f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4

Analysis

max time kernel
207s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe
Size

72KB
MD5

043969b9c3e1be1a1467b194d6be8615
SHA1

72b0963368af678b3ddf0931150ef1c77fd2da20
SHA256

f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4
SHA512

8536298f93bc7ce4ed1052b59c5ab18b6c82923ee9991f3cfb2b601560f274b0d0fa44a84762d34949a5344e2d7cb0b88d3864cf86b8e6e8ab8968b0fc059f91
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2k:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPw

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
4764	backup.exe
3524	backup.exe
4348	backup.exe
4248	backup.exe
1236	backup.exe
1300	backup.exe
3640	backup.exe
4036	backup.exe
4592	backup.exe
2276	backup.exe
4252	backup.exe
2356	backup.exe
4388	backup.exe
1528	backup.exe
4164	backup.exe
3448	backup.exe
3672	data.exe
1888	backup.exe
4948	backup.exe
4692	backup.exe
2704	backup.exe
4608	data.exe
1968	backup.exe
2976	backup.exe
3812	backup.exe
396	backup.exe
2336	backup.exe
1524	backup.exe
3932	backup.exe
2272	backup.exe
4916	backup.exe
1920	backup.exe
3388	backup.exe
1492	backup.exe
2136	backup.exe
1624	backup.exe
2760	backup.exe
1520	backup.exe
1660	backup.exe
712	backup.exe
1800	backup.exe
2940	backup.exe
4824	backup.exe
1864	backup.exe
4380	update.exe
3708	backup.exe
3520	backup.exe
1708	backup.exe
4144	backup.exe
3792	data.exe
3580	backup.exe
2884	backup.exe
3664	backup.exe
5088	backup.exe
5016	backup.exe
3648	backup.exe
1628	backup.exe
2424	backup.exe
2056	backup.exe
3864	backup.exe
2868	backup.exe
2228	backup.exe
1008	backup.exe
2004	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\data.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\data.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\backup.exe	backup.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe
4764	backup.exe
3524	backup.exe
4348	backup.exe
4248	backup.exe
1236	backup.exe
1300	backup.exe
3640	backup.exe
4036	backup.exe
4592	backup.exe
2276	backup.exe
4252	backup.exe
2356	backup.exe
4388	backup.exe
1528	backup.exe
4164	backup.exe
3448	backup.exe
3672	data.exe
1888	backup.exe
4948	backup.exe
4692	backup.exe
2704	backup.exe
4608	data.exe
1968	backup.exe
2976	backup.exe
3812	backup.exe
396	backup.exe
2336	backup.exe
1524	backup.exe
3932	backup.exe
2272	backup.exe
4916	backup.exe
1920	backup.exe
3388	backup.exe
1624	backup.exe
2760	backup.exe
1660	backup.exe
1492	backup.exe
2136	backup.exe
1520	backup.exe
1800	backup.exe
712	backup.exe
2940	backup.exe
1864	backup.exe
4824	backup.exe
4380	update.exe
1708	backup.exe
3520	backup.exe
3708	backup.exe
4144	backup.exe
3580	backup.exe
3664	backup.exe
2884	backup.exe
5088	backup.exe
1472	backup.exe
5016	backup.exe
1628	backup.exe
3648	backup.exe
2424	backup.exe
2056	backup.exe
3864	backup.exe
2228	backup.exe
1008	backup.exe
1252	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 4764	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	78
PID 2296 wrote to memory of 4764	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	78
PID 2296 wrote to memory of 4764	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	78
PID 2296 wrote to memory of 3524	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	79
PID 2296 wrote to memory of 3524	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	79
PID 2296 wrote to memory of 3524	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	79
PID 2296 wrote to memory of 4348	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	80
PID 2296 wrote to memory of 4348	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	80
PID 2296 wrote to memory of 4348	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	80
PID 2296 wrote to memory of 4248	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	81
PID 2296 wrote to memory of 4248	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	81
PID 2296 wrote to memory of 4248	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	81
PID 2296 wrote to memory of 1236	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	82
PID 2296 wrote to memory of 1236	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	82
PID 2296 wrote to memory of 1236	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	82
PID 2296 wrote to memory of 1300	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	83
PID 2296 wrote to memory of 1300	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	83
PID 2296 wrote to memory of 1300	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	83
PID 4764 wrote to memory of 3640	4764	backup.exe	84
PID 4764 wrote to memory of 3640	4764	backup.exe	84
PID 4764 wrote to memory of 3640	4764	backup.exe	84
PID 2296 wrote to memory of 4036	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	85
PID 2296 wrote to memory of 4036	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	85
PID 2296 wrote to memory of 4036	2296	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe	85
PID 3640 wrote to memory of 4592	3640	backup.exe	86
PID 3640 wrote to memory of 4592	3640	backup.exe	86
PID 3640 wrote to memory of 4592	3640	backup.exe	86
PID 3640 wrote to memory of 2276	3640	backup.exe	87
PID 3640 wrote to memory of 2276	3640	backup.exe	87
PID 3640 wrote to memory of 2276	3640	backup.exe	87
PID 3640 wrote to memory of 4252	3640	backup.exe	88
PID 3640 wrote to memory of 4252	3640	backup.exe	88
PID 3640 wrote to memory of 4252	3640	backup.exe	88
PID 4252 wrote to memory of 2356	4252	backup.exe	89
PID 4252 wrote to memory of 2356	4252	backup.exe	89
PID 4252 wrote to memory of 2356	4252	backup.exe	89
PID 2356 wrote to memory of 4388	2356	backup.exe	90
PID 2356 wrote to memory of 4388	2356	backup.exe	90
PID 2356 wrote to memory of 4388	2356	backup.exe	90
PID 4252 wrote to memory of 1528	4252	backup.exe	91
PID 4252 wrote to memory of 1528	4252	backup.exe	91
PID 4252 wrote to memory of 1528	4252	backup.exe	91
PID 1528 wrote to memory of 4164	1528	backup.exe	92
PID 1528 wrote to memory of 4164	1528	backup.exe	92
PID 1528 wrote to memory of 4164	1528	backup.exe	92
PID 1528 wrote to memory of 3448	1528	backup.exe	93
PID 1528 wrote to memory of 3448	1528	backup.exe	93
PID 1528 wrote to memory of 3448	1528	backup.exe	93
PID 3448 wrote to memory of 3672	3448	backup.exe	94
PID 3448 wrote to memory of 3672	3448	backup.exe	94
PID 3448 wrote to memory of 3672	3448	backup.exe	94
PID 3448 wrote to memory of 1888	3448	backup.exe	95
PID 3448 wrote to memory of 1888	3448	backup.exe	95
PID 3448 wrote to memory of 1888	3448	backup.exe	95
PID 1888 wrote to memory of 4948	1888	backup.exe	96
PID 1888 wrote to memory of 4948	1888	backup.exe	96
PID 1888 wrote to memory of 4948	1888	backup.exe	96
PID 1888 wrote to memory of 4692	1888	backup.exe	97
PID 1888 wrote to memory of 4692	1888	backup.exe	97
PID 1888 wrote to memory of 4692	1888	backup.exe	97
PID 1888 wrote to memory of 2704	1888	backup.exe	98
PID 1888 wrote to memory of 2704	1888	backup.exe	98
PID 1888 wrote to memory of 2704	1888	backup.exe	98
PID 1888 wrote to memory of 4608	1888	backup.exe	99

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe
"C:\Users\Admin\AppData\Local\Temp\f38d597571263afb5fada39707610a9567bfc0febf7145b225992c0babf023f4.exe"
1⤵
- Disables RegEdit via registry modification
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2296
- C:\Users\Admin\AppData\Local\Temp\3388051835\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3388051835\backup.exe C:\Users\Admin\AppData\Local\Temp\3388051835\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4764
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4592
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2276
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4252
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4388
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1528
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4164
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\data.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3672
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4948
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4692
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2704
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4608
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1968
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        9⤵
        System policy modification
        
        PID:2140
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        9⤵
        
        PID:1952
        
        C:\Program Files\Common Files\System\msadc\es-ES\data.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\data.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        9⤵
        
        PID:1688
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2976
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3812
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:396
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3932
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4916
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1920
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3388
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1708
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3084
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:2868
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5088
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3988
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3156
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1456
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:1920
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:1684
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\update.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4380
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5016
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:404
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:4836
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4492
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1184
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:4028
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2064
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:532
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\update.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        System policy modification
        
        PID:4084
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1436
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        
        PID:2296
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:1352
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3508
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        
        PID:2508
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1520
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3520
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2424
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2676
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:772
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4112
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4820
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4824
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3664
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        System policy modification
        
        PID:380
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3864
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3220
        
        C:\Program Files\Common Files\microsoft shared\TextConv\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\update.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:868
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:396
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:1524
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4308
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2932
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2028
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:5104
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:2640
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4712
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3580
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3800
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2296
        
        C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2336
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:4652
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4260
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1608
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4968
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1000
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1412
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        System policy modification
        
        PID:4836
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1968
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1492
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3708
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:712
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4144
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:2004
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3648
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4496
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4700
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:5076
      - C:\Program Files\Internet Explorer\ja-JP\System Restore.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\System Restore.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        System policy modification
        
        PID:1620
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2660
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4508
      - C:\Program Files\Java\jdk1.8.0_66\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\data.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4748
        
        C:\Program Files\Java\jdk1.8.0_66\bin\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\data.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1860
        
        C:\Program Files\Java\jdk1.8.0_66\db\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\data.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4496
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2272
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        
        PID:3380
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:816
      - C:\Program Files\Java\jre1.8.0_66\System Restore.exe
        
        "C:\Program Files\Java\jre1.8.0_66\System Restore.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        Drops file in Program Files directory
        
        PID:4596
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        Drops file in Program Files directory
        
        PID:2976
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4324
        
        C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
        8⤵
        
        PID:1684
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        System policy modification
        
        PID:4928
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:3724
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        System policy modification
        
        PID:1880
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4156
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2136
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1864
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2228
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:4176
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        System policy modification
        
        PID:3096
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:2760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1420
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        System policy modification
        
        PID:3548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3752
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:4856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        Disables RegEdit via registry modification
        
        PID:872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:2464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2612
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4312
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:720
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4592
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        System policy modification
        
        PID:2844
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4744
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4228
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:4200
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1800
    - - C:\Users\Admin\data.exe
        
        C:\Users\Admin\data.exe C:\Users\Admin\
        5⤵
        Executes dropped EXE
        
        PID:3792
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1472
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1252
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3456
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Disables RegEdit via registry modification
        
        PID:844
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:2516
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:4960
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2508
      - C:\Users\Admin\Music\data.exe
        
        C:\Users\Admin\Music\data.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2160
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:1560
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2024
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        System policy modification
        
        PID:1432
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:644
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2416
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Disables RegEdit via registry modification
        
        PID:424
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3636
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:4120
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:868
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:4396
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2568
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3388
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:1816
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        System policy modification
        
        PID:4420
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:3512
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        System policy modification
        
        PID:4448
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3524
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4348
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4248
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1236
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1300
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4036

C:\Program Files\Google\Chrome\Application\backup.exe
"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1628
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Program Files directory
  PID:4036
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
    3⤵
    PID:3440
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
    3⤵
    - System policy modification
    PID:4240
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
    3⤵
    - System policy modification
    PID:1516
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\data.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
    3⤵
    PID:536
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1832
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
    3⤵
    PID:3992
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4436
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4408
  - - C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
      4⤵
      System policy modification
      PID:1244
    - - C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2328
- C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
  "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
  2⤵
  - Disables RegEdit via registry modification
  - System policy modification
  PID:4664

C:\Program Files\Common Files\System\ado\en-US\backup.exe
"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:3028

C:\Program Files\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2056

C:\Users\Admin\Pictures\Camera Roll\update.exe
"C:\Users\Admin\Pictures\Camera Roll\update.exe" C:\Users\Admin\Pictures\Camera Roll\
1⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:4140

C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
"C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
1⤵
PID:3900

C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
1⤵
PID:3312

C:\Windows\appcompat\appraiser\Telemetry\backup.exe
C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
1⤵
PID:4028

C:\Program Files\Microsoft Office\root\Client\backup.exe
"C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
8617c488670fbc0e281e676fc35be7a8

SHA1
d9a458c1afe13a467664ab6d6cf6ec88f4f1cf69

SHA256
d3b3e1dee18e8bb1807e0b02717a827334fc06566c9d5cf6b101e9da10f55225

SHA512
7683b0d5a8b223d14f524e3570d957bb100953d2dec4daa21c0c27faefce3f2ef6cfd664e36cac51ac8c603979d547923f5c9752eba5f7df2a4c9c8d9c5dc188

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
8617c488670fbc0e281e676fc35be7a8

SHA1
d9a458c1afe13a467664ab6d6cf6ec88f4f1cf69

SHA256
d3b3e1dee18e8bb1807e0b02717a827334fc06566c9d5cf6b101e9da10f55225

SHA512
7683b0d5a8b223d14f524e3570d957bb100953d2dec4daa21c0c27faefce3f2ef6cfd664e36cac51ac8c603979d547923f5c9752eba5f7df2a4c9c8d9c5dc188

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
1edc879d2234e2beec03bacfd28fa1ae

SHA1
1e24475dac3be2fe7bff6b273509bc9167cb81f0

SHA256
5fd48c91146571d9b6cd291401dbc1ffd202de5169c9b799f940fae3e6055102

SHA512
4bd8ec1dd0baaeb19eb88849c261583015808ad46ccf362c4a863f80ae29d151c0a5b6be4d936c602981e4851ce5a15d874bf35d970c7a920a1369442a728630

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
1edc879d2234e2beec03bacfd28fa1ae

SHA1
1e24475dac3be2fe7bff6b273509bc9167cb81f0

SHA256
5fd48c91146571d9b6cd291401dbc1ffd202de5169c9b799f940fae3e6055102

SHA512
4bd8ec1dd0baaeb19eb88849c261583015808ad46ccf362c4a863f80ae29d151c0a5b6be4d936c602981e4851ce5a15d874bf35d970c7a920a1369442a728630

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
eacdfd95913fc697dc38822822de4082

SHA1
9ef24f8424c993e32af5d6a034dde8382e9a8751

SHA256
372049ef016657a7cb6d70a73e515a96df92e69526f3370f885aae42410f83e1

SHA512
0ef115c6ffc25e375ade12e18e83536330462caa1cf84ed82600d8e296b9a73fc8979eb65226e9db6d641cb8c42f9ea3868c24112f3562e879cf831466e91c0b

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
eacdfd95913fc697dc38822822de4082

SHA1
9ef24f8424c993e32af5d6a034dde8382e9a8751

SHA256
372049ef016657a7cb6d70a73e515a96df92e69526f3370f885aae42410f83e1

SHA512
0ef115c6ffc25e375ade12e18e83536330462caa1cf84ed82600d8e296b9a73fc8979eb65226e9db6d641cb8c42f9ea3868c24112f3562e879cf831466e91c0b

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
1739e4a4b6a671ae10cbfd28a68f392e

SHA1
bed619c2c6c0436915d361821b28c5adf1e7c59b

SHA256
41f6bf391c2094dbf688db6ce7fd239c3d30b060815b749bc5591a08c283f620

SHA512
16a4db208fbb4727068aa815bca69a0f6c2346918cde7f8f0c644b02a298c98a5c999abdba9dfec9fde2438fa50577b5c36b6516b5ef5a1115fa55456dfdf5dd

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
1739e4a4b6a671ae10cbfd28a68f392e

SHA1
bed619c2c6c0436915d361821b28c5adf1e7c59b

SHA256
41f6bf391c2094dbf688db6ce7fd239c3d30b060815b749bc5591a08c283f620

SHA512
16a4db208fbb4727068aa815bca69a0f6c2346918cde7f8f0c644b02a298c98a5c999abdba9dfec9fde2438fa50577b5c36b6516b5ef5a1115fa55456dfdf5dd

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c66b6b08399f8310983afb8a210fb430

SHA1
bd341480f16843ca80cbc4cd7d5fbcc0d8d7196c

SHA256
7969b710c740b144a669f75c935cc46649482c16cc88d3d21524d431a9acc7f8

SHA512
4a3397c02da0695e11a92e34c0623f00de24b5df3b506534381f7ac2432555dfe769cc2da5f68aa041faa32c9bf80873c3f559f5999c7d4997681fdcfb42e711

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c66b6b08399f8310983afb8a210fb430

SHA1
bd341480f16843ca80cbc4cd7d5fbcc0d8d7196c

SHA256
7969b710c740b144a669f75c935cc46649482c16cc88d3d21524d431a9acc7f8

SHA512
4a3397c02da0695e11a92e34c0623f00de24b5df3b506534381f7ac2432555dfe769cc2da5f68aa041faa32c9bf80873c3f559f5999c7d4997681fdcfb42e711

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\data.exe

Filesize
72KB

MD5
f255dee724d97cb68305dc6fd30b5cea

SHA1
cb89a3760f8923ee1dc7c2294bde636c4d3cddce

SHA256
4d59c1ce79d559655ed8e48fdd9aa6f3b58b59842fcc517e661ba75641e72d3c

SHA512
65321355d4cb14f5ef7df74f1212c2b6838c684e225c45c3274b5104060ad3de3e9097b3d2c6cad05290f4096b7d9150740b8b4e96e2a7183563086d443ca26f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\data.exe

Filesize
72KB

MD5
f255dee724d97cb68305dc6fd30b5cea

SHA1
cb89a3760f8923ee1dc7c2294bde636c4d3cddce

SHA256
4d59c1ce79d559655ed8e48fdd9aa6f3b58b59842fcc517e661ba75641e72d3c

SHA512
65321355d4cb14f5ef7df74f1212c2b6838c684e225c45c3274b5104060ad3de3e9097b3d2c6cad05290f4096b7d9150740b8b4e96e2a7183563086d443ca26f

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
54ef182ba34869ce4f238cba716e805c

SHA1
af2a47848c8591bfc30ceffd375868820851ca16

SHA256
10a103b8ba71e7bdf137f263ba3e4c7ffec9624719c48bab2d50d3502429ad06

SHA512
e116966de51e5f640a95069d20ecc5f0301f333eb7d84093350aa591191792e904f0b71c62a085a54cd45e6a7966374dc67f28a64a5357b3f2295f637e79471c

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
54ef182ba34869ce4f238cba716e805c

SHA1
af2a47848c8591bfc30ceffd375868820851ca16

SHA256
10a103b8ba71e7bdf137f263ba3e4c7ffec9624719c48bab2d50d3502429ad06

SHA512
e116966de51e5f640a95069d20ecc5f0301f333eb7d84093350aa591191792e904f0b71c62a085a54cd45e6a7966374dc67f28a64a5357b3f2295f637e79471c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
a0f5ec6b753349932fd55e18988c299d

SHA1
4868e4ada617fb33f287d87cbf82e2bbd96eb536

SHA256
56634c19974e8a90631c8137e979fd7a9b0e3f04f3495c5dea8cbebfbf5858c2

SHA512
0a870f4febed6feaef69f08767ad5147d15c2d8d0779e2b681ffdb56ea85337a3d8fe92e39cc7aa3039f372264f8ada10e9b70a82815afca2c9e098bfc7fee54

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
a0f5ec6b753349932fd55e18988c299d

SHA1
4868e4ada617fb33f287d87cbf82e2bbd96eb536

SHA256
56634c19974e8a90631c8137e979fd7a9b0e3f04f3495c5dea8cbebfbf5858c2

SHA512
0a870f4febed6feaef69f08767ad5147d15c2d8d0779e2b681ffdb56ea85337a3d8fe92e39cc7aa3039f372264f8ada10e9b70a82815afca2c9e098bfc7fee54

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
625440285ee9da02aa13bdfab13ed8d3

SHA1
5a6da44013c747dfa1e25db5d776e55c1663696c

SHA256
4336207103045e0c7da35dc782620165aff9945a5c6626b739e91794a9b14fa7

SHA512
99eedad5256ae3b8fbbbb97050511061fd1b6e6b0317bdd8eb6cc3a219260b5e84410daf142a1243bbf98fb7493602f4ea9e9bbc92bb87900d9670bcf2da7843

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
625440285ee9da02aa13bdfab13ed8d3

SHA1
5a6da44013c747dfa1e25db5d776e55c1663696c

SHA256
4336207103045e0c7da35dc782620165aff9945a5c6626b739e91794a9b14fa7

SHA512
99eedad5256ae3b8fbbbb97050511061fd1b6e6b0317bdd8eb6cc3a219260b5e84410daf142a1243bbf98fb7493602f4ea9e9bbc92bb87900d9670bcf2da7843

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
a0f5ec6b753349932fd55e18988c299d

SHA1
4868e4ada617fb33f287d87cbf82e2bbd96eb536

SHA256
56634c19974e8a90631c8137e979fd7a9b0e3f04f3495c5dea8cbebfbf5858c2

SHA512
0a870f4febed6feaef69f08767ad5147d15c2d8d0779e2b681ffdb56ea85337a3d8fe92e39cc7aa3039f372264f8ada10e9b70a82815afca2c9e098bfc7fee54

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
a0f5ec6b753349932fd55e18988c299d

SHA1
4868e4ada617fb33f287d87cbf82e2bbd96eb536

SHA256
56634c19974e8a90631c8137e979fd7a9b0e3f04f3495c5dea8cbebfbf5858c2

SHA512
0a870f4febed6feaef69f08767ad5147d15c2d8d0779e2b681ffdb56ea85337a3d8fe92e39cc7aa3039f372264f8ada10e9b70a82815afca2c9e098bfc7fee54

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
a0f5ec6b753349932fd55e18988c299d

SHA1
4868e4ada617fb33f287d87cbf82e2bbd96eb536

SHA256
56634c19974e8a90631c8137e979fd7a9b0e3f04f3495c5dea8cbebfbf5858c2

SHA512
0a870f4febed6feaef69f08767ad5147d15c2d8d0779e2b681ffdb56ea85337a3d8fe92e39cc7aa3039f372264f8ada10e9b70a82815afca2c9e098bfc7fee54

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
a0f5ec6b753349932fd55e18988c299d

SHA1
4868e4ada617fb33f287d87cbf82e2bbd96eb536

SHA256
56634c19974e8a90631c8137e979fd7a9b0e3f04f3495c5dea8cbebfbf5858c2

SHA512
0a870f4febed6feaef69f08767ad5147d15c2d8d0779e2b681ffdb56ea85337a3d8fe92e39cc7aa3039f372264f8ada10e9b70a82815afca2c9e098bfc7fee54

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe

Filesize
72KB

MD5
efe0ffed7b169a56e4a1182c5ba98e36

SHA1
ac0053a44ca920f328eea7ac0b0ac4bbf72d5877

SHA256
197e94abc94b6361a9d8b42596b218a3b74c4a5619db21ae4f4873b645216d35

SHA512
97ed59371ebe85b98622949535ad983b6c5354049e389aa48cbdd3b587a257c0dc53fca5befb3927f629b609b38d5cad698a9a6249e6a7b6708754913dde2008

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe

Filesize
72KB

MD5
efe0ffed7b169a56e4a1182c5ba98e36

SHA1
ac0053a44ca920f328eea7ac0b0ac4bbf72d5877

SHA256
197e94abc94b6361a9d8b42596b218a3b74c4a5619db21ae4f4873b645216d35

SHA512
97ed59371ebe85b98622949535ad983b6c5354049e389aa48cbdd3b587a257c0dc53fca5befb3927f629b609b38d5cad698a9a6249e6a7b6708754913dde2008

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
efe0ffed7b169a56e4a1182c5ba98e36

SHA1
ac0053a44ca920f328eea7ac0b0ac4bbf72d5877

SHA256
197e94abc94b6361a9d8b42596b218a3b74c4a5619db21ae4f4873b645216d35

SHA512
97ed59371ebe85b98622949535ad983b6c5354049e389aa48cbdd3b587a257c0dc53fca5befb3927f629b609b38d5cad698a9a6249e6a7b6708754913dde2008

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
efe0ffed7b169a56e4a1182c5ba98e36

SHA1
ac0053a44ca920f328eea7ac0b0ac4bbf72d5877

SHA256
197e94abc94b6361a9d8b42596b218a3b74c4a5619db21ae4f4873b645216d35

SHA512
97ed59371ebe85b98622949535ad983b6c5354049e389aa48cbdd3b587a257c0dc53fca5befb3927f629b609b38d5cad698a9a6249e6a7b6708754913dde2008

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
efe0ffed7b169a56e4a1182c5ba98e36

SHA1
ac0053a44ca920f328eea7ac0b0ac4bbf72d5877

SHA256
197e94abc94b6361a9d8b42596b218a3b74c4a5619db21ae4f4873b645216d35

SHA512
97ed59371ebe85b98622949535ad983b6c5354049e389aa48cbdd3b587a257c0dc53fca5befb3927f629b609b38d5cad698a9a6249e6a7b6708754913dde2008

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
efe0ffed7b169a56e4a1182c5ba98e36

SHA1
ac0053a44ca920f328eea7ac0b0ac4bbf72d5877

SHA256
197e94abc94b6361a9d8b42596b218a3b74c4a5619db21ae4f4873b645216d35

SHA512
97ed59371ebe85b98622949535ad983b6c5354049e389aa48cbdd3b587a257c0dc53fca5befb3927f629b609b38d5cad698a9a6249e6a7b6708754913dde2008

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
efe0ffed7b169a56e4a1182c5ba98e36

SHA1
ac0053a44ca920f328eea7ac0b0ac4bbf72d5877

SHA256
197e94abc94b6361a9d8b42596b218a3b74c4a5619db21ae4f4873b645216d35

SHA512
97ed59371ebe85b98622949535ad983b6c5354049e389aa48cbdd3b587a257c0dc53fca5befb3927f629b609b38d5cad698a9a6249e6a7b6708754913dde2008

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
efe0ffed7b169a56e4a1182c5ba98e36

SHA1
ac0053a44ca920f328eea7ac0b0ac4bbf72d5877

SHA256
197e94abc94b6361a9d8b42596b218a3b74c4a5619db21ae4f4873b645216d35

SHA512
97ed59371ebe85b98622949535ad983b6c5354049e389aa48cbdd3b587a257c0dc53fca5befb3927f629b609b38d5cad698a9a6249e6a7b6708754913dde2008

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
1d44397a8f9b51e64945a22fe909126b

SHA1
aad9073a975d9a2786b7e4befd011dcccc7a5513

SHA256
5c0732f4f8f28bc649ce21e089dd22cef6d6fd99f8bd5070fe9f06549427a8fb

SHA512
25bdd8a0d6df87796f8a5b76754b2e241e2823fd4f7627d4d77c827c4293d52a14df30e34b504a90ea22334a19c08c0a529a11493bca78135dec1051393b1f07

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
1d44397a8f9b51e64945a22fe909126b

SHA1
aad9073a975d9a2786b7e4befd011dcccc7a5513

SHA256
5c0732f4f8f28bc649ce21e089dd22cef6d6fd99f8bd5070fe9f06549427a8fb

SHA512
25bdd8a0d6df87796f8a5b76754b2e241e2823fd4f7627d4d77c827c4293d52a14df30e34b504a90ea22334a19c08c0a529a11493bca78135dec1051393b1f07

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
1d44397a8f9b51e64945a22fe909126b

SHA1
aad9073a975d9a2786b7e4befd011dcccc7a5513

SHA256
5c0732f4f8f28bc649ce21e089dd22cef6d6fd99f8bd5070fe9f06549427a8fb

SHA512
25bdd8a0d6df87796f8a5b76754b2e241e2823fd4f7627d4d77c827c4293d52a14df30e34b504a90ea22334a19c08c0a529a11493bca78135dec1051393b1f07

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
1d44397a8f9b51e64945a22fe909126b

SHA1
aad9073a975d9a2786b7e4befd011dcccc7a5513

SHA256
5c0732f4f8f28bc649ce21e089dd22cef6d6fd99f8bd5070fe9f06549427a8fb

SHA512
25bdd8a0d6df87796f8a5b76754b2e241e2823fd4f7627d4d77c827c4293d52a14df30e34b504a90ea22334a19c08c0a529a11493bca78135dec1051393b1f07

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
1d44397a8f9b51e64945a22fe909126b

SHA1
aad9073a975d9a2786b7e4befd011dcccc7a5513

SHA256
5c0732f4f8f28bc649ce21e089dd22cef6d6fd99f8bd5070fe9f06549427a8fb

SHA512
25bdd8a0d6df87796f8a5b76754b2e241e2823fd4f7627d4d77c827c4293d52a14df30e34b504a90ea22334a19c08c0a529a11493bca78135dec1051393b1f07

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
1d44397a8f9b51e64945a22fe909126b

SHA1
aad9073a975d9a2786b7e4befd011dcccc7a5513

SHA256
5c0732f4f8f28bc649ce21e089dd22cef6d6fd99f8bd5070fe9f06549427a8fb

SHA512
25bdd8a0d6df87796f8a5b76754b2e241e2823fd4f7627d4d77c827c4293d52a14df30e34b504a90ea22334a19c08c0a529a11493bca78135dec1051393b1f07

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
1d44397a8f9b51e64945a22fe909126b

SHA1
aad9073a975d9a2786b7e4befd011dcccc7a5513

SHA256
5c0732f4f8f28bc649ce21e089dd22cef6d6fd99f8bd5070fe9f06549427a8fb

SHA512
25bdd8a0d6df87796f8a5b76754b2e241e2823fd4f7627d4d77c827c4293d52a14df30e34b504a90ea22334a19c08c0a529a11493bca78135dec1051393b1f07

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
1d44397a8f9b51e64945a22fe909126b

SHA1
aad9073a975d9a2786b7e4befd011dcccc7a5513

SHA256
5c0732f4f8f28bc649ce21e089dd22cef6d6fd99f8bd5070fe9f06549427a8fb

SHA512
25bdd8a0d6df87796f8a5b76754b2e241e2823fd4f7627d4d77c827c4293d52a14df30e34b504a90ea22334a19c08c0a529a11493bca78135dec1051393b1f07

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
1d44397a8f9b51e64945a22fe909126b

SHA1
aad9073a975d9a2786b7e4befd011dcccc7a5513

SHA256
5c0732f4f8f28bc649ce21e089dd22cef6d6fd99f8bd5070fe9f06549427a8fb

SHA512
25bdd8a0d6df87796f8a5b76754b2e241e2823fd4f7627d4d77c827c4293d52a14df30e34b504a90ea22334a19c08c0a529a11493bca78135dec1051393b1f07

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
1d44397a8f9b51e64945a22fe909126b

SHA1
aad9073a975d9a2786b7e4befd011dcccc7a5513

SHA256
5c0732f4f8f28bc649ce21e089dd22cef6d6fd99f8bd5070fe9f06549427a8fb

SHA512
25bdd8a0d6df87796f8a5b76754b2e241e2823fd4f7627d4d77c827c4293d52a14df30e34b504a90ea22334a19c08c0a529a11493bca78135dec1051393b1f07

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
1d44397a8f9b51e64945a22fe909126b

SHA1
aad9073a975d9a2786b7e4befd011dcccc7a5513

SHA256
5c0732f4f8f28bc649ce21e089dd22cef6d6fd99f8bd5070fe9f06549427a8fb

SHA512
25bdd8a0d6df87796f8a5b76754b2e241e2823fd4f7627d4d77c827c4293d52a14df30e34b504a90ea22334a19c08c0a529a11493bca78135dec1051393b1f07

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
1d44397a8f9b51e64945a22fe909126b

SHA1
aad9073a975d9a2786b7e4befd011dcccc7a5513

SHA256
5c0732f4f8f28bc649ce21e089dd22cef6d6fd99f8bd5070fe9f06549427a8fb

SHA512
25bdd8a0d6df87796f8a5b76754b2e241e2823fd4f7627d4d77c827c4293d52a14df30e34b504a90ea22334a19c08c0a529a11493bca78135dec1051393b1f07

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

Filesize
72KB

MD5
1d44397a8f9b51e64945a22fe909126b

SHA1
aad9073a975d9a2786b7e4befd011dcccc7a5513

SHA256
5c0732f4f8f28bc649ce21e089dd22cef6d6fd99f8bd5070fe9f06549427a8fb

SHA512
25bdd8a0d6df87796f8a5b76754b2e241e2823fd4f7627d4d77c827c4293d52a14df30e34b504a90ea22334a19c08c0a529a11493bca78135dec1051393b1f07

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

Filesize
72KB

MD5
1d44397a8f9b51e64945a22fe909126b

SHA1
aad9073a975d9a2786b7e4befd011dcccc7a5513

SHA256
5c0732f4f8f28bc649ce21e089dd22cef6d6fd99f8bd5070fe9f06549427a8fb

SHA512
25bdd8a0d6df87796f8a5b76754b2e241e2823fd4f7627d4d77c827c4293d52a14df30e34b504a90ea22334a19c08c0a529a11493bca78135dec1051393b1f07

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
8617c488670fbc0e281e676fc35be7a8

SHA1
d9a458c1afe13a467664ab6d6cf6ec88f4f1cf69

SHA256
d3b3e1dee18e8bb1807e0b02717a827334fc06566c9d5cf6b101e9da10f55225

SHA512
7683b0d5a8b223d14f524e3570d957bb100953d2dec4daa21c0c27faefce3f2ef6cfd664e36cac51ac8c603979d547923f5c9752eba5f7df2a4c9c8d9c5dc188

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
8617c488670fbc0e281e676fc35be7a8

SHA1
d9a458c1afe13a467664ab6d6cf6ec88f4f1cf69

SHA256
d3b3e1dee18e8bb1807e0b02717a827334fc06566c9d5cf6b101e9da10f55225

SHA512
7683b0d5a8b223d14f524e3570d957bb100953d2dec4daa21c0c27faefce3f2ef6cfd664e36cac51ac8c603979d547923f5c9752eba5f7df2a4c9c8d9c5dc188

Download Submit
C:\Users\Admin\AppData\Local\Temp\3388051835\backup.exe

Filesize
72KB

MD5
beb4ef758731935e886554162164b540

SHA1
a2c15c0988f671098a84a7ae2b46e7f2702b80f4

SHA256
5ef228efcc97dcb745616521a6ea62af105a22aa7b3ba9c13efcef730d27220f

SHA512
8db3626bc34c5a3ea5940d0c230702f1b0951c1c5beb42622ba9016ef65108e15e990a736929291aacee4e1b01eae1e7196cf53b4ed005f4baec2346f81b07b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3388051835\backup.exe

Filesize
72KB

MD5
beb4ef758731935e886554162164b540

SHA1
a2c15c0988f671098a84a7ae2b46e7f2702b80f4

SHA256
5ef228efcc97dcb745616521a6ea62af105a22aa7b3ba9c13efcef730d27220f

SHA512
8db3626bc34c5a3ea5940d0c230702f1b0951c1c5beb42622ba9016ef65108e15e990a736929291aacee4e1b01eae1e7196cf53b4ed005f4baec2346f81b07b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
beb4ef758731935e886554162164b540

SHA1
a2c15c0988f671098a84a7ae2b46e7f2702b80f4

SHA256
5ef228efcc97dcb745616521a6ea62af105a22aa7b3ba9c13efcef730d27220f

SHA512
8db3626bc34c5a3ea5940d0c230702f1b0951c1c5beb42622ba9016ef65108e15e990a736929291aacee4e1b01eae1e7196cf53b4ed005f4baec2346f81b07b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
beb4ef758731935e886554162164b540

SHA1
a2c15c0988f671098a84a7ae2b46e7f2702b80f4

SHA256
5ef228efcc97dcb745616521a6ea62af105a22aa7b3ba9c13efcef730d27220f

SHA512
8db3626bc34c5a3ea5940d0c230702f1b0951c1c5beb42622ba9016ef65108e15e990a736929291aacee4e1b01eae1e7196cf53b4ed005f4baec2346f81b07b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
beb4ef758731935e886554162164b540

SHA1
a2c15c0988f671098a84a7ae2b46e7f2702b80f4

SHA256
5ef228efcc97dcb745616521a6ea62af105a22aa7b3ba9c13efcef730d27220f

SHA512
8db3626bc34c5a3ea5940d0c230702f1b0951c1c5beb42622ba9016ef65108e15e990a736929291aacee4e1b01eae1e7196cf53b4ed005f4baec2346f81b07b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
beb4ef758731935e886554162164b540

SHA1
a2c15c0988f671098a84a7ae2b46e7f2702b80f4

SHA256
5ef228efcc97dcb745616521a6ea62af105a22aa7b3ba9c13efcef730d27220f

SHA512
8db3626bc34c5a3ea5940d0c230702f1b0951c1c5beb42622ba9016ef65108e15e990a736929291aacee4e1b01eae1e7196cf53b4ed005f4baec2346f81b07b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4314172aa1b6470ea24f6bf00854a7c8

SHA1
83ed92807858740b4626816099f1549d12d78cae

SHA256
5aa826377612eb127073331797f2d283374b957b77bdbf0885a35d8c6882c5d5

SHA512
98a414c3bd035fad0983a550d3c91420adfd28fb25066cc1dd7881e151340d6bff8a62a5f9bb2dac42826f9f3475a2a27f4782d5fc31fcfc9924182e0de0ac44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4314172aa1b6470ea24f6bf00854a7c8

SHA1
83ed92807858740b4626816099f1549d12d78cae

SHA256
5aa826377612eb127073331797f2d283374b957b77bdbf0885a35d8c6882c5d5

SHA512
98a414c3bd035fad0983a550d3c91420adfd28fb25066cc1dd7881e151340d6bff8a62a5f9bb2dac42826f9f3475a2a27f4782d5fc31fcfc9924182e0de0ac44

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
beb4ef758731935e886554162164b540

SHA1
a2c15c0988f671098a84a7ae2b46e7f2702b80f4

SHA256
5ef228efcc97dcb745616521a6ea62af105a22aa7b3ba9c13efcef730d27220f

SHA512
8db3626bc34c5a3ea5940d0c230702f1b0951c1c5beb42622ba9016ef65108e15e990a736929291aacee4e1b01eae1e7196cf53b4ed005f4baec2346f81b07b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
beb4ef758731935e886554162164b540

SHA1
a2c15c0988f671098a84a7ae2b46e7f2702b80f4

SHA256
5ef228efcc97dcb745616521a6ea62af105a22aa7b3ba9c13efcef730d27220f

SHA512
8db3626bc34c5a3ea5940d0c230702f1b0951c1c5beb42622ba9016ef65108e15e990a736929291aacee4e1b01eae1e7196cf53b4ed005f4baec2346f81b07b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
beb4ef758731935e886554162164b540

SHA1
a2c15c0988f671098a84a7ae2b46e7f2702b80f4

SHA256
5ef228efcc97dcb745616521a6ea62af105a22aa7b3ba9c13efcef730d27220f

SHA512
8db3626bc34c5a3ea5940d0c230702f1b0951c1c5beb42622ba9016ef65108e15e990a736929291aacee4e1b01eae1e7196cf53b4ed005f4baec2346f81b07b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
beb4ef758731935e886554162164b540

SHA1
a2c15c0988f671098a84a7ae2b46e7f2702b80f4

SHA256
5ef228efcc97dcb745616521a6ea62af105a22aa7b3ba9c13efcef730d27220f

SHA512
8db3626bc34c5a3ea5940d0c230702f1b0951c1c5beb42622ba9016ef65108e15e990a736929291aacee4e1b01eae1e7196cf53b4ed005f4baec2346f81b07b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
4314172aa1b6470ea24f6bf00854a7c8

SHA1
83ed92807858740b4626816099f1549d12d78cae

SHA256
5aa826377612eb127073331797f2d283374b957b77bdbf0885a35d8c6882c5d5

SHA512
98a414c3bd035fad0983a550d3c91420adfd28fb25066cc1dd7881e151340d6bff8a62a5f9bb2dac42826f9f3475a2a27f4782d5fc31fcfc9924182e0de0ac44

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
4314172aa1b6470ea24f6bf00854a7c8

SHA1
83ed92807858740b4626816099f1549d12d78cae

SHA256
5aa826377612eb127073331797f2d283374b957b77bdbf0885a35d8c6882c5d5

SHA512
98a414c3bd035fad0983a550d3c91420adfd28fb25066cc1dd7881e151340d6bff8a62a5f9bb2dac42826f9f3475a2a27f4782d5fc31fcfc9924182e0de0ac44

Download Submit
C:\backup.exe

Filesize
72KB

MD5
68cd7a96fa64542ceb15b339da5715ec

SHA1
eed76033f5b42b0e6082f42b9288a38f08ca0372

SHA256
765f0bac03e0eec5a4ae12c3a42205745a3a9e5d114323582ade58cd83736eb4

SHA512
91ebb65d591f27d7796350fc5154ac3b46d5f4dbbd0e4f51df6f359770333e4255aa739f7ded6035f829188685d89825acc75e075773f5ce082452cdc6ae5de4

Download Submit
C:\backup.exe

Filesize
72KB

MD5
68cd7a96fa64542ceb15b339da5715ec

SHA1
eed76033f5b42b0e6082f42b9288a38f08ca0372

SHA256
765f0bac03e0eec5a4ae12c3a42205745a3a9e5d114323582ade58cd83736eb4

SHA512
91ebb65d591f27d7796350fc5154ac3b46d5f4dbbd0e4f51df6f359770333e4255aa739f7ded6035f829188685d89825acc75e075773f5ce082452cdc6ae5de4

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
8617c488670fbc0e281e676fc35be7a8

SHA1
d9a458c1afe13a467664ab6d6cf6ec88f4f1cf69

SHA256
d3b3e1dee18e8bb1807e0b02717a827334fc06566c9d5cf6b101e9da10f55225

SHA512
7683b0d5a8b223d14f524e3570d957bb100953d2dec4daa21c0c27faefce3f2ef6cfd664e36cac51ac8c603979d547923f5c9752eba5f7df2a4c9c8d9c5dc188

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
8617c488670fbc0e281e676fc35be7a8

SHA1
d9a458c1afe13a467664ab6d6cf6ec88f4f1cf69

SHA256
d3b3e1dee18e8bb1807e0b02717a827334fc06566c9d5cf6b101e9da10f55225

SHA512
7683b0d5a8b223d14f524e3570d957bb100953d2dec4daa21c0c27faefce3f2ef6cfd664e36cac51ac8c603979d547923f5c9752eba5f7df2a4c9c8d9c5dc188

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads