d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1

Analysis

max time kernel
163s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 13:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe
Size

72KB
MD5

0995e428e63b1b55b1133f8088f522ba
SHA1

580d71496198f2f809974366c1649017b45198c9
SHA256

d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1
SHA512

7ef341271f3e7f894cb432a22636a1689a697d1ad9b24ed8d79af0a2d03cdb384f1e083091a3faae0c9192903c158354d301b37c3518936186603dd0fdfd1392
SSDEEP

768:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPhW:ieTce/U/hKYuKPhW

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
4924	backup.exe
764	backup.exe
3640	backup.exe
3728	backup.exe
3448	backup.exe
908	backup.exe
4768	data.exe
3368	backup.exe
1924	backup.exe
384	backup.exe
4220	backup.exe
1908	backup.exe
4032	backup.exe
1008	backup.exe
3128	backup.exe
4436	backup.exe
1440	backup.exe
5064	backup.exe
4088	data.exe
1684	backup.exe
3764	backup.exe
4868	backup.exe
364	backup.exe
3032	backup.exe
396	backup.exe
2676	backup.exe
4080	backup.exe
1724	backup.exe
1268	update.exe
4688	backup.exe
3136	backup.exe
1264	update.exe
4764	backup.exe
1416	backup.exe
4292	backup.exe
4348	backup.exe
2224	backup.exe
540	backup.exe
3556	backup.exe
4068	backup.exe
3004	backup.exe
3172	backup.exe
4536	backup.exe
2292	backup.exe
3496	backup.exe
4912	backup.exe
3600	backup.exe
3916	backup.exe
3540	backup.exe
3116	backup.exe
1848	backup.exe
3640	backup.exe
892	backup.exe
2688	backup.exe
4564	backup.exe
696	backup.exe
1356	backup.exe
1608	backup.exe
3616	backup.exe
3584	backup.exe
552	backup.exe
4876	System Restore.exe
1420	backup.exe
364	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\data.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\data.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe
4924	backup.exe
764	backup.exe
3640	backup.exe
3728	backup.exe
3448	backup.exe
908	backup.exe
4768	data.exe
3368	backup.exe
1924	backup.exe
384	backup.exe
4220	backup.exe
1908	backup.exe
4032	backup.exe
1008	backup.exe
3128	backup.exe
4436	backup.exe
1440	backup.exe
5064	backup.exe
4088	data.exe
1684	backup.exe
3764	backup.exe
4868	backup.exe
364	backup.exe
3032	backup.exe
396	backup.exe
2676	backup.exe
4080	backup.exe
1724	backup.exe
1268	update.exe
4688	backup.exe
3136	backup.exe
1264	update.exe
4764	backup.exe
1416	backup.exe
4292	backup.exe
4348	backup.exe
2224	backup.exe
540	backup.exe
3556	backup.exe
4068	backup.exe
3004	backup.exe
3172	backup.exe
4912	backup.exe
3496	backup.exe
2292	backup.exe
4536	backup.exe
3916	backup.exe
3640	backup.exe
1848	backup.exe
3116	backup.exe
3600	backup.exe
3540	backup.exe
892	backup.exe
2688	backup.exe
696	backup.exe
1356	backup.exe
1608	backup.exe
4564	backup.exe
552	backup.exe
4876	System Restore.exe
3584	backup.exe
3616	backup.exe
1420	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 4924	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	83
PID 5024 wrote to memory of 4924	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	83
PID 5024 wrote to memory of 4924	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	83
PID 5024 wrote to memory of 764	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	84
PID 5024 wrote to memory of 764	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	84
PID 5024 wrote to memory of 764	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	84
PID 5024 wrote to memory of 3640	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	85
PID 5024 wrote to memory of 3640	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	85
PID 5024 wrote to memory of 3640	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	85
PID 5024 wrote to memory of 3728	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	86
PID 5024 wrote to memory of 3728	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	86
PID 5024 wrote to memory of 3728	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	86
PID 5024 wrote to memory of 3448	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	87
PID 5024 wrote to memory of 3448	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	87
PID 5024 wrote to memory of 3448	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	87
PID 4924 wrote to memory of 908	4924	backup.exe	88
PID 4924 wrote to memory of 908	4924	backup.exe	88
PID 4924 wrote to memory of 908	4924	backup.exe	88
PID 5024 wrote to memory of 4768	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	89
PID 5024 wrote to memory of 4768	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	89
PID 5024 wrote to memory of 4768	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	89
PID 908 wrote to memory of 3368	908	backup.exe	90
PID 908 wrote to memory of 3368	908	backup.exe	90
PID 908 wrote to memory of 3368	908	backup.exe	90
PID 5024 wrote to memory of 1924	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	91
PID 5024 wrote to memory of 1924	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	91
PID 5024 wrote to memory of 1924	5024	d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe	91
PID 908 wrote to memory of 384	908	backup.exe	92
PID 908 wrote to memory of 384	908	backup.exe	92
PID 908 wrote to memory of 384	908	backup.exe	92
PID 908 wrote to memory of 4220	908	backup.exe	93
PID 908 wrote to memory of 4220	908	backup.exe	93
PID 908 wrote to memory of 4220	908	backup.exe	93
PID 4220 wrote to memory of 1908	4220	backup.exe	94
PID 4220 wrote to memory of 1908	4220	backup.exe	94
PID 4220 wrote to memory of 1908	4220	backup.exe	94
PID 1908 wrote to memory of 4032	1908	backup.exe	95
PID 1908 wrote to memory of 4032	1908	backup.exe	95
PID 1908 wrote to memory of 4032	1908	backup.exe	95
PID 4220 wrote to memory of 1008	4220	backup.exe	96
PID 4220 wrote to memory of 1008	4220	backup.exe	96
PID 4220 wrote to memory of 1008	4220	backup.exe	96
PID 1008 wrote to memory of 3128	1008	backup.exe	97
PID 1008 wrote to memory of 3128	1008	backup.exe	97
PID 1008 wrote to memory of 3128	1008	backup.exe	97
PID 1008 wrote to memory of 4436	1008	backup.exe	98
PID 1008 wrote to memory of 4436	1008	backup.exe	98
PID 1008 wrote to memory of 4436	1008	backup.exe	98
PID 4436 wrote to memory of 1440	4436	backup.exe	99
PID 4436 wrote to memory of 1440	4436	backup.exe	99
PID 4436 wrote to memory of 1440	4436	backup.exe	99
PID 4436 wrote to memory of 5064	4436	backup.exe	100
PID 4436 wrote to memory of 5064	4436	backup.exe	100
PID 4436 wrote to memory of 5064	4436	backup.exe	100
PID 5064 wrote to memory of 4088	5064	backup.exe	101
PID 5064 wrote to memory of 4088	5064	backup.exe	101
PID 5064 wrote to memory of 4088	5064	backup.exe	101
PID 5064 wrote to memory of 1684	5064	backup.exe	102
PID 5064 wrote to memory of 1684	5064	backup.exe	102
PID 5064 wrote to memory of 1684	5064	backup.exe	102
PID 5064 wrote to memory of 3764	5064	backup.exe	103
PID 5064 wrote to memory of 3764	5064	backup.exe	103
PID 5064 wrote to memory of 3764	5064	backup.exe	103
PID 5064 wrote to memory of 4868	5064	backup.exe	104

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe
"C:\Users\Admin\AppData\Local\Temp\d0f4c1d268baffe573ce2a969d66eadd6e1cbbe2d0b1eace8122e2949af077f1.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\4182239927\backup.exe
  C:\Users\Admin\AppData\Local\Temp\4182239927\backup.exe C:\Users\Admin\AppData\Local\Temp\4182239927\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4924
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3368
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:384
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1908
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4032
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1008
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3128
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\data.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4088
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1684
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3764
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4868
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:364
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3032
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:396
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4080
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1724
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1268
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4688
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3136
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4764
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1416
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4292
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4348
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:540
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3556
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4536
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3916
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:696
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3600
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4564
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Disables RegEdit via registry modification
        
        PID:944
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:1688
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:4128
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4612
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        
        PID:1316
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4216
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        
        PID:3448
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        System policy modification
        
        PID:4696
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        System policy modification
        
        PID:4364
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:856
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        
        PID:2280
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:3656
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4912
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3584
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1068
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        System policy modification
        
        PID:2380
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5084
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2948
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3328
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:556
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1192
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2380
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4892
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1632
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1064
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:4884
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3172
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3116
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3616
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1500
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1264
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2732
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3432
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        System policy modification
        
        PID:732
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3584
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4928
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:3760
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:3280
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:4724
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4672
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4064
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        System policy modification
        
        PID:3144
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3064
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:3852
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3540
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3232
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:3136
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:4132
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        10⤵
        Drops file in Program Files directory
        
        PID:2404
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        11⤵
        
        PID:1996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        11⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4516
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:3144
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:2688
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:364
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3136
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        System policy modification
        
        PID:4704
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3984
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1552
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:1660
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1612
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3496
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2688
      - C:\Program Files\Internet Explorer\en-US\System Restore.exe
        
        "C:\Program Files\Internet Explorer\en-US\System Restore.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4876
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        System policy modification
        
        PID:2704
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4296
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1656
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:440
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:240
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        System policy modification
        
        PID:2636
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:636
      - C:\Program Files\Java\jdk1.8.0_66\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\update.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4888
        
        C:\Program Files\Java\jdk1.8.0_66\bin\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\data.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:2272
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Drops file in Program Files directory
        
        PID:5004
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        
        PID:1152
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        
        PID:4316
        
        C:\Program Files\Java\jdk1.8.0_66\include\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\data.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3588
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        
        PID:824
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:4068
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3640
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3224
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Drops file in Program Files directory
        
        PID:3316
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1432
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:4412
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:4516
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        System policy modification
        
        PID:3492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        System policy modification
        
        PID:2304
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2128
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        System policy modification
        
        PID:2504
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:2152
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:4792
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:4052
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Drops file in Program Files directory
        
        PID:2148
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4764
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3768
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4132
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3556
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:3916
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Drops file in Program Files directory
        
        PID:2364
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4616
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1840
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:1636
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:1908
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:3156
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1848
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2668
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2304
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3912
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:676
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        System policy modification
        
        PID:4020
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:3692
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2644
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4952
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1380
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4088
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:544
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:3540
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1324
      - C:\Users\Public\Documents\update.exe
        
        C:\Users\Public\Documents\update.exe C:\Users\Public\Documents\
        6⤵
        
        PID:3516
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:940
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:452
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2972
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:1492
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Windows directory
      PID:4772
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        System policy modification
        
        PID:1200
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:3404
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:1012
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3740
      - C:\Windows\appcompat\encapsulation\data.exe
        
        C:\Windows\appcompat\encapsulation\data.exe C:\Windows\appcompat\encapsulation\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4708
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3736
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        
        PID:380
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:764
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3640
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3728
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3448
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4768
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
9b6446501765022c16111671d726860f

SHA1
e37f22f8856f40f6cbae771ea0a22e34e4eb6a04

SHA256
0c8eb11870c01a9d8243846488973fdd1da5145075fb8f5ccadfe417aebcc205

SHA512
5f1561edd69e893842925498359f28b2a5f042e751a502e0e0c0aa79f59ad2d1474c8fe83d1ddbbd0523db243f2fa6c3120ab3c2a6cf244cb86c22248e86a71b

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
9b6446501765022c16111671d726860f

SHA1
e37f22f8856f40f6cbae771ea0a22e34e4eb6a04

SHA256
0c8eb11870c01a9d8243846488973fdd1da5145075fb8f5ccadfe417aebcc205

SHA512
5f1561edd69e893842925498359f28b2a5f042e751a502e0e0c0aa79f59ad2d1474c8fe83d1ddbbd0523db243f2fa6c3120ab3c2a6cf244cb86c22248e86a71b

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
71acc4a6f1b73fd741c51185a47a0d18

SHA1
77e7c8ea47c34299b4b5dae347617ef9b8c310a1

SHA256
daa7802f4f6c5afd1670057b6eccdb11527089985522aa63c2e0ec21871a6e58

SHA512
59cd98172e9cf17d635ecaeee478ce9e6f104acb5be3162faa218f203f61031eb6ec33196834800dc450290dd97bab2f61a0bdf258c56d59b00b0bd8124a49d0

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
71acc4a6f1b73fd741c51185a47a0d18

SHA1
77e7c8ea47c34299b4b5dae347617ef9b8c310a1

SHA256
daa7802f4f6c5afd1670057b6eccdb11527089985522aa63c2e0ec21871a6e58

SHA512
59cd98172e9cf17d635ecaeee478ce9e6f104acb5be3162faa218f203f61031eb6ec33196834800dc450290dd97bab2f61a0bdf258c56d59b00b0bd8124a49d0

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6e06d7b9e89c511a745d3702d2779f8f

SHA1
201212bd839f86c8fed59c15c4d130ebb924f737

SHA256
4de06e8f886a15222c4b75696e46ce87d6ca58ad3e59ace3bd8f593d8a6ef301

SHA512
862359fca673dbdc3937d4461da8a33fd5b0a3b19bd6a2298a91bb069ad6574b015129c3303befe054cba5df8b7eb31e6941b2e4554982a7065b81f17dd0137c

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6e06d7b9e89c511a745d3702d2779f8f

SHA1
201212bd839f86c8fed59c15c4d130ebb924f737

SHA256
4de06e8f886a15222c4b75696e46ce87d6ca58ad3e59ace3bd8f593d8a6ef301

SHA512
862359fca673dbdc3937d4461da8a33fd5b0a3b19bd6a2298a91bb069ad6574b015129c3303befe054cba5df8b7eb31e6941b2e4554982a7065b81f17dd0137c

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
5826e8363583d182a208327774cb6def

SHA1
de103b4d042d760c4196a5331d1be947755d073b

SHA256
14f24512e69a4b3e2e3cbde74b5b5810cb9d530086541d059e64215d5ea7d377

SHA512
542ea6f625607f942f2475c79e430034f4a60d3227e5cb52bfbe4186fec166d191c3f537b8d34ec156012f6931e01d2f04399ebbab8d2bd1f558e4360d9cc33b

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
5826e8363583d182a208327774cb6def

SHA1
de103b4d042d760c4196a5331d1be947755d073b

SHA256
14f24512e69a4b3e2e3cbde74b5b5810cb9d530086541d059e64215d5ea7d377

SHA512
542ea6f625607f942f2475c79e430034f4a60d3227e5cb52bfbe4186fec166d191c3f537b8d34ec156012f6931e01d2f04399ebbab8d2bd1f558e4360d9cc33b

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
371734d84cb914bab6875abf02632797

SHA1
84f07e121016c8be67f28ae68aaf4b77bb7bfed9

SHA256
9dba6d8cd51b3bda18bbf7be6a004edd7d5f0181115b8b1f9bc5357bb4e0421e

SHA512
a6037211ba09faf72dfe564fd4fdcc8414f84b1ef83cb28dc0f4badc9012a18dc164b9dd02fc3dc7a1ffdea2db5779341e3caf253f2649177c03df06ea9eadc6

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
371734d84cb914bab6875abf02632797

SHA1
84f07e121016c8be67f28ae68aaf4b77bb7bfed9

SHA256
9dba6d8cd51b3bda18bbf7be6a004edd7d5f0181115b8b1f9bc5357bb4e0421e

SHA512
a6037211ba09faf72dfe564fd4fdcc8414f84b1ef83cb28dc0f4badc9012a18dc164b9dd02fc3dc7a1ffdea2db5779341e3caf253f2649177c03df06ea9eadc6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
21952c87d5e3525d11c220e787be7e63

SHA1
d76955957ad4565f9d8ec97fff29cadaa9997f40

SHA256
669aa74eab1855f4666cbc94eab556e774c92f746b76cd4b84f3497d3c655dce

SHA512
5409c6f0799f7399ca33ab201afb32d52b35c969675fa9e324adb9b66fcd16d7ec018bf7fd098c4c51c81f2a003ba1b18e8e91fcde28327443fa7779a4755f74

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
21952c87d5e3525d11c220e787be7e63

SHA1
d76955957ad4565f9d8ec97fff29cadaa9997f40

SHA256
669aa74eab1855f4666cbc94eab556e774c92f746b76cd4b84f3497d3c655dce

SHA512
5409c6f0799f7399ca33ab201afb32d52b35c969675fa9e324adb9b66fcd16d7ec018bf7fd098c4c51c81f2a003ba1b18e8e91fcde28327443fa7779a4755f74

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
5826e8363583d182a208327774cb6def

SHA1
de103b4d042d760c4196a5331d1be947755d073b

SHA256
14f24512e69a4b3e2e3cbde74b5b5810cb9d530086541d059e64215d5ea7d377

SHA512
542ea6f625607f942f2475c79e430034f4a60d3227e5cb52bfbe4186fec166d191c3f537b8d34ec156012f6931e01d2f04399ebbab8d2bd1f558e4360d9cc33b

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
5826e8363583d182a208327774cb6def

SHA1
de103b4d042d760c4196a5331d1be947755d073b

SHA256
14f24512e69a4b3e2e3cbde74b5b5810cb9d530086541d059e64215d5ea7d377

SHA512
542ea6f625607f942f2475c79e430034f4a60d3227e5cb52bfbe4186fec166d191c3f537b8d34ec156012f6931e01d2f04399ebbab8d2bd1f558e4360d9cc33b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\data.exe

Filesize
72KB

MD5
e510779e0f49279b245a78b5eae8df63

SHA1
554721378962c4827047840d3ce593e336ecf0c4

SHA256
4fa522da5872c12b6fc1f4f1c37ddddcb35206f1d1abb0ab62abec4f68481d1a

SHA512
c9fd391f77ad58fc97ff78959936edb1dd103a17823975351af51b8490479e5fd760b11fb85e36da623e5c3b3cff93259232490b47b4e96044d4ce073db4d8ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\data.exe

Filesize
72KB

MD5
e510779e0f49279b245a78b5eae8df63

SHA1
554721378962c4827047840d3ce593e336ecf0c4

SHA256
4fa522da5872c12b6fc1f4f1c37ddddcb35206f1d1abb0ab62abec4f68481d1a

SHA512
c9fd391f77ad58fc97ff78959936edb1dd103a17823975351af51b8490479e5fd760b11fb85e36da623e5c3b3cff93259232490b47b4e96044d4ce073db4d8ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
21952c87d5e3525d11c220e787be7e63

SHA1
d76955957ad4565f9d8ec97fff29cadaa9997f40

SHA256
669aa74eab1855f4666cbc94eab556e774c92f746b76cd4b84f3497d3c655dce

SHA512
5409c6f0799f7399ca33ab201afb32d52b35c969675fa9e324adb9b66fcd16d7ec018bf7fd098c4c51c81f2a003ba1b18e8e91fcde28327443fa7779a4755f74

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
21952c87d5e3525d11c220e787be7e63

SHA1
d76955957ad4565f9d8ec97fff29cadaa9997f40

SHA256
669aa74eab1855f4666cbc94eab556e774c92f746b76cd4b84f3497d3c655dce

SHA512
5409c6f0799f7399ca33ab201afb32d52b35c969675fa9e324adb9b66fcd16d7ec018bf7fd098c4c51c81f2a003ba1b18e8e91fcde28327443fa7779a4755f74

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
e510779e0f49279b245a78b5eae8df63

SHA1
554721378962c4827047840d3ce593e336ecf0c4

SHA256
4fa522da5872c12b6fc1f4f1c37ddddcb35206f1d1abb0ab62abec4f68481d1a

SHA512
c9fd391f77ad58fc97ff78959936edb1dd103a17823975351af51b8490479e5fd760b11fb85e36da623e5c3b3cff93259232490b47b4e96044d4ce073db4d8ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
e510779e0f49279b245a78b5eae8df63

SHA1
554721378962c4827047840d3ce593e336ecf0c4

SHA256
4fa522da5872c12b6fc1f4f1c37ddddcb35206f1d1abb0ab62abec4f68481d1a

SHA512
c9fd391f77ad58fc97ff78959936edb1dd103a17823975351af51b8490479e5fd760b11fb85e36da623e5c3b3cff93259232490b47b4e96044d4ce073db4d8ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
e510779e0f49279b245a78b5eae8df63

SHA1
554721378962c4827047840d3ce593e336ecf0c4

SHA256
4fa522da5872c12b6fc1f4f1c37ddddcb35206f1d1abb0ab62abec4f68481d1a

SHA512
c9fd391f77ad58fc97ff78959936edb1dd103a17823975351af51b8490479e5fd760b11fb85e36da623e5c3b3cff93259232490b47b4e96044d4ce073db4d8ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
e510779e0f49279b245a78b5eae8df63

SHA1
554721378962c4827047840d3ce593e336ecf0c4

SHA256
4fa522da5872c12b6fc1f4f1c37ddddcb35206f1d1abb0ab62abec4f68481d1a

SHA512
c9fd391f77ad58fc97ff78959936edb1dd103a17823975351af51b8490479e5fd760b11fb85e36da623e5c3b3cff93259232490b47b4e96044d4ce073db4d8ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
e510779e0f49279b245a78b5eae8df63

SHA1
554721378962c4827047840d3ce593e336ecf0c4

SHA256
4fa522da5872c12b6fc1f4f1c37ddddcb35206f1d1abb0ab62abec4f68481d1a

SHA512
c9fd391f77ad58fc97ff78959936edb1dd103a17823975351af51b8490479e5fd760b11fb85e36da623e5c3b3cff93259232490b47b4e96044d4ce073db4d8ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
e510779e0f49279b245a78b5eae8df63

SHA1
554721378962c4827047840d3ce593e336ecf0c4

SHA256
4fa522da5872c12b6fc1f4f1c37ddddcb35206f1d1abb0ab62abec4f68481d1a

SHA512
c9fd391f77ad58fc97ff78959936edb1dd103a17823975351af51b8490479e5fd760b11fb85e36da623e5c3b3cff93259232490b47b4e96044d4ce073db4d8ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
f694d7f9576d69f26a83e2b47fd25756

SHA1
47c55b2fc55a9dc331edd83ca5a0a657e193cd40

SHA256
83aedeb009a2dc64d3349755e0f16a16e6e33b2c0fb75d41f6cf9b8c34f65f0d

SHA512
979966555ab07ffba7523dad604410a75e819417cd7f489057b0a9bb89a30e980296b8b032d134b67ec5054cb8e734ef083291dbe10572aceaa1e7060e5a2ea8

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
f694d7f9576d69f26a83e2b47fd25756

SHA1
47c55b2fc55a9dc331edd83ca5a0a657e193cd40

SHA256
83aedeb009a2dc64d3349755e0f16a16e6e33b2c0fb75d41f6cf9b8c34f65f0d

SHA512
979966555ab07ffba7523dad604410a75e819417cd7f489057b0a9bb89a30e980296b8b032d134b67ec5054cb8e734ef083291dbe10572aceaa1e7060e5a2ea8

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
f694d7f9576d69f26a83e2b47fd25756

SHA1
47c55b2fc55a9dc331edd83ca5a0a657e193cd40

SHA256
83aedeb009a2dc64d3349755e0f16a16e6e33b2c0fb75d41f6cf9b8c34f65f0d

SHA512
979966555ab07ffba7523dad604410a75e819417cd7f489057b0a9bb89a30e980296b8b032d134b67ec5054cb8e734ef083291dbe10572aceaa1e7060e5a2ea8

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
f694d7f9576d69f26a83e2b47fd25756

SHA1
47c55b2fc55a9dc331edd83ca5a0a657e193cd40

SHA256
83aedeb009a2dc64d3349755e0f16a16e6e33b2c0fb75d41f6cf9b8c34f65f0d

SHA512
979966555ab07ffba7523dad604410a75e819417cd7f489057b0a9bb89a30e980296b8b032d134b67ec5054cb8e734ef083291dbe10572aceaa1e7060e5a2ea8

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
f694d7f9576d69f26a83e2b47fd25756

SHA1
47c55b2fc55a9dc331edd83ca5a0a657e193cd40

SHA256
83aedeb009a2dc64d3349755e0f16a16e6e33b2c0fb75d41f6cf9b8c34f65f0d

SHA512
979966555ab07ffba7523dad604410a75e819417cd7f489057b0a9bb89a30e980296b8b032d134b67ec5054cb8e734ef083291dbe10572aceaa1e7060e5a2ea8

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
f694d7f9576d69f26a83e2b47fd25756

SHA1
47c55b2fc55a9dc331edd83ca5a0a657e193cd40

SHA256
83aedeb009a2dc64d3349755e0f16a16e6e33b2c0fb75d41f6cf9b8c34f65f0d

SHA512
979966555ab07ffba7523dad604410a75e819417cd7f489057b0a9bb89a30e980296b8b032d134b67ec5054cb8e734ef083291dbe10572aceaa1e7060e5a2ea8

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
e2964cf0df22f22d7c81921aa21d2274

SHA1
f60916220b0438e28c991ad267c856d1dd0a78cd

SHA256
ddb84351b1b4c7999e7535a825b56206c3953ea1cd6a761d3321ee78e727e4d9

SHA512
f73441435f5354516946262a0d4bd619c932a3a8f5a0f372e97cab654df60717c7b785afa704074e239c45bf9033a460895416c0c1fdcd8099b5008fe23477c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
e2964cf0df22f22d7c81921aa21d2274

SHA1
f60916220b0438e28c991ad267c856d1dd0a78cd

SHA256
ddb84351b1b4c7999e7535a825b56206c3953ea1cd6a761d3321ee78e727e4d9

SHA512
f73441435f5354516946262a0d4bd619c932a3a8f5a0f372e97cab654df60717c7b785afa704074e239c45bf9033a460895416c0c1fdcd8099b5008fe23477c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
e2964cf0df22f22d7c81921aa21d2274

SHA1
f60916220b0438e28c991ad267c856d1dd0a78cd

SHA256
ddb84351b1b4c7999e7535a825b56206c3953ea1cd6a761d3321ee78e727e4d9

SHA512
f73441435f5354516946262a0d4bd619c932a3a8f5a0f372e97cab654df60717c7b785afa704074e239c45bf9033a460895416c0c1fdcd8099b5008fe23477c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
e2964cf0df22f22d7c81921aa21d2274

SHA1
f60916220b0438e28c991ad267c856d1dd0a78cd

SHA256
ddb84351b1b4c7999e7535a825b56206c3953ea1cd6a761d3321ee78e727e4d9

SHA512
f73441435f5354516946262a0d4bd619c932a3a8f5a0f372e97cab654df60717c7b785afa704074e239c45bf9033a460895416c0c1fdcd8099b5008fe23477c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
e2964cf0df22f22d7c81921aa21d2274

SHA1
f60916220b0438e28c991ad267c856d1dd0a78cd

SHA256
ddb84351b1b4c7999e7535a825b56206c3953ea1cd6a761d3321ee78e727e4d9

SHA512
f73441435f5354516946262a0d4bd619c932a3a8f5a0f372e97cab654df60717c7b785afa704074e239c45bf9033a460895416c0c1fdcd8099b5008fe23477c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
e2964cf0df22f22d7c81921aa21d2274

SHA1
f60916220b0438e28c991ad267c856d1dd0a78cd

SHA256
ddb84351b1b4c7999e7535a825b56206c3953ea1cd6a761d3321ee78e727e4d9

SHA512
f73441435f5354516946262a0d4bd619c932a3a8f5a0f372e97cab654df60717c7b785afa704074e239c45bf9033a460895416c0c1fdcd8099b5008fe23477c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe

Filesize
72KB

MD5
a7a71d204f92b326a8c73a420a6ce1ed

SHA1
2e8c85a5167af9d811c718aeea2c5c470fa19290

SHA256
7c7fd524675b61af27ed95f413010bbfba0286974dceca5938bc57b9045659d1

SHA512
23dcf9ff55da5f0470b02b1e542eeabb6799c708fdfec930a929c13b6ba2c07c4f0f6fb41913e512356d229667e80aaea3c3077ee376f91a4d2426af6f98219c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe

Filesize
72KB

MD5
a7a71d204f92b326a8c73a420a6ce1ed

SHA1
2e8c85a5167af9d811c718aeea2c5c470fa19290

SHA256
7c7fd524675b61af27ed95f413010bbfba0286974dceca5938bc57b9045659d1

SHA512
23dcf9ff55da5f0470b02b1e542eeabb6799c708fdfec930a929c13b6ba2c07c4f0f6fb41913e512356d229667e80aaea3c3077ee376f91a4d2426af6f98219c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
a7a71d204f92b326a8c73a420a6ce1ed

SHA1
2e8c85a5167af9d811c718aeea2c5c470fa19290

SHA256
7c7fd524675b61af27ed95f413010bbfba0286974dceca5938bc57b9045659d1

SHA512
23dcf9ff55da5f0470b02b1e542eeabb6799c708fdfec930a929c13b6ba2c07c4f0f6fb41913e512356d229667e80aaea3c3077ee376f91a4d2426af6f98219c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
a7a71d204f92b326a8c73a420a6ce1ed

SHA1
2e8c85a5167af9d811c718aeea2c5c470fa19290

SHA256
7c7fd524675b61af27ed95f413010bbfba0286974dceca5938bc57b9045659d1

SHA512
23dcf9ff55da5f0470b02b1e542eeabb6799c708fdfec930a929c13b6ba2c07c4f0f6fb41913e512356d229667e80aaea3c3077ee376f91a4d2426af6f98219c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
a7a71d204f92b326a8c73a420a6ce1ed

SHA1
2e8c85a5167af9d811c718aeea2c5c470fa19290

SHA256
7c7fd524675b61af27ed95f413010bbfba0286974dceca5938bc57b9045659d1

SHA512
23dcf9ff55da5f0470b02b1e542eeabb6799c708fdfec930a929c13b6ba2c07c4f0f6fb41913e512356d229667e80aaea3c3077ee376f91a4d2426af6f98219c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
a7a71d204f92b326a8c73a420a6ce1ed

SHA1
2e8c85a5167af9d811c718aeea2c5c470fa19290

SHA256
7c7fd524675b61af27ed95f413010bbfba0286974dceca5938bc57b9045659d1

SHA512
23dcf9ff55da5f0470b02b1e542eeabb6799c708fdfec930a929c13b6ba2c07c4f0f6fb41913e512356d229667e80aaea3c3077ee376f91a4d2426af6f98219c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe

Filesize
72KB

MD5
a7a71d204f92b326a8c73a420a6ce1ed

SHA1
2e8c85a5167af9d811c718aeea2c5c470fa19290

SHA256
7c7fd524675b61af27ed95f413010bbfba0286974dceca5938bc57b9045659d1

SHA512
23dcf9ff55da5f0470b02b1e542eeabb6799c708fdfec930a929c13b6ba2c07c4f0f6fb41913e512356d229667e80aaea3c3077ee376f91a4d2426af6f98219c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe

Filesize
72KB

MD5
a7a71d204f92b326a8c73a420a6ce1ed

SHA1
2e8c85a5167af9d811c718aeea2c5c470fa19290

SHA256
7c7fd524675b61af27ed95f413010bbfba0286974dceca5938bc57b9045659d1

SHA512
23dcf9ff55da5f0470b02b1e542eeabb6799c708fdfec930a929c13b6ba2c07c4f0f6fb41913e512356d229667e80aaea3c3077ee376f91a4d2426af6f98219c

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
583f3ee12a049059fabc8382019f46c8

SHA1
fa5fa4e4892251bab2c6f443c1eb7488eb815738

SHA256
0bcac51c3482bfcba61922831a5a3a87c0273d1d8b8d13e5a4bcff750e48ad16

SHA512
59a2a173ba23f5ac28e2eb41c499296c2da176abba25ef2b9d623891077325b4625df620480d48aa625090bd6432515f52d584bda3eed72e4a3936fe5df6a832

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
583f3ee12a049059fabc8382019f46c8

SHA1
fa5fa4e4892251bab2c6f443c1eb7488eb815738

SHA256
0bcac51c3482bfcba61922831a5a3a87c0273d1d8b8d13e5a4bcff750e48ad16

SHA512
59a2a173ba23f5ac28e2eb41c499296c2da176abba25ef2b9d623891077325b4625df620480d48aa625090bd6432515f52d584bda3eed72e4a3936fe5df6a832

Download Submit
C:\Users\Admin\AppData\Local\Temp\4182239927\backup.exe

Filesize
72KB

MD5
11cd2acfa42a0526111cfe971f2dcfc3

SHA1
7213b09b3102d3249d42d76319508107565d2298

SHA256
3ce827b4482353c2522a7c60193ae0a6f09945fbbdfbda8f6abe9c1f0e321be6

SHA512
f2d5a79618487934cc5262b5c413d795ffca7d45623a5f2baa9433aedcd7208bbff1abaea2000fb18cf62162f71cd7cbdb22257b2be2cab2d4217e99e59ff58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4182239927\backup.exe

Filesize
72KB

MD5
11cd2acfa42a0526111cfe971f2dcfc3

SHA1
7213b09b3102d3249d42d76319508107565d2298

SHA256
3ce827b4482353c2522a7c60193ae0a6f09945fbbdfbda8f6abe9c1f0e321be6

SHA512
f2d5a79618487934cc5262b5c413d795ffca7d45623a5f2baa9433aedcd7208bbff1abaea2000fb18cf62162f71cd7cbdb22257b2be2cab2d4217e99e59ff58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
635ce1f1c0153e899277c42e6035ba5a

SHA1
0dafb5dbbb76c5fae7b1213956dffdfaf0938481

SHA256
22b7aaae6e1bea2749fe5d22a1c26e9da2192b5e491fde9d13757758bbca1e69

SHA512
b1e31c4d96388773bcdf8ef29629d42691165f7ccb150b188a5727c843f20910fe33d7abea3268b55763a2e55eb3eb5300e6ead0aa5f5500808d74b9438fc0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
635ce1f1c0153e899277c42e6035ba5a

SHA1
0dafb5dbbb76c5fae7b1213956dffdfaf0938481

SHA256
22b7aaae6e1bea2749fe5d22a1c26e9da2192b5e491fde9d13757758bbca1e69

SHA512
b1e31c4d96388773bcdf8ef29629d42691165f7ccb150b188a5727c843f20910fe33d7abea3268b55763a2e55eb3eb5300e6ead0aa5f5500808d74b9438fc0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
635ce1f1c0153e899277c42e6035ba5a

SHA1
0dafb5dbbb76c5fae7b1213956dffdfaf0938481

SHA256
22b7aaae6e1bea2749fe5d22a1c26e9da2192b5e491fde9d13757758bbca1e69

SHA512
b1e31c4d96388773bcdf8ef29629d42691165f7ccb150b188a5727c843f20910fe33d7abea3268b55763a2e55eb3eb5300e6ead0aa5f5500808d74b9438fc0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
635ce1f1c0153e899277c42e6035ba5a

SHA1
0dafb5dbbb76c5fae7b1213956dffdfaf0938481

SHA256
22b7aaae6e1bea2749fe5d22a1c26e9da2192b5e491fde9d13757758bbca1e69

SHA512
b1e31c4d96388773bcdf8ef29629d42691165f7ccb150b188a5727c843f20910fe33d7abea3268b55763a2e55eb3eb5300e6ead0aa5f5500808d74b9438fc0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
635ce1f1c0153e899277c42e6035ba5a

SHA1
0dafb5dbbb76c5fae7b1213956dffdfaf0938481

SHA256
22b7aaae6e1bea2749fe5d22a1c26e9da2192b5e491fde9d13757758bbca1e69

SHA512
b1e31c4d96388773bcdf8ef29629d42691165f7ccb150b188a5727c843f20910fe33d7abea3268b55763a2e55eb3eb5300e6ead0aa5f5500808d74b9438fc0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
635ce1f1c0153e899277c42e6035ba5a

SHA1
0dafb5dbbb76c5fae7b1213956dffdfaf0938481

SHA256
22b7aaae6e1bea2749fe5d22a1c26e9da2192b5e491fde9d13757758bbca1e69

SHA512
b1e31c4d96388773bcdf8ef29629d42691165f7ccb150b188a5727c843f20910fe33d7abea3268b55763a2e55eb3eb5300e6ead0aa5f5500808d74b9438fc0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
11cd2acfa42a0526111cfe971f2dcfc3

SHA1
7213b09b3102d3249d42d76319508107565d2298

SHA256
3ce827b4482353c2522a7c60193ae0a6f09945fbbdfbda8f6abe9c1f0e321be6

SHA512
f2d5a79618487934cc5262b5c413d795ffca7d45623a5f2baa9433aedcd7208bbff1abaea2000fb18cf62162f71cd7cbdb22257b2be2cab2d4217e99e59ff58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
11cd2acfa42a0526111cfe971f2dcfc3

SHA1
7213b09b3102d3249d42d76319508107565d2298

SHA256
3ce827b4482353c2522a7c60193ae0a6f09945fbbdfbda8f6abe9c1f0e321be6

SHA512
f2d5a79618487934cc5262b5c413d795ffca7d45623a5f2baa9433aedcd7208bbff1abaea2000fb18cf62162f71cd7cbdb22257b2be2cab2d4217e99e59ff58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
11cd2acfa42a0526111cfe971f2dcfc3

SHA1
7213b09b3102d3249d42d76319508107565d2298

SHA256
3ce827b4482353c2522a7c60193ae0a6f09945fbbdfbda8f6abe9c1f0e321be6

SHA512
f2d5a79618487934cc5262b5c413d795ffca7d45623a5f2baa9433aedcd7208bbff1abaea2000fb18cf62162f71cd7cbdb22257b2be2cab2d4217e99e59ff58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
11cd2acfa42a0526111cfe971f2dcfc3

SHA1
7213b09b3102d3249d42d76319508107565d2298

SHA256
3ce827b4482353c2522a7c60193ae0a6f09945fbbdfbda8f6abe9c1f0e321be6

SHA512
f2d5a79618487934cc5262b5c413d795ffca7d45623a5f2baa9433aedcd7208bbff1abaea2000fb18cf62162f71cd7cbdb22257b2be2cab2d4217e99e59ff58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
635ce1f1c0153e899277c42e6035ba5a

SHA1
0dafb5dbbb76c5fae7b1213956dffdfaf0938481

SHA256
22b7aaae6e1bea2749fe5d22a1c26e9da2192b5e491fde9d13757758bbca1e69

SHA512
b1e31c4d96388773bcdf8ef29629d42691165f7ccb150b188a5727c843f20910fe33d7abea3268b55763a2e55eb3eb5300e6ead0aa5f5500808d74b9438fc0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
635ce1f1c0153e899277c42e6035ba5a

SHA1
0dafb5dbbb76c5fae7b1213956dffdfaf0938481

SHA256
22b7aaae6e1bea2749fe5d22a1c26e9da2192b5e491fde9d13757758bbca1e69

SHA512
b1e31c4d96388773bcdf8ef29629d42691165f7ccb150b188a5727c843f20910fe33d7abea3268b55763a2e55eb3eb5300e6ead0aa5f5500808d74b9438fc0d2

Download Submit
C:\backup.exe

Filesize
72KB

MD5
5e56e25925f192ebdf60b586fd599946

SHA1
85d15fc45f21c7e7ad70d8ca7725b4a1e6c6fc16

SHA256
db9f2c5f324feb5e17b50331529c91c52904840fca31b504255229ca12ee124c

SHA512
9fe306ed7e3f6a1b59d0f40a3ec944f81fcb66bccc2563a3c9dc9bc28f577362ff9eedb5e0745d3ec119c2dcdc53d7c38c8cb068b971ebd7e59c096ea79851c9

Download Submit
C:\backup.exe

Filesize
72KB

MD5
5e56e25925f192ebdf60b586fd599946

SHA1
85d15fc45f21c7e7ad70d8ca7725b4a1e6c6fc16

SHA256
db9f2c5f324feb5e17b50331529c91c52904840fca31b504255229ca12ee124c

SHA512
9fe306ed7e3f6a1b59d0f40a3ec944f81fcb66bccc2563a3c9dc9bc28f577362ff9eedb5e0745d3ec119c2dcdc53d7c38c8cb068b971ebd7e59c096ea79851c9

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
9b6446501765022c16111671d726860f

SHA1
e37f22f8856f40f6cbae771ea0a22e34e4eb6a04

SHA256
0c8eb11870c01a9d8243846488973fdd1da5145075fb8f5ccadfe417aebcc205

SHA512
5f1561edd69e893842925498359f28b2a5f042e751a502e0e0c0aa79f59ad2d1474c8fe83d1ddbbd0523db243f2fa6c3120ab3c2a6cf244cb86c22248e86a71b

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
9b6446501765022c16111671d726860f

SHA1
e37f22f8856f40f6cbae771ea0a22e34e4eb6a04

SHA256
0c8eb11870c01a9d8243846488973fdd1da5145075fb8f5ccadfe417aebcc205

SHA512
5f1561edd69e893842925498359f28b2a5f042e751a502e0e0c0aa79f59ad2d1474c8fe83d1ddbbd0523db243f2fa6c3120ab3c2a6cf244cb86c22248e86a71b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads