac12ff86d1de10744bb4f432083

SHA256
8b9e3f60894c5781f5bcb270f0740df36d2accc8c8027fafbe1e393d9d823338

SHA512
e62c7c87eae034eccf84ec0c309f5097bf119bacc85594e086e35fb8481950957a2dfb381808992d92917fe45cc0c49d73b4beebb05eec5e3f2bc8535ca5ee38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
419f8519583276472c9c3a295c1476bd

SHA1
c9180c99fff548191f8d2ee6f736214631179310

SHA256
33973aaa04875ae18a4a7843c676b3385411df1600f631ddfe9ed9ea9712313b

SHA512
10cd80911e69ff950717c1576f3b56b2279768a26f163d988510736e8ff4981b7e39f47d1dcacef6038294ad602ed338e3e65effb46f739a2c8fe24270183a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
419f8519583276472c9c3a295c1476bd

SHA1
c9180c99fff548191f8d2ee6f736214631179310

SHA256
33973aaa04875ae18a4a7843c676b3385411df1600f631ddfe9ed9ea9712313b

SHA512
10cd80911e69ff950717c1576f3b56b2279768a26f163d988510736e8ff4981b7e39f47d1dcacef6038294ad602ed338e3e65effb46f739a2c8fe24270183a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
419f8519583276472c9c3a295c1476bd

SHA1
c9180c99fff548191f8d2ee6f736214631179310

SHA256
33973aaa04875ae18a4a7843c676b3385411df1600f631ddfe9ed9ea9712313b

SHA512
10cd80911e69ff950717c1576f3b56b2279768a26f163d988510736e8ff4981b7e39f47d1dcacef6038294ad602ed338e3e65effb46f739a2c8fe24270183a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
419f8519583276472c9c3a295c1476bd

SHA1
c9180c99fff548191f8d2ee6f736214631179310

SHA256
33973aaa04875ae18a4a7843c676b3385411df1600f631ddfe9ed9ea9712313b

SHA512
10cd80911e69ff950717c1576f3b56b2279768a26f163d988510736e8ff4981b7e39f47d1dcacef6038294ad602ed338e3e65effb46f739a2c8fe24270183a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
419f8519583276472c9c3a295c1476bd

SHA1
c9180c99fff548191f8d2ee6f736214631179310

SHA256
33973aaa04875ae18a4a7843c676b3385411df1600f631ddfe9ed9ea9712313b

SHA512
10cd80911e69ff950717c1576f3b56b2279768a26f163d988510736e8ff4981b7e39f47d1dcacef6038294ad602ed338e3e65effb46f739a2c8fe24270183a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
419f8519583276472c9c3a295c1476bd

SHA1
c9180c99fff548191f8d2ee6f736214631179310

SHA256
33973aaa04875ae18a4a7843c676b3385411df1600f631ddfe9ed9ea9712313b

SHA512
10cd80911e69ff950717c1576f3b56b2279768a26f163d988510736e8ff4981b7e39f47d1dcacef6038294ad602ed338e3e65effb46f739a2c8fe24270183a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
419f8519583276472c9c3a295c1476bd

SHA1
c9180c99fff548191f8d2ee6f736214631179310

SHA256
33973aaa04875ae18a4a7843c676b3385411df1600f631ddfe9ed9ea9712313b

SHA512
10cd80911e69ff950717c1576f3b56b2279768a26f163d988510736e8ff4981b7e39f47d1dcacef6038294ad602ed338e3e65effb46f739a2c8fe24270183a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
419f8519583276472c9c3a295c1476bd

SHA1
c9180c99fff548191f8d2ee6f736214631179310

SHA256
33973aaa04875ae18a4a7843c676b3385411df1600f631ddfe9ed9ea9712313b

SHA512
10cd80911e69ff950717c1576f3b56b2279768a26f163d988510736e8ff4981b7e39f47d1dcacef6038294ad602ed338e3e65effb46f739a2c8fe24270183a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
419f8519583276472c9c3a295c1476bd

SHA1
c9180c99fff548191f8d2ee6f736214631179310

SHA256
33973aaa04875ae18a4a7843c676b3385411df1600f631ddfe9ed9ea9712313b

SHA512
10cd80911e69ff950717c1576f3b56b2279768a26f163d988510736e8ff4981b7e39f47d1dcacef6038294ad602ed338e3e65effb46f739a2c8fe24270183a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
419f8519583276472c9c3a295c1476bd

SHA1
c9180c99fff548191f8d2ee6f736214631179310

SHA256
33973aaa04875ae18a4a7843c676b3385411df1600f631ddfe9ed9ea9712313b

SHA512
10cd80911e69ff950717c1576f3b56b2279768a26f163d988510736e8ff4981b7e39f47d1dcacef6038294ad602ed338e3e65effb46f739a2c8fe24270183a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
419f8519583276472c9c3a295c1476bd

SHA1
c9180c99fff548191f8d2ee6f736214631179310

SHA256
33973aaa04875ae18a4a7843c676b3385411df1600f631ddfe9ed9ea9712313b

SHA512
10cd80911e69ff950717c1576f3b56b2279768a26f163d988510736e8ff4981b7e39f47d1dcacef6038294ad602ed338e3e65effb46f739a2c8fe24270183a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
419f8519583276472c9c3a295c1476bd

SHA1
c9180c99fff548191f8d2ee6f736214631179310

SHA256
33973aaa04875ae18a4a7843c676b3385411df1600f631ddfe9ed9ea9712313b

SHA512
10cd80911e69ff950717c1576f3b56b2279768a26f163d988510736e8ff4981b7e39f47d1dcacef6038294ad602ed338e3e65effb46f739a2c8fe24270183a11

Download Submit
C:\backup.exe

Filesize
72KB

MD5
e5789a99b93121fff74e33a7579f368c

SHA1
7835eb879e2a5b63b353df85ea5cbf717af52584

SHA256
dabe8b96c73089b6d9ec7002cc38251690bee4d6bd3e8664b5c3e1eb12cd9850

SHA512
3bfbd20bb861f7585dae83ebe25cd80e8c4bcfa6d7840136978c1f8a3208643b35da6a84a44ca5ecead58b54af5447db7b9c6f04ded0c29e82c86779c623a58a

Download Submit
C:\backup.exe

Filesize
72KB

MD5
e5789a99b93121fff74e33a7579f368c

SHA1
7835eb879e2a5b63b353df85ea5cbf717af52584

SHA256
dabe8b96c73089b6d9ec7002cc38251690bee4d6bd3e8664b5c3e1eb12cd9850

SHA512
3bfbd20bb861f7585dae83ebe25cd80e8c4bcfa6d7840136978c1f8a3208643b35da6a84a44ca5ecead58b54af5447db7b9c6f04ded0c29e82c86779c623a58a

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
9d11726ce799be7c4c9ecc53b35e7c07

SHA1
f8556cbdf247766e125000bf00ab243e0cbc4797

SHA256
38751afdbe5c27e7965504274c61f23892bfde0259e11cc4b9d99e75bfbb5f34

SHA512
69b6433dabb9f9920298a9e2f311949390005a475e2ffd6b2a66be043ba15fd75fb24a24e54a9dfb500ad7bcd10abba579a47db3d21fd5b78a9fe8eaf657e257

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
9d11726ce799be7c4c9ecc53b35e7c07

SHA1
f8556cbdf247766e125000bf00ab243e0cbc4797

SHA256
38751afdbe5c27e7965504274c61f23892bfde0259e11cc4b9d99e75bfbb5f34

SHA512
69b6433dabb9f9920298a9e2f311949390005a475e2ffd6b2a66be043ba15fd75fb24a24e54a9dfb500ad7bcd10abba579a47db3d21fd5b78a9fe8eaf657e257

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads