32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2

Analysis

max time kernel
176s
max time network
239s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe
Size

72KB
MD5

048fd872c64fb0cdade22c4901f89fec
SHA1

2ba375492286ed83480ab8ad8c84591409680659
SHA256

32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2
SHA512

1819776313f28c1fb87afc4dbb1dd37b5253d065d547b32bebc5c194a592283fad87329587bee37b02320a1846de4aecf4b7acc4c6cd68c623759c68ad56a4ea
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2P:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrP7

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2208	backup.exe
3684	backup.exe
2356	backup.exe
1428	backup.exe
1636	backup.exe
1360	backup.exe
1904	backup.exe
3032	backup.exe
2844	backup.exe
976	backup.exe
4308	backup.exe
4720	backup.exe
4620	backup.exe
4640	backup.exe
776	backup.exe
3016	backup.exe
1976	backup.exe
1192	backup.exe
4828	backup.exe
640	backup.exe
396	backup.exe
1368	backup.exe
1296	backup.exe
4860	data.exe
3040	backup.exe
1560	backup.exe
4864	backup.exe
4612	backup.exe
4960	backup.exe
1972	backup.exe
3668	backup.exe
1776	backup.exe
3192	backup.exe
3180	backup.exe
3524	backup.exe
328	backup.exe
3580	backup.exe
1452	backup.exe
2140	backup.exe
4748	backup.exe
3876	backup.exe
4644	backup.exe
2876	backup.exe
3716	backup.exe
4624	backup.exe
4320	backup.exe
1952	System Restore.exe
4164	backup.exe
1976	backup.exe
1144	backup.exe
3172	backup.exe
5096	backup.exe
3680	backup.exe
2004	backup.exe
4364	backup.exe
3456	backup.exe
1620	backup.exe
4856	backup.exe
1296	backup.exe
4884	backup.exe
4908	backup.exe
4020	backup.exe
4312	backup.exe
2504	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\data.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\data.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\System Restore.exe	backup.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe
2208	backup.exe
3684	backup.exe
2356	backup.exe
1428	backup.exe
1636	backup.exe
1904	backup.exe
1360	backup.exe
3032	backup.exe
2844	backup.exe
976	backup.exe
4308	backup.exe
4720	backup.exe
4620	backup.exe
4640	backup.exe
776	backup.exe
3016	backup.exe
1976	backup.exe
1192	backup.exe
4828	backup.exe
640	backup.exe
396	backup.exe
1368	backup.exe
1296	backup.exe
4860	data.exe
3040	backup.exe
1560	backup.exe
4864	backup.exe
4612	backup.exe
1972	backup.exe
4960	backup.exe
1776	backup.exe
3668	backup.exe
3192	backup.exe
3180	backup.exe
3524	backup.exe
328	backup.exe
3580	backup.exe
1452	backup.exe
2140	backup.exe
4748	backup.exe
3876	backup.exe
4644	backup.exe
2876	backup.exe
3716	backup.exe
4624	backup.exe
4164	backup.exe
1952	System Restore.exe
4320	backup.exe
1976	backup.exe
3680	backup.exe
5096	backup.exe
2004	backup.exe
1144	backup.exe
3172	backup.exe
4364	backup.exe
3456	backup.exe
1620	backup.exe
4856	backup.exe
4884	backup.exe
4312	backup.exe
4908	backup.exe
4268	backup.exe
4020	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 2208	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	84
PID 4752 wrote to memory of 2208	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	84
PID 4752 wrote to memory of 2208	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	84
PID 4752 wrote to memory of 3684	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	85
PID 4752 wrote to memory of 3684	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	85
PID 4752 wrote to memory of 3684	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	85
PID 4752 wrote to memory of 2356	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	86
PID 4752 wrote to memory of 2356	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	86
PID 4752 wrote to memory of 2356	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	86
PID 2208 wrote to memory of 1428	2208	backup.exe	87
PID 2208 wrote to memory of 1428	2208	backup.exe	87
PID 2208 wrote to memory of 1428	2208	backup.exe	87
PID 4752 wrote to memory of 1636	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	88
PID 4752 wrote to memory of 1636	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	88
PID 4752 wrote to memory of 1636	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	88
PID 1428 wrote to memory of 1360	1428	backup.exe	89
PID 1428 wrote to memory of 1360	1428	backup.exe	89
PID 1428 wrote to memory of 1360	1428	backup.exe	89
PID 4752 wrote to memory of 1904	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	90
PID 4752 wrote to memory of 1904	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	90
PID 4752 wrote to memory of 1904	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	90
PID 1428 wrote to memory of 2844	1428	backup.exe	92
PID 1428 wrote to memory of 2844	1428	backup.exe	92
PID 1428 wrote to memory of 2844	1428	backup.exe	92
PID 4752 wrote to memory of 3032	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	91
PID 4752 wrote to memory of 3032	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	91
PID 4752 wrote to memory of 3032	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	91
PID 4752 wrote to memory of 976	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	93
PID 4752 wrote to memory of 976	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	93
PID 4752 wrote to memory of 976	4752	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe	93
PID 1428 wrote to memory of 4308	1428	backup.exe	94
PID 1428 wrote to memory of 4308	1428	backup.exe	94
PID 1428 wrote to memory of 4308	1428	backup.exe	94
PID 4308 wrote to memory of 4720	4308	backup.exe	95
PID 4308 wrote to memory of 4720	4308	backup.exe	95
PID 4308 wrote to memory of 4720	4308	backup.exe	95
PID 4720 wrote to memory of 4620	4720	backup.exe	96
PID 4720 wrote to memory of 4620	4720	backup.exe	96
PID 4720 wrote to memory of 4620	4720	backup.exe	96
PID 4308 wrote to memory of 4640	4308	backup.exe	97
PID 4308 wrote to memory of 4640	4308	backup.exe	97
PID 4308 wrote to memory of 4640	4308	backup.exe	97
PID 4640 wrote to memory of 776	4640	backup.exe	98
PID 4640 wrote to memory of 776	4640	backup.exe	98
PID 4640 wrote to memory of 776	4640	backup.exe	98
PID 4640 wrote to memory of 3016	4640	backup.exe	99
PID 4640 wrote to memory of 3016	4640	backup.exe	99
PID 4640 wrote to memory of 3016	4640	backup.exe	99
PID 3016 wrote to memory of 1976	3016	backup.exe	100
PID 3016 wrote to memory of 1976	3016	backup.exe	100
PID 3016 wrote to memory of 1976	3016	backup.exe	100
PID 3016 wrote to memory of 1192	3016	backup.exe	101
PID 3016 wrote to memory of 1192	3016	backup.exe	101
PID 3016 wrote to memory of 1192	3016	backup.exe	101
PID 1192 wrote to memory of 4828	1192	backup.exe	102
PID 1192 wrote to memory of 4828	1192	backup.exe	102
PID 1192 wrote to memory of 4828	1192	backup.exe	102
PID 1192 wrote to memory of 640	1192	backup.exe	103
PID 1192 wrote to memory of 640	1192	backup.exe	103
PID 1192 wrote to memory of 640	1192	backup.exe	103
PID 1192 wrote to memory of 396	1192	backup.exe	104
PID 1192 wrote to memory of 396	1192	backup.exe	104
PID 1192 wrote to memory of 396	1192	backup.exe	104
PID 1192 wrote to memory of 1368	1192	backup.exe	105

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe

C:\Users\Admin\AppData\Local\Temp\32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe
"C:\Users\Admin\AppData\Local\Temp\32b11d2f78b1cf46048403afaabb8b36042ff336606c0d0669f5652ba206bcc2.exe"
1⤵
- Disables RegEdit via registry modification
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4752
- C:\Users\Admin\AppData\Local\Temp\3955709850\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3955709850\backup.exe C:\Users\Admin\AppData\Local\Temp\3955709850\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2208
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1360
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2844
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4720
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4620
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4640
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:776
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4828
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:640
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:396
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1368
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\data.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4860
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3040
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1560
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:328
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2876
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3680
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:2504
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4872
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:2860
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        
        PID:664
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        
        PID:2128
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4960
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3524
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3876
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\System Restore.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4908
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:4024
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:3640
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        9⤵
        
        PID:1452
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4320
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        System policy modification
        
        PID:1216
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Executes dropped EXE
        System policy modification
        
        PID:1296
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4544
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2876
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4364
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:1796
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3640
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3180
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4644
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4020
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2152
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4732
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:4264
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:4828
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5096
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3456
        
        C:\Program Files\Common Files\System\es-ES\data.exe
        
        "C:\Program Files\Common Files\System\es-ES\data.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3388
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3832
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        System policy modification
        
        PID:2320
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4040
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:4504
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:3484
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:5088
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:3224
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4864
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3668
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3580
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3716
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1144
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1568
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        System policy modification
        
        PID:240
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:1368
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:4112
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:204
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:3388
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:4160
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:3376
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4364
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4164
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        System policy modification
        
        PID:940
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4436
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1152
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:4668
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:3776
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2728
      - C:\Program Files\Internet Explorer\fr-FR\System Restore.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\System Restore.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1568
    - - C:\Program Files\Java\data.exe
        
        "C:\Program Files\Java\data.exe" C:\Program Files\Java\
        5⤵
        Drops file in Program Files directory
        
        PID:1060
      - C:\Program Files\Java\jdk1.8.0_66\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\data.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1972
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:1812
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        
        PID:3652
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        
        PID:3144
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        
        PID:4452
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:4076
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        
        PID:5004
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        
        PID:2508
        
        C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
        8⤵
        
        PID:3496
        
        C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
        8⤵
        
        PID:2840
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3552
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:2788
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        
        PID:3980
        
        C:\Program Files\Microsoft Office\root\Client\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Client\System Restore.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:1408
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        
        PID:2012
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:3228
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2504
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:4612
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3192
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4624
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2080
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1360
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:2452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:2432
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:4480
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1560
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3164
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        System policy modification
        
        PID:2584
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4244
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:3592
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3172
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:3916
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\data.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1344
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:2140
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:756
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\data.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:1564
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:3816
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2000
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:1300
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:3896
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:2084
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4884
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4292
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2100
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1964
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2280
        
        C:\Program Files (x86)\Google\Update\Download\data.exe
        
        "C:\Program Files (x86)\Google\Update\Download\data.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:3572
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:240
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:4852
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:2844
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4920
      - C:\Program Files (x86)\Internet Explorer\fr-FR\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\data.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:3476
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:4156
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:2504
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2312
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1976
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4268
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:2280
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1800
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:3244
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2772
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:3044
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:3732
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:4052
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4360
      - C:\Users\Public\Documents\update.exe
        
        C:\Users\Public\Documents\update.exe C:\Users\Public\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5068
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1428
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:3448
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:3936
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:4752
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:4312
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4408
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:4928
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        System policy modification
        
        PID:1236
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:1980
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:4696
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:3160
    - - C:\Windows\apppatch\System Restore.exe
        
        "C:\Windows\apppatch\System Restore.exe" C:\Windows\apppatch\
        5⤵
        
        PID:4584
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3684
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1904
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:976

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
1⤵
PID:4616
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
  2⤵
  PID:1760
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
  2⤵
  PID:340
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\System Restore.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
    3⤵
    PID:4636

C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
1⤵
PID:1708

C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
1⤵
PID:4632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
e6559f4994540c1000ee5c4455bc3342

SHA1
aa264260bc95ec4b4ce9d3f3edc584896fb94916

SHA256
90a8b29815f40bba6dff39cabe42d816fd2a984959f5953c1eb5b566c32da979

SHA512
65553c670f8a182a9fc2e1f41ab883836a00cf0a46fd50b082c47aa69d8e810c2451bbbdc15b9789f4f18fdafd312bc300e1cff69bb3830062b210cb68ab47cc

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
e6559f4994540c1000ee5c4455bc3342

SHA1
aa264260bc95ec4b4ce9d3f3edc584896fb94916

SHA256
90a8b29815f40bba6dff39cabe42d816fd2a984959f5953c1eb5b566c32da979

SHA512
65553c670f8a182a9fc2e1f41ab883836a00cf0a46fd50b082c47aa69d8e810c2451bbbdc15b9789f4f18fdafd312bc300e1cff69bb3830062b210cb68ab47cc

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
dd2fa12e7b3a578e291afb00a2046c17

SHA1
7140c1c6d6e0101c9ddaed0b94bf6b33a000949c

SHA256
0c608aae0214f3667f9d4468c0297bb95afe6b695923ddd396ce6ac3b76e11a8

SHA512
3a7332574778f9d6775487f0236b9d01b557d669ed48853f9caca7dcd78150456d46f1b399762e2e1b2904b2fb658800b7c43ebbf53aece212980d597b257441

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
dd2fa12e7b3a578e291afb00a2046c17

SHA1
7140c1c6d6e0101c9ddaed0b94bf6b33a000949c

SHA256
0c608aae0214f3667f9d4468c0297bb95afe6b695923ddd396ce6ac3b76e11a8

SHA512
3a7332574778f9d6775487f0236b9d01b557d669ed48853f9caca7dcd78150456d46f1b399762e2e1b2904b2fb658800b7c43ebbf53aece212980d597b257441

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a0b23334c4f5c9db2234788c0b5c635b

SHA1
819ce0caea6fe539eba78addf6e3b05bda591734

SHA256
f85bb7b164258f0594e1f1fbf2e2eedc9aa2dcbec295d4ead0c64c0b28948500

SHA512
4204908b745977718851ec2bd5140be694b55b05e6b4824a44e23adf3771a2b5495178ec1815dc0ae74985b9af5ab8c7978603e01c5b7b2321903ae4fc285f38

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a0b23334c4f5c9db2234788c0b5c635b

SHA1
819ce0caea6fe539eba78addf6e3b05bda591734

SHA256
f85bb7b164258f0594e1f1fbf2e2eedc9aa2dcbec295d4ead0c64c0b28948500

SHA512
4204908b745977718851ec2bd5140be694b55b05e6b4824a44e23adf3771a2b5495178ec1815dc0ae74985b9af5ab8c7978603e01c5b7b2321903ae4fc285f38

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
7d4a3524283429a2afdb119c5672cc1c

SHA1
9f4a45354f0c968dba5ec5e1e17be87eadae7096

SHA256
b92fa00e13532494f7edc6ab764ef1dc5395b56c493cd772eb88d6cd2d9d5331

SHA512
9831b4ca2e5ddcfacca23ba623674b50d6fa7583d86bbca713dbe250cd0260e15cc5d48c77393b221fa7d99627e7421272035982daee23406960cf1ff22510ff

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
7d4a3524283429a2afdb119c5672cc1c

SHA1
9f4a45354f0c968dba5ec5e1e17be87eadae7096

SHA256
b92fa00e13532494f7edc6ab764ef1dc5395b56c493cd772eb88d6cd2d9d5331

SHA512
9831b4ca2e5ddcfacca23ba623674b50d6fa7583d86bbca713dbe250cd0260e15cc5d48c77393b221fa7d99627e7421272035982daee23406960cf1ff22510ff

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
9648ecc34336838efa8d0bec89cdde9d

SHA1
123c9bf472e3896bce280674d61df84fd1b60cb6

SHA256
43cf7dd8e357ab0666a4de800fe826eb3d009223e6ab5f29d42cc157d5867e7c

SHA512
d863eedfd2d376dbbd410c4fa4ecb76d880d3548ff0c46d87b3b411a39ebfc616a3c457c8899dea31dc25cf34cd14626452abfc824079f058f44cfef9ffb81c3

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
9648ecc34336838efa8d0bec89cdde9d

SHA1
123c9bf472e3896bce280674d61df84fd1b60cb6

SHA256
43cf7dd8e357ab0666a4de800fe826eb3d009223e6ab5f29d42cc157d5867e7c

SHA512
d863eedfd2d376dbbd410c4fa4ecb76d880d3548ff0c46d87b3b411a39ebfc616a3c457c8899dea31dc25cf34cd14626452abfc824079f058f44cfef9ffb81c3

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
e28a33dc0fd63b134cee4e9003e8602d

SHA1
a3a446af1952c3d7c378e8d18f138a3dd5c4acc1

SHA256
a6aa38a701b042908b4fd9853f022b0094d656b10fe3c82b1dccc0f0dce09a04

SHA512
bfbf63433a6abc79a98ebbdbf1bfd67a1f7e944377474a85c830cdf0f5eff642cb16cf209d1e9c54ebf3efab43bdfa42bde17cf790cfbd0bdb782f04ec1e8f8f

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
e28a33dc0fd63b134cee4e9003e8602d

SHA1
a3a446af1952c3d7c378e8d18f138a3dd5c4acc1

SHA256
a6aa38a701b042908b4fd9853f022b0094d656b10fe3c82b1dccc0f0dce09a04

SHA512
bfbf63433a6abc79a98ebbdbf1bfd67a1f7e944377474a85c830cdf0f5eff642cb16cf209d1e9c54ebf3efab43bdfa42bde17cf790cfbd0bdb782f04ec1e8f8f

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
4fbdc1b548555b46bd96300af64960cf

SHA1
54b8adf3dbbbd0ae9cd59d154bdb2559d2b4e58c

SHA256
0413b8210998ec307a11135f65cc4824cb7489c95c5eb59c74af2b0d6e3bf86d

SHA512
c798f74db4e2cd696e136745f5e7000a92f149eb93befcadeda526a03a5517defa8f471e0a4cba186031ff73bb488158c3733b9519436a84400247771b201e47

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
4fbdc1b548555b46bd96300af64960cf

SHA1
54b8adf3dbbbd0ae9cd59d154bdb2559d2b4e58c

SHA256
0413b8210998ec307a11135f65cc4824cb7489c95c5eb59c74af2b0d6e3bf86d

SHA512
c798f74db4e2cd696e136745f5e7000a92f149eb93befcadeda526a03a5517defa8f471e0a4cba186031ff73bb488158c3733b9519436a84400247771b201e47

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
036c2fe1da01d6f69da277f499d538f9

SHA1
631c17e66e0e70774e69eb26e08305d1aeee71a8

SHA256
07967f27bba2494a9f241161c705a6b66a7370d18a4a5b9eac9e36b422f895be

SHA512
3852dc658939005a6d3048a4ff39a368c37fba1476d2be89581faf60c9bbca0bfd75604cc942747fb981ea9f21d1dcbc651b1339d8778c67160876c17abbce63

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
036c2fe1da01d6f69da277f499d538f9

SHA1
631c17e66e0e70774e69eb26e08305d1aeee71a8

SHA256
07967f27bba2494a9f241161c705a6b66a7370d18a4a5b9eac9e36b422f895be

SHA512
3852dc658939005a6d3048a4ff39a368c37fba1476d2be89581faf60c9bbca0bfd75604cc942747fb981ea9f21d1dcbc651b1339d8778c67160876c17abbce63

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
8206c6b178a13ecfb8d5c28f95780678

SHA1
64b567c5d55cc2c6bf1f4f040cecdc4b5ee41d32

SHA256
2bf64dfce3ca3df195af01e0cf3b9a1e624aa0ef53f4b39cea7b9ee2444801ce

SHA512
404ab601971e0359096c0a46702eed6f2d1ff4f2c651b2dcc39390e1ebdbdf3381bee45fd480a6850e05c8c3c3d17d5794c36215d256641a9cfe28a216fda94e

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
8206c6b178a13ecfb8d5c28f95780678

SHA1
64b567c5d55cc2c6bf1f4f040cecdc4b5ee41d32

SHA256
2bf64dfce3ca3df195af01e0cf3b9a1e624aa0ef53f4b39cea7b9ee2444801ce

SHA512
404ab601971e0359096c0a46702eed6f2d1ff4f2c651b2dcc39390e1ebdbdf3381bee45fd480a6850e05c8c3c3d17d5794c36215d256641a9cfe28a216fda94e

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
9648ecc34336838efa8d0bec89cdde9d

SHA1
123c9bf472e3896bce280674d61df84fd1b60cb6

SHA256
43cf7dd8e357ab0666a4de800fe826eb3d009223e6ab5f29d42cc157d5867e7c

SHA512
d863eedfd2d376dbbd410c4fa4ecb76d880d3548ff0c46d87b3b411a39ebfc616a3c457c8899dea31dc25cf34cd14626452abfc824079f058f44cfef9ffb81c3

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
9648ecc34336838efa8d0bec89cdde9d

SHA1
123c9bf472e3896bce280674d61df84fd1b60cb6

SHA256
43cf7dd8e357ab0666a4de800fe826eb3d009223e6ab5f29d42cc157d5867e7c

SHA512
d863eedfd2d376dbbd410c4fa4ecb76d880d3548ff0c46d87b3b411a39ebfc616a3c457c8899dea31dc25cf34cd14626452abfc824079f058f44cfef9ffb81c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
08cda29c8d970ac0659ba6e0444455ce

SHA1
dacc7f6d3b359c3dfdc796bd6614e957b60330e7

SHA256
676e2ea8c4e68b386456dd4fb96ef2bc06979fc824d77ce2fcf1f39e183c90cf

SHA512
202a56fbfde377583dc352f95a2340de9ab6b71fe73dab4ca536d3d4a37aeb220f7c536b86532d754c25643d10949e9d95618b7eb4e107ee3477062e83f1fcb4

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
08cda29c8d970ac0659ba6e0444455ce

SHA1
dacc7f6d3b359c3dfdc796bd6614e957b60330e7

SHA256
676e2ea8c4e68b386456dd4fb96ef2bc06979fc824d77ce2fcf1f39e183c90cf

SHA512
202a56fbfde377583dc352f95a2340de9ab6b71fe73dab4ca536d3d4a37aeb220f7c536b86532d754c25643d10949e9d95618b7eb4e107ee3477062e83f1fcb4

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
036c2fe1da01d6f69da277f499d538f9

SHA1
631c17e66e0e70774e69eb26e08305d1aeee71a8

SHA256
07967f27bba2494a9f241161c705a6b66a7370d18a4a5b9eac9e36b422f895be

SHA512
3852dc658939005a6d3048a4ff39a368c37fba1476d2be89581faf60c9bbca0bfd75604cc942747fb981ea9f21d1dcbc651b1339d8778c67160876c17abbce63

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
036c2fe1da01d6f69da277f499d538f9

SHA1
631c17e66e0e70774e69eb26e08305d1aeee71a8

SHA256
07967f27bba2494a9f241161c705a6b66a7370d18a4a5b9eac9e36b422f895be

SHA512
3852dc658939005a6d3048a4ff39a368c37fba1476d2be89581faf60c9bbca0bfd75604cc942747fb981ea9f21d1dcbc651b1339d8778c67160876c17abbce63

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
08cda29c8d970ac0659ba6e0444455ce

SHA1
dacc7f6d3b359c3dfdc796bd6614e957b60330e7

SHA256
676e2ea8c4e68b386456dd4fb96ef2bc06979fc824d77ce2fcf1f39e183c90cf

SHA512
202a56fbfde377583dc352f95a2340de9ab6b71fe73dab4ca536d3d4a37aeb220f7c536b86532d754c25643d10949e9d95618b7eb4e107ee3477062e83f1fcb4

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
08cda29c8d970ac0659ba6e0444455ce

SHA1
dacc7f6d3b359c3dfdc796bd6614e957b60330e7

SHA256
676e2ea8c4e68b386456dd4fb96ef2bc06979fc824d77ce2fcf1f39e183c90cf

SHA512
202a56fbfde377583dc352f95a2340de9ab6b71fe73dab4ca536d3d4a37aeb220f7c536b86532d754c25643d10949e9d95618b7eb4e107ee3477062e83f1fcb4

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
20f4c115994ce62916f195f767cd4642

SHA1
8fa9f90deb147bacc38e4fe54c2ea1af04bb5e21

SHA256
707a1d333bb3fa23bd0141a71ca47a510a272c59aebeef3d3ccf624113c531b4

SHA512
774d9ab83616967ad522cb2195d90ecdc749639500c22718f300e2af280596a0660fc73d6f095a061cb0b63e7f876e9e6ca3bf45738e42960362d7397f93ab14

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
20f4c115994ce62916f195f767cd4642

SHA1
8fa9f90deb147bacc38e4fe54c2ea1af04bb5e21

SHA256
707a1d333bb3fa23bd0141a71ca47a510a272c59aebeef3d3ccf624113c531b4

SHA512
774d9ab83616967ad522cb2195d90ecdc749639500c22718f300e2af280596a0660fc73d6f095a061cb0b63e7f876e9e6ca3bf45738e42960362d7397f93ab14

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
20f4c115994ce62916f195f767cd4642

SHA1
8fa9f90deb147bacc38e4fe54c2ea1af04bb5e21

SHA256
707a1d333bb3fa23bd0141a71ca47a510a272c59aebeef3d3ccf624113c531b4

SHA512
774d9ab83616967ad522cb2195d90ecdc749639500c22718f300e2af280596a0660fc73d6f095a061cb0b63e7f876e9e6ca3bf45738e42960362d7397f93ab14

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
20f4c115994ce62916f195f767cd4642

SHA1
8fa9f90deb147bacc38e4fe54c2ea1af04bb5e21

SHA256
707a1d333bb3fa23bd0141a71ca47a510a272c59aebeef3d3ccf624113c531b4

SHA512
774d9ab83616967ad522cb2195d90ecdc749639500c22718f300e2af280596a0660fc73d6f095a061cb0b63e7f876e9e6ca3bf45738e42960362d7397f93ab14

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
20f4c115994ce62916f195f767cd4642

SHA1
8fa9f90deb147bacc38e4fe54c2ea1af04bb5e21

SHA256
707a1d333bb3fa23bd0141a71ca47a510a272c59aebeef3d3ccf624113c531b4

SHA512
774d9ab83616967ad522cb2195d90ecdc749639500c22718f300e2af280596a0660fc73d6f095a061cb0b63e7f876e9e6ca3bf45738e42960362d7397f93ab14

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
20f4c115994ce62916f195f767cd4642

SHA1
8fa9f90deb147bacc38e4fe54c2ea1af04bb5e21

SHA256
707a1d333bb3fa23bd0141a71ca47a510a272c59aebeef3d3ccf624113c531b4

SHA512
774d9ab83616967ad522cb2195d90ecdc749639500c22718f300e2af280596a0660fc73d6f095a061cb0b63e7f876e9e6ca3bf45738e42960362d7397f93ab14

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\data.exe

Filesize
72KB

MD5
20f4c115994ce62916f195f767cd4642

SHA1
8fa9f90deb147bacc38e4fe54c2ea1af04bb5e21

SHA256
707a1d333bb3fa23bd0141a71ca47a510a272c59aebeef3d3ccf624113c531b4

SHA512
774d9ab83616967ad522cb2195d90ecdc749639500c22718f300e2af280596a0660fc73d6f095a061cb0b63e7f876e9e6ca3bf45738e42960362d7397f93ab14

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\data.exe

Filesize
72KB

MD5
20f4c115994ce62916f195f767cd4642

SHA1
8fa9f90deb147bacc38e4fe54c2ea1af04bb5e21

SHA256
707a1d333bb3fa23bd0141a71ca47a510a272c59aebeef3d3ccf624113c531b4

SHA512
774d9ab83616967ad522cb2195d90ecdc749639500c22718f300e2af280596a0660fc73d6f095a061cb0b63e7f876e9e6ca3bf45738e42960362d7397f93ab14

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
20f4c115994ce62916f195f767cd4642

SHA1
8fa9f90deb147bacc38e4fe54c2ea1af04bb5e21

SHA256
707a1d333bb3fa23bd0141a71ca47a510a272c59aebeef3d3ccf624113c531b4

SHA512
774d9ab83616967ad522cb2195d90ecdc749639500c22718f300e2af280596a0660fc73d6f095a061cb0b63e7f876e9e6ca3bf45738e42960362d7397f93ab14

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
20f4c115994ce62916f195f767cd4642

SHA1
8fa9f90deb147bacc38e4fe54c2ea1af04bb5e21

SHA256
707a1d333bb3fa23bd0141a71ca47a510a272c59aebeef3d3ccf624113c531b4

SHA512
774d9ab83616967ad522cb2195d90ecdc749639500c22718f300e2af280596a0660fc73d6f095a061cb0b63e7f876e9e6ca3bf45738e42960362d7397f93ab14

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
6a524412b26f2cb02148c613f5960671

SHA1
53d919ac9c6915c9f5eaf76f782329923ccecea8

SHA256
371dd0a640630bf385fc2af7340b0b9becd3115296cef5b77fe1882c85f1a8f6

SHA512
a9d34b9a493c47c1382075e383c9aeb605dbb83942fe9a3f88170a423259d4b9d9f4fa66b1a8aa9d70ce05860016cfbe4fdc53ab7248e2783d607f4a02dfde2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
6a524412b26f2cb02148c613f5960671

SHA1
53d919ac9c6915c9f5eaf76f782329923ccecea8

SHA256
371dd0a640630bf385fc2af7340b0b9becd3115296cef5b77fe1882c85f1a8f6

SHA512
a9d34b9a493c47c1382075e383c9aeb605dbb83942fe9a3f88170a423259d4b9d9f4fa66b1a8aa9d70ce05860016cfbe4fdc53ab7248e2783d607f4a02dfde2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
8920370144d6f3916a2c00032266ab79

SHA1
0a3e5703fd56b982e20d838a6a2a8840f847d70f

SHA256
f3213a9cfc8b481b3748aa462462d8ce2609ecf701279ea609abdfece95db2ea

SHA512
bdbf8abd72d5a1efc6f902561841e3b3e68419496b8e495866c3f0e5dc3099769e58009f12c522965b06fd3b32f8decfdb979c334b2ff004f6c3566ccb78f1eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
8920370144d6f3916a2c00032266ab79

SHA1
0a3e5703fd56b982e20d838a6a2a8840f847d70f

SHA256
f3213a9cfc8b481b3748aa462462d8ce2609ecf701279ea609abdfece95db2ea

SHA512
bdbf8abd72d5a1efc6f902561841e3b3e68419496b8e495866c3f0e5dc3099769e58009f12c522965b06fd3b32f8decfdb979c334b2ff004f6c3566ccb78f1eb

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
290b62c9dcaffe9238bd2fa3c7eebd5d

SHA1
b9088f130cfbee97834ede7b716ed50c0a53723e

SHA256
816ae4b3217d2f285809b39038ec446d7a443ee0a31d634dc9942eba5401df1e

SHA512
0e6fc54a467224d720ec04d353a862a990c6c54e968ea296ec80403a69e985b91ff415d27a063f3c8852a141f0f2dbce8aa0a483c6df3caf4a56755b05563e0a

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
290b62c9dcaffe9238bd2fa3c7eebd5d

SHA1
b9088f130cfbee97834ede7b716ed50c0a53723e

SHA256
816ae4b3217d2f285809b39038ec446d7a443ee0a31d634dc9942eba5401df1e

SHA512
0e6fc54a467224d720ec04d353a862a990c6c54e968ea296ec80403a69e985b91ff415d27a063f3c8852a141f0f2dbce8aa0a483c6df3caf4a56755b05563e0a

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
53db35ae272762fff633a7a144759017

SHA1
d1e14bcb54716380b8097cc031a4b9f27dd260ac

SHA256
8b3f3d543b95e90e2c217c2c0ae22be30e6e786fa9c0fed3a2489335455aea99

SHA512
bc63025b9c4039509e1991b8e9e81dae2053510d758bf275fb02cf6994ccb0110d730e684e9b1eb32f1976c658d96497573c347811fe473df233bce91f7b7747

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
53db35ae272762fff633a7a144759017

SHA1
d1e14bcb54716380b8097cc031a4b9f27dd260ac

SHA256
8b3f3d543b95e90e2c217c2c0ae22be30e6e786fa9c0fed3a2489335455aea99

SHA512
bc63025b9c4039509e1991b8e9e81dae2053510d758bf275fb02cf6994ccb0110d730e684e9b1eb32f1976c658d96497573c347811fe473df233bce91f7b7747

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
e6559f4994540c1000ee5c4455bc3342

SHA1
aa264260bc95ec4b4ce9d3f3edc584896fb94916

SHA256
90a8b29815f40bba6dff39cabe42d816fd2a984959f5953c1eb5b566c32da979

SHA512
65553c670f8a182a9fc2e1f41ab883836a00cf0a46fd50b082c47aa69d8e810c2451bbbdc15b9789f4f18fdafd312bc300e1cff69bb3830062b210cb68ab47cc

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
e6559f4994540c1000ee5c4455bc3342

SHA1
aa264260bc95ec4b4ce9d3f3edc584896fb94916

SHA256
90a8b29815f40bba6dff39cabe42d816fd2a984959f5953c1eb5b566c32da979

SHA512
65553c670f8a182a9fc2e1f41ab883836a00cf0a46fd50b082c47aa69d8e810c2451bbbdc15b9789f4f18fdafd312bc300e1cff69bb3830062b210cb68ab47cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3955709850\backup.exe

Filesize
72KB

MD5
43aeabbc3c307a4b14e70bd83c4995aa

SHA1
947c90191ceddf71944241439695e5de96d3fd0f

SHA256
a2ce9420fda070825d103a14b7930df7e05b8ec80cd3387266f05c44af3d2809

SHA512
86697f0f8ababea15a26a14342e8bb1be71c4069e1edeae20415cfb32a21a1682e5eac8b13115e28daea773ea38f597083dd9de7e7e9eb4cc1b361caa1a49abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3955709850\backup.exe

Filesize
72KB

MD5
43aeabbc3c307a4b14e70bd83c4995aa

SHA1
947c90191ceddf71944241439695e5de96d3fd0f

SHA256
a2ce9420fda070825d103a14b7930df7e05b8ec80cd3387266f05c44af3d2809

SHA512
86697f0f8ababea15a26a14342e8bb1be71c4069e1edeae20415cfb32a21a1682e5eac8b13115e28daea773ea38f597083dd9de7e7e9eb4cc1b361caa1a49abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
87be287c8840e0b7e7a903d321e6c0dd

SHA1
7f34d3d689d9c44a203a9c0d96feb5bd56d2a39f

SHA256
649c9d5997c884fddb6a9962f821cf09bc88f79305905b4d53aa4e6169145b07

SHA512
54950023266dacc02a39c2ae49d761b5fcb2bcb7dd3d5114aad15e91f623ebe9eaf57dd8c6f847a61796a3eba974075bc248d12114c19227ed02b9c44919ae4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
87be287c8840e0b7e7a903d321e6c0dd

SHA1
7f34d3d689d9c44a203a9c0d96feb5bd56d2a39f

SHA256
649c9d5997c884fddb6a9962f821cf09bc88f79305905b4d53aa4e6169145b07

SHA512
54950023266dacc02a39c2ae49d761b5fcb2bcb7dd3d5114aad15e91f623ebe9eaf57dd8c6f847a61796a3eba974075bc248d12114c19227ed02b9c44919ae4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cb15a723afb17431eff11e7e140c5cfb

SHA1
167e0eb255be42611a6dbda7f74e6709bea4da3d

SHA256
96a5ec9e56979da706f96584864ad66bf4420f78fb7fc877886dff6a6a167ffa

SHA512
b8a6b55625b0cb20eb785845072b755ba7591872cf7a5e03e4cb067e605b3eac10852badf18f1789dbbe535ce296ff957c8ba95b6c5ae6c15ed00b027d38bb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cb15a723afb17431eff11e7e140c5cfb

SHA1
167e0eb255be42611a6dbda7f74e6709bea4da3d

SHA256
96a5ec9e56979da706f96584864ad66bf4420f78fb7fc877886dff6a6a167ffa

SHA512
b8a6b55625b0cb20eb785845072b755ba7591872cf7a5e03e4cb067e605b3eac10852badf18f1789dbbe535ce296ff957c8ba95b6c5ae6c15ed00b027d38bb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bd69c9c3303c25058d885e4fccc1f049

SHA1
295102986a17fd919e11808791425f99990bf573

SHA256
1a9c0752ec98bffe9a1d2641d00766c1f61d81b7029a46a419349240613bc8aa

SHA512
f27e2388785850e96ca347789e8a56d5004086a290a5ae810f737b1543e2925077a2b48cc1d5494f5c2ce7f47d9d1927222c950f98eafe56a5543dad157498c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bd69c9c3303c25058d885e4fccc1f049

SHA1
295102986a17fd919e11808791425f99990bf573

SHA256
1a9c0752ec98bffe9a1d2641d00766c1f61d81b7029a46a419349240613bc8aa

SHA512
f27e2388785850e96ca347789e8a56d5004086a290a5ae810f737b1543e2925077a2b48cc1d5494f5c2ce7f47d9d1927222c950f98eafe56a5543dad157498c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
43aeabbc3c307a4b14e70bd83c4995aa

SHA1
947c90191ceddf71944241439695e5de96d3fd0f

SHA256
a2ce9420fda070825d103a14b7930df7e05b8ec80cd3387266f05c44af3d2809

SHA512
86697f0f8ababea15a26a14342e8bb1be71c4069e1edeae20415cfb32a21a1682e5eac8b13115e28daea773ea38f597083dd9de7e7e9eb4cc1b361caa1a49abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
43aeabbc3c307a4b14e70bd83c4995aa

SHA1
947c90191ceddf71944241439695e5de96d3fd0f

SHA256
a2ce9420fda070825d103a14b7930df7e05b8ec80cd3387266f05c44af3d2809

SHA512
86697f0f8ababea15a26a14342e8bb1be71c4069e1edeae20415cfb32a21a1682e5eac8b13115e28daea773ea38f597083dd9de7e7e9eb4cc1b361caa1a49abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
87be287c8840e0b7e7a903d321e6c0dd

SHA1
7f34d3d689d9c44a203a9c0d96feb5bd56d2a39f

SHA256
649c9d5997c884fddb6a9962f821cf09bc88f79305905b4d53aa4e6169145b07

SHA512
54950023266dacc02a39c2ae49d761b5fcb2bcb7dd3d5114aad15e91f623ebe9eaf57dd8c6f847a61796a3eba974075bc248d12114c19227ed02b9c44919ae4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
87be287c8840e0b7e7a903d321e6c0dd

SHA1
7f34d3d689d9c44a203a9c0d96feb5bd56d2a39f

SHA256
649c9d5997c884fddb6a9962f821cf09bc88f79305905b4d53aa4e6169145b07

SHA512
54950023266dacc02a39c2ae49d761b5fcb2bcb7dd3d5114aad15e91f623ebe9eaf57dd8c6f847a61796a3eba974075bc248d12114c19227ed02b9c44919ae4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
bd69c9c3303c25058d885e4fccc1f049

SHA1
295102986a17fd919e11808791425f99990bf573

SHA256
1a9c0752ec98bffe9a1d2641d00766c1f61d81b7029a46a419349240613bc8aa

SHA512
f27e2388785850e96ca347789e8a56d5004086a290a5ae810f737b1543e2925077a2b48cc1d5494f5c2ce7f47d9d1927222c950f98eafe56a5543dad157498c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
bd69c9c3303c25058d885e4fccc1f049

SHA1
295102986a17fd919e11808791425f99990bf573

SHA256
1a9c0752ec98bffe9a1d2641d00766c1f61d81b7029a46a419349240613bc8aa

SHA512
f27e2388785850e96ca347789e8a56d5004086a290a5ae810f737b1543e2925077a2b48cc1d5494f5c2ce7f47d9d1927222c950f98eafe56a5543dad157498c4

Download Submit
C:\backup.exe

Filesize
72KB

MD5
72ec60903719b8defc98ae1907396369

SHA1
6ae1f127a9105aa7cba9b7065a9728a7f9fe8c8c

SHA256
88405899b95b6ba26f4b59a0d7c65959b5f21d5de1273a3dcd1d9786913d8232

SHA512
1888f34a1bf13b616b3a9dfdd9f5f2d0cf9052703309acce0200490b6038720bdde5b5a6548bb56c0ea905e1496e03f7a0e4722af77f877654524b979876a171

Download Submit
C:\backup.exe

Filesize
72KB

MD5
72ec60903719b8defc98ae1907396369

SHA1
6ae1f127a9105aa7cba9b7065a9728a7f9fe8c8c

SHA256
88405899b95b6ba26f4b59a0d7c65959b5f21d5de1273a3dcd1d9786913d8232

SHA512
1888f34a1bf13b616b3a9dfdd9f5f2d0cf9052703309acce0200490b6038720bdde5b5a6548bb56c0ea905e1496e03f7a0e4722af77f877654524b979876a171

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
da7597a21df3d22f3935537ffafe103f

SHA1
b507574647c7945ce5487e92d6980902055159a4

SHA256
ac85dbd782436d880472b9171a3a6a531886ec5114491d7262728edfb5e3da28

SHA512
49a553cb5a1c882c546e5d6048867d3777f2151140388a280816f6e2072cb3258f7c75a0b7c484d27ff37a1374f9bd6b1ef32b1ff0978d076394ea392106b885

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
da7597a21df3d22f3935537ffafe103f

SHA1
b507574647c7945ce5487e92d6980902055159a4

SHA256
ac85dbd782436d880472b9171a3a6a531886ec5114491d7262728edfb5e3da28

SHA512
49a553cb5a1c882c546e5d6048867d3777f2151140388a280816f6e2072cb3258f7c75a0b7c484d27ff37a1374f9bd6b1ef32b1ff0978d076394ea392106b885

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads