1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155

Analysis

max time kernel
162s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe
Size

72KB
MD5

0f1a196dfce2f996fd4d5b5552fe4c71
SHA1

11645b6ff8d1c16fab0e568f25aba2620b0224aa
SHA256

1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155
SHA512

949d123f77de06180309e12effafaf6d62f0b9a19f8fd2437ca840fde0c3d1181197d2db296e4228439c074d698f5e8312821589bfdf6ab86edd6ebcc184dfcc
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2D:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr/

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
456	backup.exe
1580	backup.exe
4860	backup.exe
4852	backup.exe
4832	backup.exe
3368	System Restore.exe
4828	backup.exe
332	backup.exe
1504	backup.exe
3620	update.exe
4364	backup.exe
3100	backup.exe
4680	update.exe
4676	System Restore.exe
4468	update.exe
4196	backup.exe
3596	backup.exe
3436	backup.exe
4568	backup.exe
4516	backup.exe
1428	backup.exe
1300	backup.exe
1552	backup.exe
2040	backup.exe
3932	backup.exe
1172	backup.exe
5012	backup.exe
4240	backup.exe
3428	backup.exe
840	backup.exe
5064	backup.exe
4920	System Restore.exe
3680	backup.exe
3552	backup.exe
2352	backup.exe
972	backup.exe
3464	backup.exe
1464	backup.exe
1796	backup.exe
1056	backup.exe
2152	backup.exe
728	backup.exe
1776	backup.exe
4784	backup.exe
1784	backup.exe
5096	backup.exe
2680	backup.exe
3556	backup.exe
1324	update.exe
1844	backup.exe
3352	backup.exe
3380	backup.exe
3992	backup.exe
2956	backup.exe
2916	backup.exe
860	System Restore.exe
2908	backup.exe
812	backup.exe
1940	backup.exe
4212	backup.exe
4792	backup.exe
4728	backup.exe
4444	backup.exe
4404	System Restore.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\update.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe
456	backup.exe
1580	backup.exe
4860	backup.exe
4852	backup.exe
4832	backup.exe
3368	System Restore.exe
4828	backup.exe
332	backup.exe
1504	backup.exe
4364	backup.exe
3620	update.exe
3100	backup.exe
4680	update.exe
4676	System Restore.exe
4468	update.exe
4196	backup.exe
3596	backup.exe
3436	backup.exe
4568	backup.exe
4516	backup.exe
1428	backup.exe
1300	backup.exe
1552	backup.exe
2040	backup.exe
3932	backup.exe
1172	backup.exe
5012	backup.exe
4240	backup.exe
3428	backup.exe
840	backup.exe
5064	backup.exe
4920	System Restore.exe
972	backup.exe
2352	backup.exe
3552	backup.exe
3464	backup.exe
3680	backup.exe
1464	backup.exe
1796	backup.exe
2152	backup.exe
1056	backup.exe
728	backup.exe
1776	backup.exe
4784	backup.exe
5096	backup.exe
2680	backup.exe
1784	backup.exe
3556	backup.exe
1324	update.exe
1844	backup.exe
3352	backup.exe
3992	backup.exe
3380	backup.exe
2916	backup.exe
2956	backup.exe
860	System Restore.exe
2908	backup.exe
812	backup.exe
1940	backup.exe
4212	backup.exe
4792	backup.exe
4728	backup.exe
4444	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 456	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	80
PID 1648 wrote to memory of 456	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	80
PID 1648 wrote to memory of 456	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	80
PID 1648 wrote to memory of 1580	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	81
PID 1648 wrote to memory of 1580	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	81
PID 1648 wrote to memory of 1580	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	81
PID 1648 wrote to memory of 4860	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	82
PID 1648 wrote to memory of 4860	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	82
PID 1648 wrote to memory of 4860	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	82
PID 1648 wrote to memory of 4852	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	83
PID 1648 wrote to memory of 4852	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	83
PID 1648 wrote to memory of 4852	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	83
PID 1648 wrote to memory of 3368	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	84
PID 1648 wrote to memory of 3368	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	84
PID 1648 wrote to memory of 3368	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	84
PID 456 wrote to memory of 4832	456	backup.exe	85
PID 456 wrote to memory of 4832	456	backup.exe	85
PID 456 wrote to memory of 4832	456	backup.exe	85
PID 4832 wrote to memory of 4828	4832	backup.exe	86
PID 4832 wrote to memory of 4828	4832	backup.exe	86
PID 4832 wrote to memory of 4828	4832	backup.exe	86
PID 1648 wrote to memory of 332	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	87
PID 1648 wrote to memory of 332	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	87
PID 1648 wrote to memory of 332	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	87
PID 4832 wrote to memory of 1504	4832	backup.exe	88
PID 4832 wrote to memory of 1504	4832	backup.exe	88
PID 4832 wrote to memory of 1504	4832	backup.exe	88
PID 1648 wrote to memory of 3620	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	89
PID 1648 wrote to memory of 3620	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	89
PID 1648 wrote to memory of 3620	1648	1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe	89
PID 4832 wrote to memory of 4364	4832	backup.exe	90
PID 4832 wrote to memory of 4364	4832	backup.exe	90
PID 4832 wrote to memory of 4364	4832	backup.exe	90
PID 4364 wrote to memory of 3100	4364	backup.exe	91
PID 4364 wrote to memory of 3100	4364	backup.exe	91
PID 4364 wrote to memory of 3100	4364	backup.exe	91
PID 3100 wrote to memory of 4680	3100	backup.exe	92
PID 3100 wrote to memory of 4680	3100	backup.exe	92
PID 3100 wrote to memory of 4680	3100	backup.exe	92
PID 4364 wrote to memory of 4676	4364	backup.exe	93
PID 4364 wrote to memory of 4676	4364	backup.exe	93
PID 4364 wrote to memory of 4676	4364	backup.exe	93
PID 4676 wrote to memory of 4468	4676	System Restore.exe	94
PID 4676 wrote to memory of 4468	4676	System Restore.exe	94
PID 4676 wrote to memory of 4468	4676	System Restore.exe	94
PID 4676 wrote to memory of 4196	4676	System Restore.exe	95
PID 4676 wrote to memory of 4196	4676	System Restore.exe	95
PID 4676 wrote to memory of 4196	4676	System Restore.exe	95
PID 4196 wrote to memory of 3596	4196	backup.exe	96
PID 4196 wrote to memory of 3596	4196	backup.exe	96
PID 4196 wrote to memory of 3596	4196	backup.exe	96
PID 4196 wrote to memory of 3436	4196	backup.exe	97
PID 4196 wrote to memory of 3436	4196	backup.exe	97
PID 4196 wrote to memory of 3436	4196	backup.exe	97
PID 3436 wrote to memory of 4568	3436	backup.exe	98
PID 3436 wrote to memory of 4568	3436	backup.exe	98
PID 3436 wrote to memory of 4568	3436	backup.exe	98
PID 3436 wrote to memory of 4516	3436	backup.exe	99
PID 3436 wrote to memory of 4516	3436	backup.exe	99
PID 3436 wrote to memory of 4516	3436	backup.exe	99
PID 3436 wrote to memory of 1428	3436	backup.exe	100
PID 3436 wrote to memory of 1428	3436	backup.exe	100
PID 3436 wrote to memory of 1428	3436	backup.exe	100
PID 3436 wrote to memory of 1300	3436	backup.exe	101

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe
"C:\Users\Admin\AppData\Local\Temp\1575c41885cf1c17026557e3b475acb4c363e9feb269e00d74e71baa565d5155.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\526785695\backup.exe
  C:\Users\Admin\AppData\Local\Temp\526785695\backup.exe C:\Users\Admin\AppData\Local\Temp\526785695\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:456
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4828
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1504
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3100
      - C:\Program Files\7-Zip\Lang\update.exe
        
        "C:\Program Files\7-Zip\Lang\update.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4680
    - - C:\Program Files\Common Files\System Restore.exe
        
        "C:\Program Files\Common Files\System Restore.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4676
      - C:\Program Files\Common Files\DESIGNER\update.exe
        
        "C:\Program Files\Common Files\DESIGNER\update.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4468
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3596
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4568
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4516
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1428
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3932
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5012
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4240
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3428
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5064
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4920
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:972
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1464
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1776
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3556
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3352
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4792
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2624
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1948
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4572
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5036
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:3064
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        
        PID:2636
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:3188
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1900
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4340
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:4052
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2336
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        
        PID:3356
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:228
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\update.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3044
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:3700
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3680
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1784
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4728
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2744
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2440
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2016
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3440
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1312
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:4772
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4036
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:4336
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1408
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2480
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        System policy modification
        
        PID:2484
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:912
        
        C:\Program Files\Common Files\microsoft shared\VSTO\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\System Restore.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Drops file in Program Files directory
        
        PID:4468
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:2828
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        System policy modification
        
        PID:4996
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2352
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1056
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4784
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3380
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:812
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1832
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        System policy modification
        
        PID:4656
        
        C:\Program Files\Common Files\System\ado\it-IT\update.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\update.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:176
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        System policy modification
        
        PID:3488
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4320
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:676
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4224
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3668
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4920
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2120
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:4092
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        System policy modification
        
        PID:3784
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3136
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3768
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1528
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3792
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3552
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:728
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3992
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4212
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4444
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:4852
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:5088
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4680
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:3912
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3824
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1552
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4192
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:896
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3612
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:3372
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1372
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4564
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:444
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:4548
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Disables RegEdit via registry modification
        
        PID:616
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2168
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4516
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5112
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:3160
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:3464
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1796
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:5096
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2632
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:2828
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:4276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4516
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1484
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4868
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4704
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:4524
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3844
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:3888
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3988
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:4836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:876
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3696
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:3304
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Drops file in Program Files directory
        
        PID:3620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4852
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:1840
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        System policy modification
        
        PID:2320
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        System policy modification
        
        PID:2308
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:4068
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3832
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        System policy modification
        
        PID:332
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4104
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1640
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:3440
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        System policy modification
        
        PID:4272
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:724
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Disables RegEdit via registry modification
      System policy modification
      PID:404
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3396
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        System policy modification
        
        PID:5024
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:2632
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4368
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:544
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:3928
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:3884
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1172
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4860
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3368
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:332
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3620

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
1⤵
PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
39d6648e67ecb77a8f1f5934a32cb378

SHA1
408f1bfbdfc8aa8c877ab80e51e49e5695acda00

SHA256
79e4e7d8c94558b86b06d663fdcba5ef9f6b1131609318f14eb5ca0b5cfdca83

SHA512
236548e4d939112b9f18ae60337b276fe9eaec7732119efc2b6e924fc237fd9c267b92a2c8a2f33b5cccc13436f4a9623da68ec87c85327776ea4ff41478feb8

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
39d6648e67ecb77a8f1f5934a32cb378

SHA1
408f1bfbdfc8aa8c877ab80e51e49e5695acda00

SHA256
79e4e7d8c94558b86b06d663fdcba5ef9f6b1131609318f14eb5ca0b5cfdca83

SHA512
236548e4d939112b9f18ae60337b276fe9eaec7732119efc2b6e924fc237fd9c267b92a2c8a2f33b5cccc13436f4a9623da68ec87c85327776ea4ff41478feb8

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
10930fcbd472841c0c74c3d8efd4d99d

SHA1
42dc56a85ab3d37c33a08c9ba94ee06d3749f2e2

SHA256
f6c508c818403b2aec130ff7d31719e951286b11404bc6316d72aadf918402bd

SHA512
ffb2ba91be5bd980d1cad5e4ce79e926f49ec780cf4181e2a3951217af1a85a75539ec2c4c4bcb93132adff5dab0dc85bec4dfd9b0f35b49081088a315dddefd

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
10930fcbd472841c0c74c3d8efd4d99d

SHA1
42dc56a85ab3d37c33a08c9ba94ee06d3749f2e2

SHA256
f6c508c818403b2aec130ff7d31719e951286b11404bc6316d72aadf918402bd

SHA512
ffb2ba91be5bd980d1cad5e4ce79e926f49ec780cf4181e2a3951217af1a85a75539ec2c4c4bcb93132adff5dab0dc85bec4dfd9b0f35b49081088a315dddefd

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
09e8ab52a93c093c9157c56fcbcf1d90

SHA1
ff230e4a70baf0335c3dd0a05909fde4b5c3ddd5

SHA256
40c1a951421bfd2c2d472d97862fbf187179aeeee7e8b994d8aabc1f310dcfd6

SHA512
5facf4cd1910aa12187a1e943ddc61fcfea3f51de43e8fb8238e67aee9610c7f7eb9be72ec393758514b159f69fb35fd9fc01faae36f66616be3e64abad56280

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
09e8ab52a93c093c9157c56fcbcf1d90

SHA1
ff230e4a70baf0335c3dd0a05909fde4b5c3ddd5

SHA256
40c1a951421bfd2c2d472d97862fbf187179aeeee7e8b994d8aabc1f310dcfd6

SHA512
5facf4cd1910aa12187a1e943ddc61fcfea3f51de43e8fb8238e67aee9610c7f7eb9be72ec393758514b159f69fb35fd9fc01faae36f66616be3e64abad56280

Download Submit
C:\Program Files\Common Files\DESIGNER\update.exe

Filesize
72KB

MD5
5fc29bfb39035529bdf67f52d71f134e

SHA1
468b51f2eb165ff06fa1318fcd32621dccf41cb1

SHA256
3b50fa1e76d185ff28a0a3839ee14b487e7b1860f95306f86d3a6f8f3b25966a

SHA512
2f86470e007f844ad1106913577d7483f7262c7e8682bbc17f95f52e03d35f77ea349d3e948ee06051fe33657e09f21ddf7b9e622d7662318e71193148124091

Download Submit
C:\Program Files\Common Files\DESIGNER\update.exe

Filesize
72KB

MD5
5fc29bfb39035529bdf67f52d71f134e

SHA1
468b51f2eb165ff06fa1318fcd32621dccf41cb1

SHA256
3b50fa1e76d185ff28a0a3839ee14b487e7b1860f95306f86d3a6f8f3b25966a

SHA512
2f86470e007f844ad1106913577d7483f7262c7e8682bbc17f95f52e03d35f77ea349d3e948ee06051fe33657e09f21ddf7b9e622d7662318e71193148124091

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
72KB

MD5
09e8ab52a93c093c9157c56fcbcf1d90

SHA1
ff230e4a70baf0335c3dd0a05909fde4b5c3ddd5

SHA256
40c1a951421bfd2c2d472d97862fbf187179aeeee7e8b994d8aabc1f310dcfd6

SHA512
5facf4cd1910aa12187a1e943ddc61fcfea3f51de43e8fb8238e67aee9610c7f7eb9be72ec393758514b159f69fb35fd9fc01faae36f66616be3e64abad56280

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
72KB

MD5
09e8ab52a93c093c9157c56fcbcf1d90

SHA1
ff230e4a70baf0335c3dd0a05909fde4b5c3ddd5

SHA256
40c1a951421bfd2c2d472d97862fbf187179aeeee7e8b994d8aabc1f310dcfd6

SHA512
5facf4cd1910aa12187a1e943ddc61fcfea3f51de43e8fb8238e67aee9610c7f7eb9be72ec393758514b159f69fb35fd9fc01faae36f66616be3e64abad56280

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
72fbffbd37bd5cb9edb3052523e71b82

SHA1
d134343765d0f7ea88e28764e791e7d0b938922f

SHA256
1d7097e6bfe9aaa8b2d1cdee92e8701c6332e3d7992f7bb28d3d1aed0cd563aa

SHA512
7892dbc84824401c506e1d68ab2596fa1944f5eedf2a3074947302e4e1ab023902aa1236a467686fc0f54ab18b3cd207ee349cb66196d3b743e5c45045d3fa47

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
72fbffbd37bd5cb9edb3052523e71b82

SHA1
d134343765d0f7ea88e28764e791e7d0b938922f

SHA256
1d7097e6bfe9aaa8b2d1cdee92e8701c6332e3d7992f7bb28d3d1aed0cd563aa

SHA512
7892dbc84824401c506e1d68ab2596fa1944f5eedf2a3074947302e4e1ab023902aa1236a467686fc0f54ab18b3cd207ee349cb66196d3b743e5c45045d3fa47

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
5fc29bfb39035529bdf67f52d71f134e

SHA1
468b51f2eb165ff06fa1318fcd32621dccf41cb1

SHA256
3b50fa1e76d185ff28a0a3839ee14b487e7b1860f95306f86d3a6f8f3b25966a

SHA512
2f86470e007f844ad1106913577d7483f7262c7e8682bbc17f95f52e03d35f77ea349d3e948ee06051fe33657e09f21ddf7b9e622d7662318e71193148124091

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
5fc29bfb39035529bdf67f52d71f134e

SHA1
468b51f2eb165ff06fa1318fcd32621dccf41cb1

SHA256
3b50fa1e76d185ff28a0a3839ee14b487e7b1860f95306f86d3a6f8f3b25966a

SHA512
2f86470e007f844ad1106913577d7483f7262c7e8682bbc17f95f52e03d35f77ea349d3e948ee06051fe33657e09f21ddf7b9e622d7662318e71193148124091

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
2c10b8fdb44c4b742d8238f168b0f06d

SHA1
10266fcd00a6f173bbbadf2172a37f929a87638b

SHA256
ddeac6d1c1b941a9f8b81191651cadab6cabf6860aba282b55f71ff7c317565f

SHA512
01d0c7d202b01bdc06817564115b00180169c02fff62a5bc4eb316165432dc6451ecb9cecf9d3cd833c9546a2e8fe10d0a650f7733df1353736ce961106a7525

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
2c10b8fdb44c4b742d8238f168b0f06d

SHA1
10266fcd00a6f173bbbadf2172a37f929a87638b

SHA256
ddeac6d1c1b941a9f8b81191651cadab6cabf6860aba282b55f71ff7c317565f

SHA512
01d0c7d202b01bdc06817564115b00180169c02fff62a5bc4eb316165432dc6451ecb9cecf9d3cd833c9546a2e8fe10d0a650f7733df1353736ce961106a7525

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
72fbffbd37bd5cb9edb3052523e71b82

SHA1
d134343765d0f7ea88e28764e791e7d0b938922f

SHA256
1d7097e6bfe9aaa8b2d1cdee92e8701c6332e3d7992f7bb28d3d1aed0cd563aa

SHA512
7892dbc84824401c506e1d68ab2596fa1944f5eedf2a3074947302e4e1ab023902aa1236a467686fc0f54ab18b3cd207ee349cb66196d3b743e5c45045d3fa47

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
72fbffbd37bd5cb9edb3052523e71b82

SHA1
d134343765d0f7ea88e28764e791e7d0b938922f

SHA256
1d7097e6bfe9aaa8b2d1cdee92e8701c6332e3d7992f7bb28d3d1aed0cd563aa

SHA512
7892dbc84824401c506e1d68ab2596fa1944f5eedf2a3074947302e4e1ab023902aa1236a467686fc0f54ab18b3cd207ee349cb66196d3b743e5c45045d3fa47

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
2c10b8fdb44c4b742d8238f168b0f06d

SHA1
10266fcd00a6f173bbbadf2172a37f929a87638b

SHA256
ddeac6d1c1b941a9f8b81191651cadab6cabf6860aba282b55f71ff7c317565f

SHA512
01d0c7d202b01bdc06817564115b00180169c02fff62a5bc4eb316165432dc6451ecb9cecf9d3cd833c9546a2e8fe10d0a650f7733df1353736ce961106a7525

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
2c10b8fdb44c4b742d8238f168b0f06d

SHA1
10266fcd00a6f173bbbadf2172a37f929a87638b

SHA256
ddeac6d1c1b941a9f8b81191651cadab6cabf6860aba282b55f71ff7c317565f

SHA512
01d0c7d202b01bdc06817564115b00180169c02fff62a5bc4eb316165432dc6451ecb9cecf9d3cd833c9546a2e8fe10d0a650f7733df1353736ce961106a7525

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
2c10b8fdb44c4b742d8238f168b0f06d

SHA1
10266fcd00a6f173bbbadf2172a37f929a87638b

SHA256
ddeac6d1c1b941a9f8b81191651cadab6cabf6860aba282b55f71ff7c317565f

SHA512
01d0c7d202b01bdc06817564115b00180169c02fff62a5bc4eb316165432dc6451ecb9cecf9d3cd833c9546a2e8fe10d0a650f7733df1353736ce961106a7525

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
2c10b8fdb44c4b742d8238f168b0f06d

SHA1
10266fcd00a6f173bbbadf2172a37f929a87638b

SHA256
ddeac6d1c1b941a9f8b81191651cadab6cabf6860aba282b55f71ff7c317565f

SHA512
01d0c7d202b01bdc06817564115b00180169c02fff62a5bc4eb316165432dc6451ecb9cecf9d3cd833c9546a2e8fe10d0a650f7733df1353736ce961106a7525

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
2c10b8fdb44c4b742d8238f168b0f06d

SHA1
10266fcd00a6f173bbbadf2172a37f929a87638b

SHA256
ddeac6d1c1b941a9f8b81191651cadab6cabf6860aba282b55f71ff7c317565f

SHA512
01d0c7d202b01bdc06817564115b00180169c02fff62a5bc4eb316165432dc6451ecb9cecf9d3cd833c9546a2e8fe10d0a650f7733df1353736ce961106a7525

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
2c10b8fdb44c4b742d8238f168b0f06d

SHA1
10266fcd00a6f173bbbadf2172a37f929a87638b

SHA256
ddeac6d1c1b941a9f8b81191651cadab6cabf6860aba282b55f71ff7c317565f

SHA512
01d0c7d202b01bdc06817564115b00180169c02fff62a5bc4eb316165432dc6451ecb9cecf9d3cd833c9546a2e8fe10d0a650f7733df1353736ce961106a7525

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
902449b04018d953aa2960a0c76304e1

SHA1
db7cde7cb5fdbe8ea0f0e2adf0b701e3005d5689

SHA256
fb7236ff09b6a25b09a8b7eef4b62fd4712f7e286ab862f4ae4ade31198e0c1b

SHA512
72d5ae281d36d2e6c6cbe2a111c49cb709d3f1bad84486426162ad7d91dd5e560c7ae201791987f9052d32a10e13d9d15d133bf47bf25524b372af68cde90c1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
902449b04018d953aa2960a0c76304e1

SHA1
db7cde7cb5fdbe8ea0f0e2adf0b701e3005d5689

SHA256
fb7236ff09b6a25b09a8b7eef4b62fd4712f7e286ab862f4ae4ade31198e0c1b

SHA512
72d5ae281d36d2e6c6cbe2a111c49cb709d3f1bad84486426162ad7d91dd5e560c7ae201791987f9052d32a10e13d9d15d133bf47bf25524b372af68cde90c1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
902449b04018d953aa2960a0c76304e1

SHA1
db7cde7cb5fdbe8ea0f0e2adf0b701e3005d5689

SHA256
fb7236ff09b6a25b09a8b7eef4b62fd4712f7e286ab862f4ae4ade31198e0c1b

SHA512
72d5ae281d36d2e6c6cbe2a111c49cb709d3f1bad84486426162ad7d91dd5e560c7ae201791987f9052d32a10e13d9d15d133bf47bf25524b372af68cde90c1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
902449b04018d953aa2960a0c76304e1

SHA1
db7cde7cb5fdbe8ea0f0e2adf0b701e3005d5689

SHA256
fb7236ff09b6a25b09a8b7eef4b62fd4712f7e286ab862f4ae4ade31198e0c1b

SHA512
72d5ae281d36d2e6c6cbe2a111c49cb709d3f1bad84486426162ad7d91dd5e560c7ae201791987f9052d32a10e13d9d15d133bf47bf25524b372af68cde90c1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
902449b04018d953aa2960a0c76304e1

SHA1
db7cde7cb5fdbe8ea0f0e2adf0b701e3005d5689

SHA256
fb7236ff09b6a25b09a8b7eef4b62fd4712f7e286ab862f4ae4ade31198e0c1b

SHA512
72d5ae281d36d2e6c6cbe2a111c49cb709d3f1bad84486426162ad7d91dd5e560c7ae201791987f9052d32a10e13d9d15d133bf47bf25524b372af68cde90c1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
902449b04018d953aa2960a0c76304e1

SHA1
db7cde7cb5fdbe8ea0f0e2adf0b701e3005d5689

SHA256
fb7236ff09b6a25b09a8b7eef4b62fd4712f7e286ab862f4ae4ade31198e0c1b

SHA512
72d5ae281d36d2e6c6cbe2a111c49cb709d3f1bad84486426162ad7d91dd5e560c7ae201791987f9052d32a10e13d9d15d133bf47bf25524b372af68cde90c1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
b6fcf97ca5aa7689f9ea6d1f0ea3c396

SHA1
1cd3f872dd1b120ce0fba0e86a62b50b54e4fefb

SHA256
cbd60e28ac13fe2286c60bad06f62af11f8f4f8613549ad5018b199772190e84

SHA512
afc8aba67bf1a036c9aba9e9aeee627d954035f9f7900c465422c16d2207f7e707887ccecc88a895adbf219380be05dcf97aa15d0271f6e5d25d667a2adea0da

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
b6fcf97ca5aa7689f9ea6d1f0ea3c396

SHA1
1cd3f872dd1b120ce0fba0e86a62b50b54e4fefb

SHA256
cbd60e28ac13fe2286c60bad06f62af11f8f4f8613549ad5018b199772190e84

SHA512
afc8aba67bf1a036c9aba9e9aeee627d954035f9f7900c465422c16d2207f7e707887ccecc88a895adbf219380be05dcf97aa15d0271f6e5d25d667a2adea0da

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
b6fcf97ca5aa7689f9ea6d1f0ea3c396

SHA1
1cd3f872dd1b120ce0fba0e86a62b50b54e4fefb

SHA256
cbd60e28ac13fe2286c60bad06f62af11f8f4f8613549ad5018b199772190e84

SHA512
afc8aba67bf1a036c9aba9e9aeee627d954035f9f7900c465422c16d2207f7e707887ccecc88a895adbf219380be05dcf97aa15d0271f6e5d25d667a2adea0da

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
b6fcf97ca5aa7689f9ea6d1f0ea3c396

SHA1
1cd3f872dd1b120ce0fba0e86a62b50b54e4fefb

SHA256
cbd60e28ac13fe2286c60bad06f62af11f8f4f8613549ad5018b199772190e84

SHA512
afc8aba67bf1a036c9aba9e9aeee627d954035f9f7900c465422c16d2207f7e707887ccecc88a895adbf219380be05dcf97aa15d0271f6e5d25d667a2adea0da

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
b6fcf97ca5aa7689f9ea6d1f0ea3c396

SHA1
1cd3f872dd1b120ce0fba0e86a62b50b54e4fefb

SHA256
cbd60e28ac13fe2286c60bad06f62af11f8f4f8613549ad5018b199772190e84

SHA512
afc8aba67bf1a036c9aba9e9aeee627d954035f9f7900c465422c16d2207f7e707887ccecc88a895adbf219380be05dcf97aa15d0271f6e5d25d667a2adea0da

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
b6fcf97ca5aa7689f9ea6d1f0ea3c396

SHA1
1cd3f872dd1b120ce0fba0e86a62b50b54e4fefb

SHA256
cbd60e28ac13fe2286c60bad06f62af11f8f4f8613549ad5018b199772190e84

SHA512
afc8aba67bf1a036c9aba9e9aeee627d954035f9f7900c465422c16d2207f7e707887ccecc88a895adbf219380be05dcf97aa15d0271f6e5d25d667a2adea0da

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
651dd6977a9f7c07375b8ce15c6527ac

SHA1
4cedb5fd9b1ded8a30073ce7c7250fec2b035f67

SHA256
327a0eef67b9cc187c4c5169b07746e816cc137ee279f4b056cc48bfc39e2cff

SHA512
b7c5c096907b85e9ceb3a4a7240a1f0f89becce8b751cf474fce19dbbaa93892cf26508185e0e4d7063de8ccdcca3a1ccaf5a6acbd920b02763b7c20888e2371

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
651dd6977a9f7c07375b8ce15c6527ac

SHA1
4cedb5fd9b1ded8a30073ce7c7250fec2b035f67

SHA256
327a0eef67b9cc187c4c5169b07746e816cc137ee279f4b056cc48bfc39e2cff

SHA512
b7c5c096907b85e9ceb3a4a7240a1f0f89becce8b751cf474fce19dbbaa93892cf26508185e0e4d7063de8ccdcca3a1ccaf5a6acbd920b02763b7c20888e2371

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
651dd6977a9f7c07375b8ce15c6527ac

SHA1
4cedb5fd9b1ded8a30073ce7c7250fec2b035f67

SHA256
327a0eef67b9cc187c4c5169b07746e816cc137ee279f4b056cc48bfc39e2cff

SHA512
b7c5c096907b85e9ceb3a4a7240a1f0f89becce8b751cf474fce19dbbaa93892cf26508185e0e4d7063de8ccdcca3a1ccaf5a6acbd920b02763b7c20888e2371

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
651dd6977a9f7c07375b8ce15c6527ac

SHA1
4cedb5fd9b1ded8a30073ce7c7250fec2b035f67

SHA256
327a0eef67b9cc187c4c5169b07746e816cc137ee279f4b056cc48bfc39e2cff

SHA512
b7c5c096907b85e9ceb3a4a7240a1f0f89becce8b751cf474fce19dbbaa93892cf26508185e0e4d7063de8ccdcca3a1ccaf5a6acbd920b02763b7c20888e2371

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
aec8c8878fb2388b9bb99792c4816e53

SHA1
880848a2353a511fdcd12606d6e93295d7ed186c

SHA256
528b8d87253e0f6465c44b4ba4df824bc424ee832800617847e0a16fa088fe51

SHA512
7055fdaf2589300357d49b3154161a910691f37de0285cb956ad408d0dfc1948fd5b3d4c01432a2208c576bb7dc1e7b25acea1a40b381eb999b00ddaf467f432

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
aec8c8878fb2388b9bb99792c4816e53

SHA1
880848a2353a511fdcd12606d6e93295d7ed186c

SHA256
528b8d87253e0f6465c44b4ba4df824bc424ee832800617847e0a16fa088fe51

SHA512
7055fdaf2589300357d49b3154161a910691f37de0285cb956ad408d0dfc1948fd5b3d4c01432a2208c576bb7dc1e7b25acea1a40b381eb999b00ddaf467f432

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\System Restore.exe

Filesize
72KB

MD5
aec8c8878fb2388b9bb99792c4816e53

SHA1
880848a2353a511fdcd12606d6e93295d7ed186c

SHA256
528b8d87253e0f6465c44b4ba4df824bc424ee832800617847e0a16fa088fe51

SHA512
7055fdaf2589300357d49b3154161a910691f37de0285cb956ad408d0dfc1948fd5b3d4c01432a2208c576bb7dc1e7b25acea1a40b381eb999b00ddaf467f432

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\System Restore.exe

Filesize
72KB

MD5
aec8c8878fb2388b9bb99792c4816e53

SHA1
880848a2353a511fdcd12606d6e93295d7ed186c

SHA256
528b8d87253e0f6465c44b4ba4df824bc424ee832800617847e0a16fa088fe51

SHA512
7055fdaf2589300357d49b3154161a910691f37de0285cb956ad408d0dfc1948fd5b3d4c01432a2208c576bb7dc1e7b25acea1a40b381eb999b00ddaf467f432

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
39d6648e67ecb77a8f1f5934a32cb378

SHA1
408f1bfbdfc8aa8c877ab80e51e49e5695acda00

SHA256
79e4e7d8c94558b86b06d663fdcba5ef9f6b1131609318f14eb5ca0b5cfdca83

SHA512
236548e4d939112b9f18ae60337b276fe9eaec7732119efc2b6e924fc237fd9c267b92a2c8a2f33b5cccc13436f4a9623da68ec87c85327776ea4ff41478feb8

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
39d6648e67ecb77a8f1f5934a32cb378

SHA1
408f1bfbdfc8aa8c877ab80e51e49e5695acda00

SHA256
79e4e7d8c94558b86b06d663fdcba5ef9f6b1131609318f14eb5ca0b5cfdca83

SHA512
236548e4d939112b9f18ae60337b276fe9eaec7732119efc2b6e924fc237fd9c267b92a2c8a2f33b5cccc13436f4a9623da68ec87c85327776ea4ff41478feb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\526785695\backup.exe

Filesize
72KB

MD5
24da93a3ab6d77f7c458fdfc0829e655

SHA1
f57e8b708b487907b1b28ba7f5f06efa99208998

SHA256
925256f6490bf282d078d40bc3fffbc9ced824e854411acfe84e8647f7971f00

SHA512
b6818419e20092e1958d62da2d3b56357f49ab1274ef5c0a9dfdf918141fff00dca924d837601c4e9f8c6d0804c527f45c8eafbb3b149d5a96d195646bb02eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\526785695\backup.exe

Filesize
72KB

MD5
24da93a3ab6d77f7c458fdfc0829e655

SHA1
f57e8b708b487907b1b28ba7f5f06efa99208998

SHA256
925256f6490bf282d078d40bc3fffbc9ced824e854411acfe84e8647f7971f00

SHA512
b6818419e20092e1958d62da2d3b56357f49ab1274ef5c0a9dfdf918141fff00dca924d837601c4e9f8c6d0804c527f45c8eafbb3b149d5a96d195646bb02eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
506234bc4c5c955e46176bad5b0aefbb

SHA1
c419be0b17111ca5b2f97332321120795b878c6e

SHA256
c93eb48403ec317e61cd8a3e5f5b10d329983853db0c5f5ba48ab24aa3b6f40c

SHA512
7abf6a75adc829abc0ec4b0346b60e7dce69a5afe6b6a840faf9d2f7340a2f93087bc2731a7e3bb8f520ac370191e000c3b2fe05da7305b37c0345704908d70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
506234bc4c5c955e46176bad5b0aefbb

SHA1
c419be0b17111ca5b2f97332321120795b878c6e

SHA256
c93eb48403ec317e61cd8a3e5f5b10d329983853db0c5f5ba48ab24aa3b6f40c

SHA512
7abf6a75adc829abc0ec4b0346b60e7dce69a5afe6b6a840faf9d2f7340a2f93087bc2731a7e3bb8f520ac370191e000c3b2fe05da7305b37c0345704908d70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
46041025661decfbdcb70ec30ade2b60

SHA1
42b2e852efe0340af68305a64382678c206b4943

SHA256
eda2a85c1b005cd13d615754a7da82673519b8b09b3fa1b2beffa494c3f0d8a1

SHA512
04c97eb84835c1f6b7cef959818f37dbbb791c4dfb84a1c10220c5744aefae37a8d6b86dfb529a1bb97c134dc2ed78f03ef74f2cb60cb76dce42672576d562e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
46041025661decfbdcb70ec30ade2b60

SHA1
42b2e852efe0340af68305a64382678c206b4943

SHA256
eda2a85c1b005cd13d615754a7da82673519b8b09b3fa1b2beffa494c3f0d8a1

SHA512
04c97eb84835c1f6b7cef959818f37dbbb791c4dfb84a1c10220c5744aefae37a8d6b86dfb529a1bb97c134dc2ed78f03ef74f2cb60cb76dce42672576d562e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
46041025661decfbdcb70ec30ade2b60

SHA1
42b2e852efe0340af68305a64382678c206b4943

SHA256
eda2a85c1b005cd13d615754a7da82673519b8b09b3fa1b2beffa494c3f0d8a1

SHA512
04c97eb84835c1f6b7cef959818f37dbbb791c4dfb84a1c10220c5744aefae37a8d6b86dfb529a1bb97c134dc2ed78f03ef74f2cb60cb76dce42672576d562e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
46041025661decfbdcb70ec30ade2b60

SHA1
42b2e852efe0340af68305a64382678c206b4943

SHA256
eda2a85c1b005cd13d615754a7da82673519b8b09b3fa1b2beffa494c3f0d8a1

SHA512
04c97eb84835c1f6b7cef959818f37dbbb791c4dfb84a1c10220c5744aefae37a8d6b86dfb529a1bb97c134dc2ed78f03ef74f2cb60cb76dce42672576d562e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
506234bc4c5c955e46176bad5b0aefbb

SHA1
c419be0b17111ca5b2f97332321120795b878c6e

SHA256
c93eb48403ec317e61cd8a3e5f5b10d329983853db0c5f5ba48ab24aa3b6f40c

SHA512
7abf6a75adc829abc0ec4b0346b60e7dce69a5afe6b6a840faf9d2f7340a2f93087bc2731a7e3bb8f520ac370191e000c3b2fe05da7305b37c0345704908d70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
506234bc4c5c955e46176bad5b0aefbb

SHA1
c419be0b17111ca5b2f97332321120795b878c6e

SHA256
c93eb48403ec317e61cd8a3e5f5b10d329983853db0c5f5ba48ab24aa3b6f40c

SHA512
7abf6a75adc829abc0ec4b0346b60e7dce69a5afe6b6a840faf9d2f7340a2f93087bc2731a7e3bb8f520ac370191e000c3b2fe05da7305b37c0345704908d70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
506234bc4c5c955e46176bad5b0aefbb

SHA1
c419be0b17111ca5b2f97332321120795b878c6e

SHA256
c93eb48403ec317e61cd8a3e5f5b10d329983853db0c5f5ba48ab24aa3b6f40c

SHA512
7abf6a75adc829abc0ec4b0346b60e7dce69a5afe6b6a840faf9d2f7340a2f93087bc2731a7e3bb8f520ac370191e000c3b2fe05da7305b37c0345704908d70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
506234bc4c5c955e46176bad5b0aefbb

SHA1
c419be0b17111ca5b2f97332321120795b878c6e

SHA256
c93eb48403ec317e61cd8a3e5f5b10d329983853db0c5f5ba48ab24aa3b6f40c

SHA512
7abf6a75adc829abc0ec4b0346b60e7dce69a5afe6b6a840faf9d2f7340a2f93087bc2731a7e3bb8f520ac370191e000c3b2fe05da7305b37c0345704908d70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
72KB

MD5
46041025661decfbdcb70ec30ade2b60

SHA1
42b2e852efe0340af68305a64382678c206b4943

SHA256
eda2a85c1b005cd13d615754a7da82673519b8b09b3fa1b2beffa494c3f0d8a1

SHA512
04c97eb84835c1f6b7cef959818f37dbbb791c4dfb84a1c10220c5744aefae37a8d6b86dfb529a1bb97c134dc2ed78f03ef74f2cb60cb76dce42672576d562e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
72KB

MD5
46041025661decfbdcb70ec30ade2b60

SHA1
42b2e852efe0340af68305a64382678c206b4943

SHA256
eda2a85c1b005cd13d615754a7da82673519b8b09b3fa1b2beffa494c3f0d8a1

SHA512
04c97eb84835c1f6b7cef959818f37dbbb791c4dfb84a1c10220c5744aefae37a8d6b86dfb529a1bb97c134dc2ed78f03ef74f2cb60cb76dce42672576d562e0

Download Submit
C:\backup.exe

Filesize
72KB

MD5
1df31f495c278d94bffaeeed02304322

SHA1
e4817e875c4fff44e0745520606c51093addbd0a

SHA256
c6e2525a971d24384bd15ce278db92299c8b8263fefe5ad53c2797c7b3940b6c

SHA512
1a3094e4debc5b89b9e11f8c2549c8b24c91f36dfb6a4f91141158f37a533fc21c704093eb8108e3c838751b33c5a667d0d611007429749a1e71438ec51a74ea

Download Submit
C:\backup.exe

Filesize
72KB

MD5
1df31f495c278d94bffaeeed02304322

SHA1
e4817e875c4fff44e0745520606c51093addbd0a

SHA256
c6e2525a971d24384bd15ce278db92299c8b8263fefe5ad53c2797c7b3940b6c

SHA512
1a3094e4debc5b89b9e11f8c2549c8b24c91f36dfb6a4f91141158f37a533fc21c704093eb8108e3c838751b33c5a667d0d611007429749a1e71438ec51a74ea

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
39d6648e67ecb77a8f1f5934a32cb378

SHA1
408f1bfbdfc8aa8c877ab80e51e49e5695acda00

SHA256
79e4e7d8c94558b86b06d663fdcba5ef9f6b1131609318f14eb5ca0b5cfdca83

SHA512
236548e4d939112b9f18ae60337b276fe9eaec7732119efc2b6e924fc237fd9c267b92a2c8a2f33b5cccc13436f4a9623da68ec87c85327776ea4ff41478feb8

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
39d6648e67ecb77a8f1f5934a32cb378

SHA1
408f1bfbdfc8aa8c877ab80e51e49e5695acda00

SHA256
79e4e7d8c94558b86b06d663fdcba5ef9f6b1131609318f14eb5ca0b5cfdca83

SHA512
236548e4d939112b9f18ae60337b276fe9eaec7732119efc2b6e924fc237fd9c267b92a2c8a2f33b5cccc13436f4a9623da68ec87c85327776ea4ff41478feb8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads