910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4

Analysis

max time kernel
183s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe
Size

72KB
MD5

655b89b054b90b84d8cd3e2d7c12039a
SHA1

bb0703d20b90baffb0efd4ee062eb2839c81c1db
SHA256

910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4
SHA512

7de1dc1032c2ccc7846eb176a98f771d36ae96f2c47097692a8b311a9bd82f6de605b14b539fdd064b5bc44ae2d5ef7a53ec748cc12eec1f8134051449b6e81d
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2M:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrA

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
3644	backup.exe
388	backup.exe
4380	backup.exe
1028	backup.exe
4624	backup.exe
3128	backup.exe
4680	backup.exe
3816	backup.exe
1216	backup.exe
4032	backup.exe
2860	backup.exe
4180	backup.exe
4328	backup.exe
4260	backup.exe
2284	backup.exe
3452	backup.exe
4308	backup.exe
3812	backup.exe
3652	backup.exe
4928	System Restore.exe
3152	backup.exe
3576	backup.exe
4384	backup.exe
3068	backup.exe
3936	backup.exe
4852	backup.exe
4448	backup.exe
3268	backup.exe
4176	update.exe
3996	backup.exe
4148	backup.exe
4108	backup.exe
3108	backup.exe
4104	backup.exe
4916	backup.exe
4484	backup.exe
2384	backup.exe
2776	backup.exe
3128	backup.exe
3612	backup.exe
4704	backup.exe
3816	backup.exe
2532	backup.exe
1100	backup.exe
3604	backup.exe
4080	backup.exe
3028	backup.exe
3104	backup.exe
1152	backup.exe
3792	backup.exe
456	backup.exe
1168	backup.exe
1528	backup.exe
3164	backup.exe
4308	data.exe
4964	backup.exe
4808	backup.exe
3064	backup.exe
5104	backup.exe
2752	backup.exe
4416	backup.exe
4588	backup.exe
4620	backup.exe
3580	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\update.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	backup.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe
3644	backup.exe
388	backup.exe
4380	backup.exe
1028	backup.exe
4624	backup.exe
3128	backup.exe
4680	backup.exe
3816	backup.exe
1216	backup.exe
4032	backup.exe
2860	backup.exe
4180	backup.exe
4328	backup.exe
4260	backup.exe
2284	backup.exe
3452	backup.exe
4308	backup.exe
3812	backup.exe
3652	backup.exe
4928	System Restore.exe
3152	backup.exe
3576	backup.exe
4384	backup.exe
3068	backup.exe
4852	backup.exe
3936	backup.exe
4448	backup.exe
4176	update.exe
3268	backup.exe
3996	backup.exe
4148	backup.exe
4108	backup.exe
4104	backup.exe
3108	backup.exe
4916	backup.exe
4484	backup.exe
2384	backup.exe
2776	backup.exe
3128	backup.exe
3612	backup.exe
3604	backup.exe
1100	backup.exe
4704	backup.exe
2532	backup.exe
3816	backup.exe
4080	backup.exe
3028	backup.exe
3104	backup.exe
1152	backup.exe
3792	backup.exe
456	backup.exe
1168	backup.exe
1528	backup.exe
3164	backup.exe
4308	data.exe
4964	backup.exe
4808	backup.exe
3064	backup.exe
2752	backup.exe
5104	backup.exe
4416	backup.exe
4588	backup.exe
3580	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 3644	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	83
PID 1960 wrote to memory of 3644	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	83
PID 1960 wrote to memory of 3644	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	83
PID 1960 wrote to memory of 388	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	85
PID 1960 wrote to memory of 388	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	85
PID 1960 wrote to memory of 388	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	85
PID 1960 wrote to memory of 4380	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	86
PID 1960 wrote to memory of 4380	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	86
PID 1960 wrote to memory of 4380	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	86
PID 1960 wrote to memory of 1028	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	87
PID 1960 wrote to memory of 1028	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	87
PID 1960 wrote to memory of 1028	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	87
PID 1960 wrote to memory of 4624	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	88
PID 1960 wrote to memory of 4624	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	88
PID 1960 wrote to memory of 4624	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	88
PID 1960 wrote to memory of 3128	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	89
PID 1960 wrote to memory of 3128	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	89
PID 1960 wrote to memory of 3128	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	89
PID 1960 wrote to memory of 3816	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	91
PID 1960 wrote to memory of 3816	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	91
PID 1960 wrote to memory of 3816	1960	910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe	91
PID 3644 wrote to memory of 4680	3644	backup.exe	90
PID 3644 wrote to memory of 4680	3644	backup.exe	90
PID 3644 wrote to memory of 4680	3644	backup.exe	90
PID 4680 wrote to memory of 1216	4680	backup.exe	92
PID 4680 wrote to memory of 1216	4680	backup.exe	92
PID 4680 wrote to memory of 1216	4680	backup.exe	92
PID 4680 wrote to memory of 4032	4680	backup.exe	93
PID 4680 wrote to memory of 4032	4680	backup.exe	93
PID 4680 wrote to memory of 4032	4680	backup.exe	93
PID 4680 wrote to memory of 2860	4680	backup.exe	94
PID 4680 wrote to memory of 2860	4680	backup.exe	94
PID 4680 wrote to memory of 2860	4680	backup.exe	94
PID 2860 wrote to memory of 4180	2860	backup.exe	95
PID 2860 wrote to memory of 4180	2860	backup.exe	95
PID 2860 wrote to memory of 4180	2860	backup.exe	95
PID 4180 wrote to memory of 4328	4180	backup.exe	96
PID 4180 wrote to memory of 4328	4180	backup.exe	96
PID 4180 wrote to memory of 4328	4180	backup.exe	96
PID 2860 wrote to memory of 4260	2860	backup.exe	97
PID 2860 wrote to memory of 4260	2860	backup.exe	97
PID 2860 wrote to memory of 4260	2860	backup.exe	97
PID 4260 wrote to memory of 2284	4260	backup.exe	98
PID 4260 wrote to memory of 2284	4260	backup.exe	98
PID 4260 wrote to memory of 2284	4260	backup.exe	98
PID 4260 wrote to memory of 3452	4260	backup.exe	99
PID 4260 wrote to memory of 3452	4260	backup.exe	99
PID 4260 wrote to memory of 3452	4260	backup.exe	99
PID 3452 wrote to memory of 4308	3452	backup.exe	100
PID 3452 wrote to memory of 4308	3452	backup.exe	100
PID 3452 wrote to memory of 4308	3452	backup.exe	100
PID 3452 wrote to memory of 3812	3452	backup.exe	101
PID 3452 wrote to memory of 3812	3452	backup.exe	101
PID 3452 wrote to memory of 3812	3452	backup.exe	101
PID 3812 wrote to memory of 3652	3812	backup.exe	102
PID 3812 wrote to memory of 3652	3812	backup.exe	102
PID 3812 wrote to memory of 3652	3812	backup.exe	102
PID 3812 wrote to memory of 4928	3812	backup.exe	103
PID 3812 wrote to memory of 4928	3812	backup.exe	103
PID 3812 wrote to memory of 4928	3812	backup.exe	103
PID 3812 wrote to memory of 3152	3812	backup.exe	104
PID 3812 wrote to memory of 3152	3812	backup.exe	104
PID 3812 wrote to memory of 3152	3812	backup.exe	104
PID 3812 wrote to memory of 3576	3812	backup.exe	105

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe
"C:\Users\Admin\AppData\Local\Temp\910e65d79f00d47993fb52607c7a83763346927a2e0d1b34f2decaea185862e4.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\2294086806\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2294086806\backup.exe C:\Users\Admin\AppData\Local\Temp\2294086806\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4680
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1216
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4032
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4180
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4328
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4260
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2284
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4308
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3652
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4928
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3152
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3576
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4384
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3068
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\update.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4176
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2384
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3816
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4964
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4416
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        
        PID:4272
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3304
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:4908
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3988
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2384
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4228
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4180
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4468
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4416
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1496
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4176
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:2740
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2328
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:520
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        
        PID:3580
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4448
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4108
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4104
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3612
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4080
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:456
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:4620
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3808
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\data.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:1272
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:4016
        
        C:\Program Files\Common Files\microsoft shared\TextConv\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\update.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:4004
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\update.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4920
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:636
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:4308
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:4588
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3892
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:3688
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:5008
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3268
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3108
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4704
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3104
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1168
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3164
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4808
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4588
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4480
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:696
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4300
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4612
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3268
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Disables RegEdit via registry modification
        
        PID:5064
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:4444
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1508
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:5008
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        System policy modification
        
        PID:1308
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4268
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:3368
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        
        PID:5016
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:3792
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4852
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4148
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4484
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3604
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3792
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4308
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2540
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        System policy modification
        
        PID:1044
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1676
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        System policy modification
        
        PID:5056
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\update.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:4276
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:4112
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2444
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1504
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4600
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4456
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        System policy modification
        
        PID:1632
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:3332
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4928
      - C:\Program Files\Internet Explorer\it-IT\data.exe
        
        "C:\Program Files\Internet Explorer\it-IT\data.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:3576
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3320
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:3168
    - - C:\Program Files\Java\System Restore.exe
        
        "C:\Program Files\Java\System Restore.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2076
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4004
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2700
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1480
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3936
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3996
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3128
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2532
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:5104
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3580
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3860
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3892
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:544
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:5108
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:672
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2608
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        System policy modification
        
        PID:5084
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:4492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        System policy modification
        
        PID:4312
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2248
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3384
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1216
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2572
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:4300
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4188
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:4308
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4816
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        System policy modification
        
        PID:4812
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1340
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4108
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:4248
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3428
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:4964
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2520
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Disables RegEdit via registry modification
        
        PID:940
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:928
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        System policy modification
        
        PID:2784
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:4768
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        System policy modification
        
        PID:4616
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Disables RegEdit via registry modification
      Drops file in Windows directory
      PID:3628
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3124
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        
        PID:4332
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:388
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4380
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1028
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4624
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3128
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
18dc56d71841ed6ed07491900ec3d25b

SHA1
07a426481c1c296a3efaece0b4827829e3f07cb5

SHA256
d520ec20553ecfd9dbf674137d44a3e0827d5b103319be0330dcf8c35f62411e

SHA512
3d78bc8895a7b8a06572fa5d52d758215b93fc2845f2caebedbaf18f7d3432e5b33bc13f26e3f523ef82bf9eedd7a7bdf3aa6616f5d4add8f214a9d06e6da76f

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
18dc56d71841ed6ed07491900ec3d25b

SHA1
07a426481c1c296a3efaece0b4827829e3f07cb5

SHA256
d520ec20553ecfd9dbf674137d44a3e0827d5b103319be0330dcf8c35f62411e

SHA512
3d78bc8895a7b8a06572fa5d52d758215b93fc2845f2caebedbaf18f7d3432e5b33bc13f26e3f523ef82bf9eedd7a7bdf3aa6616f5d4add8f214a9d06e6da76f

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
eb906eecc7233e84722e0cd0515bf3a7

SHA1
b0d3749be2a5d5372aee7eb0ffae8520749c3257

SHA256
17ef696d89d4a29ba0497266ffe7560cdbb64173fd312cc57399a04a3139a118

SHA512
aa2bf771c70ca2c6b7091bdfff5ff2743af9bc49badb61bbeed9f04d58c8eb73f27bb252647cae5e60a6c066f6589533690b420eda5cf053f9d3e1956ca8acb7

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
eb906eecc7233e84722e0cd0515bf3a7

SHA1
b0d3749be2a5d5372aee7eb0ffae8520749c3257

SHA256
17ef696d89d4a29ba0497266ffe7560cdbb64173fd312cc57399a04a3139a118

SHA512
aa2bf771c70ca2c6b7091bdfff5ff2743af9bc49badb61bbeed9f04d58c8eb73f27bb252647cae5e60a6c066f6589533690b420eda5cf053f9d3e1956ca8acb7

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
bca61e468e4e7e5d1e60898c0a77c56e

SHA1
b613629f8f798d59a0d9394fae4863c592de9860

SHA256
0dfe32f11e6034a210490c26eb7454df45d40d60a5d1a58f67361a702bdce169

SHA512
2ccdb5b8091519ab6b5c4b342a67d6683ab85f73e1b345f8af9c8d99142b244ac2ef0ec6e3ffc4cc4cc4ed15cc30f527a065b42c2da4e867ad8bd0a809426c01

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
bca61e468e4e7e5d1e60898c0a77c56e

SHA1
b613629f8f798d59a0d9394fae4863c592de9860

SHA256
0dfe32f11e6034a210490c26eb7454df45d40d60a5d1a58f67361a702bdce169

SHA512
2ccdb5b8091519ab6b5c4b342a67d6683ab85f73e1b345f8af9c8d99142b244ac2ef0ec6e3ffc4cc4cc4ed15cc30f527a065b42c2da4e867ad8bd0a809426c01

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
f0c95d90e598bf359c4ab73ab972d910

SHA1
8d77cd8794350b3a4996c61173d2134b3bb113e9

SHA256
6e200523c72838db0be190502ace0b798718bbe681de2e78ad41a0d63e190a6b

SHA512
af1614432b6572054dc7fc928c20a78e015d59d9ced886dac9a7674a1f5e053668199f703575af683040f7d7fbdbb671633c50f959715f776a9cef7c51353d98

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
f0c95d90e598bf359c4ab73ab972d910

SHA1
8d77cd8794350b3a4996c61173d2134b3bb113e9

SHA256
6e200523c72838db0be190502ace0b798718bbe681de2e78ad41a0d63e190a6b

SHA512
af1614432b6572054dc7fc928c20a78e015d59d9ced886dac9a7674a1f5e053668199f703575af683040f7d7fbdbb671633c50f959715f776a9cef7c51353d98

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ffa3e139cdee4372f76f42ffbcd6b716

SHA1
ff6d4778c9e46071f3fa5e4364c93781766d4a3c

SHA256
cc3b516d298c8a609222bbd0ece76db80a93d07d7e21f7a92b5b630889d69d8f

SHA512
cc28818d3deeda615f7303b016e59eb8bcc85042336b8b275371e2057acea2d8843b0d8508fcc91765e30c3b9ff9ef93ec0ca1918d62d7898fca854a3cc4f26e

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ffa3e139cdee4372f76f42ffbcd6b716

SHA1
ff6d4778c9e46071f3fa5e4364c93781766d4a3c

SHA256
cc3b516d298c8a609222bbd0ece76db80a93d07d7e21f7a92b5b630889d69d8f

SHA512
cc28818d3deeda615f7303b016e59eb8bcc85042336b8b275371e2057acea2d8843b0d8508fcc91765e30c3b9ff9ef93ec0ca1918d62d7898fca854a3cc4f26e

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
f0d9d08a944f2360af4e9152ddf3b680

SHA1
f9034c52fa1f1c40ea43d5f709e0f47227592e48

SHA256
c4d94e4b9cbf0a1c2e9fb4a9bcc08944de718606534cfe4115b5af2c59f5345e

SHA512
17eab9c2e0a08a499f65ba688bb1696073b3e4ba2ad5848b6f2c9085d711eb565d4de065c34856751ef386ed69f586afd0aaa50fa3f95232a66ca2b23087d0ee

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
f0d9d08a944f2360af4e9152ddf3b680

SHA1
f9034c52fa1f1c40ea43d5f709e0f47227592e48

SHA256
c4d94e4b9cbf0a1c2e9fb4a9bcc08944de718606534cfe4115b5af2c59f5345e

SHA512
17eab9c2e0a08a499f65ba688bb1696073b3e4ba2ad5848b6f2c9085d711eb565d4de065c34856751ef386ed69f586afd0aaa50fa3f95232a66ca2b23087d0ee

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
2945668b8b03eaca2dfba00624c3a402

SHA1
2797591be4326a055c4d97f7929a9b3538bfa1a8

SHA256
fe0b7a547890439481df1622eae078d61f080077edd8dfb950ca42882e8fd2ef

SHA512
23d494ea0fd8f8b154e5d94c6da648e6a5b70178b1312153c796cc45727f2d7ea3c5587db5602f20af664a36ab25ceb6da635f31eeeba14f2318fa58d262fc43

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
2945668b8b03eaca2dfba00624c3a402

SHA1
2797591be4326a055c4d97f7929a9b3538bfa1a8

SHA256
fe0b7a547890439481df1622eae078d61f080077edd8dfb950ca42882e8fd2ef

SHA512
23d494ea0fd8f8b154e5d94c6da648e6a5b70178b1312153c796cc45727f2d7ea3c5587db5602f20af664a36ab25ceb6da635f31eeeba14f2318fa58d262fc43

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
27714ac2bc30cf68a871233d3d687002

SHA1
30eab2da09bc0f1e8383543f9d3aa5400ec2e4a1

SHA256
2cba9f85c7d7d665f0c4dc21a2607b4822fda453cb023cca202d4c1673291850

SHA512
19a78f42740992ffb165cd04ecfdab54f22266ca4d83be52fd4738bc1e4c3096d5affced5552a237a54d820665ea274c32736759e9f3f69e3278b82e35011d00

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
27714ac2bc30cf68a871233d3d687002

SHA1
30eab2da09bc0f1e8383543f9d3aa5400ec2e4a1

SHA256
2cba9f85c7d7d665f0c4dc21a2607b4822fda453cb023cca202d4c1673291850

SHA512
19a78f42740992ffb165cd04ecfdab54f22266ca4d83be52fd4738bc1e4c3096d5affced5552a237a54d820665ea274c32736759e9f3f69e3278b82e35011d00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
5bb8d05e5bf68da62a294a0be87fba65

SHA1
cb569296ea6d0fb18a213d032261f487d9b35b42

SHA256
7240afeea02be2c4d0cdfa6525d35765a8cadf83ea4a5841bc2e2265c88de408

SHA512
c04f839d0711193f58c0627b84f149604d62303fbf10aafea6795bc56339f57d3784dd21a27ff774ce35210730faefd0b75be67afe1249d745e5ece81c615847

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
5bb8d05e5bf68da62a294a0be87fba65

SHA1
cb569296ea6d0fb18a213d032261f487d9b35b42

SHA256
7240afeea02be2c4d0cdfa6525d35765a8cadf83ea4a5841bc2e2265c88de408

SHA512
c04f839d0711193f58c0627b84f149604d62303fbf10aafea6795bc56339f57d3784dd21a27ff774ce35210730faefd0b75be67afe1249d745e5ece81c615847

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
e639068ae059b290fadf19fbffb173ab

SHA1
b127c7d57fb5adfec4aeb87520921959fb355c70

SHA256
801df589301e919a8c692311d1f8c9c60863b1f8231a32f9918d93f47c87c430

SHA512
92c4ae4a1e5b6a0720ee5ae216360841b34dcb2ea793a9d781a6257b5a11d74bc5a16e0aa406cae1c4635e093de7efcca6b7fd2fdc19ee77c5a331f86646d8f0

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
e639068ae059b290fadf19fbffb173ab

SHA1
b127c7d57fb5adfec4aeb87520921959fb355c70

SHA256
801df589301e919a8c692311d1f8c9c60863b1f8231a32f9918d93f47c87c430

SHA512
92c4ae4a1e5b6a0720ee5ae216360841b34dcb2ea793a9d781a6257b5a11d74bc5a16e0aa406cae1c4635e093de7efcca6b7fd2fdc19ee77c5a331f86646d8f0

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
310277a07081260e87246aa299ced5ec

SHA1
31fed0a6528cc2a122e24d6ea0ee17194ec36c1d

SHA256
3a801c8f1be64493cf50e3edd5b306310b40f772f63c6cbc476fdac15ecb6705

SHA512
0352e570b60b3335712fa24dbc62fba75675afbd9bb930e50e5dbf0203d4dd477efc1384201b364b33b934dce555bc87f03bee5c72f7b28916641b321c900874

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
310277a07081260e87246aa299ced5ec

SHA1
31fed0a6528cc2a122e24d6ea0ee17194ec36c1d

SHA256
3a801c8f1be64493cf50e3edd5b306310b40f772f63c6cbc476fdac15ecb6705

SHA512
0352e570b60b3335712fa24dbc62fba75675afbd9bb930e50e5dbf0203d4dd477efc1384201b364b33b934dce555bc87f03bee5c72f7b28916641b321c900874

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
f0d9d08a944f2360af4e9152ddf3b680

SHA1
f9034c52fa1f1c40ea43d5f709e0f47227592e48

SHA256
c4d94e4b9cbf0a1c2e9fb4a9bcc08944de718606534cfe4115b5af2c59f5345e

SHA512
17eab9c2e0a08a499f65ba688bb1696073b3e4ba2ad5848b6f2c9085d711eb565d4de065c34856751ef386ed69f586afd0aaa50fa3f95232a66ca2b23087d0ee

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
f0d9d08a944f2360af4e9152ddf3b680

SHA1
f9034c52fa1f1c40ea43d5f709e0f47227592e48

SHA256
c4d94e4b9cbf0a1c2e9fb4a9bcc08944de718606534cfe4115b5af2c59f5345e

SHA512
17eab9c2e0a08a499f65ba688bb1696073b3e4ba2ad5848b6f2c9085d711eb565d4de065c34856751ef386ed69f586afd0aaa50fa3f95232a66ca2b23087d0ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
90a57ce2e5e66ec0361191c2d3cd7d70

SHA1
36e14f108c7bb0b0578719a1bc3d7c69a33f399d

SHA256
e8c89294ea761585d2240a6947323258d08618e8b83da3283273a3a445a7f732

SHA512
045a3018f3d16f878dcef3b7a89c8c48acfbeb61c221c9e0d9c28e39a79c19c5b87e380ac9dd94de7e6afedfa020d28a6148616c429f79e64573d1503c11a1e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
90a57ce2e5e66ec0361191c2d3cd7d70

SHA1
36e14f108c7bb0b0578719a1bc3d7c69a33f399d

SHA256
e8c89294ea761585d2240a6947323258d08618e8b83da3283273a3a445a7f732

SHA512
045a3018f3d16f878dcef3b7a89c8c48acfbeb61c221c9e0d9c28e39a79c19c5b87e380ac9dd94de7e6afedfa020d28a6148616c429f79e64573d1503c11a1e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
5bb8d05e5bf68da62a294a0be87fba65

SHA1
cb569296ea6d0fb18a213d032261f487d9b35b42

SHA256
7240afeea02be2c4d0cdfa6525d35765a8cadf83ea4a5841bc2e2265c88de408

SHA512
c04f839d0711193f58c0627b84f149604d62303fbf10aafea6795bc56339f57d3784dd21a27ff774ce35210730faefd0b75be67afe1249d745e5ece81c615847

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
5bb8d05e5bf68da62a294a0be87fba65

SHA1
cb569296ea6d0fb18a213d032261f487d9b35b42

SHA256
7240afeea02be2c4d0cdfa6525d35765a8cadf83ea4a5841bc2e2265c88de408

SHA512
c04f839d0711193f58c0627b84f149604d62303fbf10aafea6795bc56339f57d3784dd21a27ff774ce35210730faefd0b75be67afe1249d745e5ece81c615847

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\System Restore.exe

Filesize
72KB

MD5
c9903ee7ef022003cd4bfed96a74eee3

SHA1
a200c4a17c553d16d305272cbd0665cb018a4862

SHA256
76c172df8dfb9cfa0e2a88d253832b4dbe039fd555e1c4228a2c1b2dc267878c

SHA512
55d3635916618da10a3f3ac4acba3d15e3b50941459b87c75a489910a1cc6536a522e08128e0d3d809d9aa235f7938b37c45cefc2ec15660b84bd61642370a4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\System Restore.exe

Filesize
72KB

MD5
c9903ee7ef022003cd4bfed96a74eee3

SHA1
a200c4a17c553d16d305272cbd0665cb018a4862

SHA256
76c172df8dfb9cfa0e2a88d253832b4dbe039fd555e1c4228a2c1b2dc267878c

SHA512
55d3635916618da10a3f3ac4acba3d15e3b50941459b87c75a489910a1cc6536a522e08128e0d3d809d9aa235f7938b37c45cefc2ec15660b84bd61642370a4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
c9903ee7ef022003cd4bfed96a74eee3

SHA1
a200c4a17c553d16d305272cbd0665cb018a4862

SHA256
76c172df8dfb9cfa0e2a88d253832b4dbe039fd555e1c4228a2c1b2dc267878c

SHA512
55d3635916618da10a3f3ac4acba3d15e3b50941459b87c75a489910a1cc6536a522e08128e0d3d809d9aa235f7938b37c45cefc2ec15660b84bd61642370a4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
c9903ee7ef022003cd4bfed96a74eee3

SHA1
a200c4a17c553d16d305272cbd0665cb018a4862

SHA256
76c172df8dfb9cfa0e2a88d253832b4dbe039fd555e1c4228a2c1b2dc267878c

SHA512
55d3635916618da10a3f3ac4acba3d15e3b50941459b87c75a489910a1cc6536a522e08128e0d3d809d9aa235f7938b37c45cefc2ec15660b84bd61642370a4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
c9903ee7ef022003cd4bfed96a74eee3

SHA1
a200c4a17c553d16d305272cbd0665cb018a4862

SHA256
76c172df8dfb9cfa0e2a88d253832b4dbe039fd555e1c4228a2c1b2dc267878c

SHA512
55d3635916618da10a3f3ac4acba3d15e3b50941459b87c75a489910a1cc6536a522e08128e0d3d809d9aa235f7938b37c45cefc2ec15660b84bd61642370a4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
c9903ee7ef022003cd4bfed96a74eee3

SHA1
a200c4a17c553d16d305272cbd0665cb018a4862

SHA256
76c172df8dfb9cfa0e2a88d253832b4dbe039fd555e1c4228a2c1b2dc267878c

SHA512
55d3635916618da10a3f3ac4acba3d15e3b50941459b87c75a489910a1cc6536a522e08128e0d3d809d9aa235f7938b37c45cefc2ec15660b84bd61642370a4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
c9903ee7ef022003cd4bfed96a74eee3

SHA1
a200c4a17c553d16d305272cbd0665cb018a4862

SHA256
76c172df8dfb9cfa0e2a88d253832b4dbe039fd555e1c4228a2c1b2dc267878c

SHA512
55d3635916618da10a3f3ac4acba3d15e3b50941459b87c75a489910a1cc6536a522e08128e0d3d809d9aa235f7938b37c45cefc2ec15660b84bd61642370a4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
c9903ee7ef022003cd4bfed96a74eee3

SHA1
a200c4a17c553d16d305272cbd0665cb018a4862

SHA256
76c172df8dfb9cfa0e2a88d253832b4dbe039fd555e1c4228a2c1b2dc267878c

SHA512
55d3635916618da10a3f3ac4acba3d15e3b50941459b87c75a489910a1cc6536a522e08128e0d3d809d9aa235f7938b37c45cefc2ec15660b84bd61642370a4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
c9903ee7ef022003cd4bfed96a74eee3

SHA1
a200c4a17c553d16d305272cbd0665cb018a4862

SHA256
76c172df8dfb9cfa0e2a88d253832b4dbe039fd555e1c4228a2c1b2dc267878c

SHA512
55d3635916618da10a3f3ac4acba3d15e3b50941459b87c75a489910a1cc6536a522e08128e0d3d809d9aa235f7938b37c45cefc2ec15660b84bd61642370a4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
c9903ee7ef022003cd4bfed96a74eee3

SHA1
a200c4a17c553d16d305272cbd0665cb018a4862

SHA256
76c172df8dfb9cfa0e2a88d253832b4dbe039fd555e1c4228a2c1b2dc267878c

SHA512
55d3635916618da10a3f3ac4acba3d15e3b50941459b87c75a489910a1cc6536a522e08128e0d3d809d9aa235f7938b37c45cefc2ec15660b84bd61642370a4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\update.exe

Filesize
72KB

MD5
c89f3818c6b842273ea373a0ec0cb84d

SHA1
f7c2635d47a73a7e6fcc1880c4d3a88367d71d77

SHA256
72ea8b734c551c32958462cd672cf951803e572d8ddcc9fbd8d4dcf431d56364

SHA512
2d749f2bd7f7c04a9209f23246e9b3719bb324289c4e1bf97e6e129a4a4ec15e7a70977891e2e4b30dff60b0bf6e5cc67678a84991f6212c4d30fcbf832c0596

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\update.exe

Filesize
72KB

MD5
c89f3818c6b842273ea373a0ec0cb84d

SHA1
f7c2635d47a73a7e6fcc1880c4d3a88367d71d77

SHA256
72ea8b734c551c32958462cd672cf951803e572d8ddcc9fbd8d4dcf431d56364

SHA512
2d749f2bd7f7c04a9209f23246e9b3719bb324289c4e1bf97e6e129a4a4ec15e7a70977891e2e4b30dff60b0bf6e5cc67678a84991f6212c4d30fcbf832c0596

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
b69c93d833788a2852fb6e1994ee66f5

SHA1
a0c8b32a42cc768ebb08bcc4b13a5c3fd0a52d4a

SHA256
dc45fcf9c7dd07c84820dcae35ef8edf07b99bec8d0d8e39ef89663d11f67ef1

SHA512
0baced255bfd2fed30a6497da1adb008e1dff54c9261a82179a01607045e20870cf8b447dd227612357b576d323a2c901a1f5557e9e3de311d901f8dda43c70b

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
b69c93d833788a2852fb6e1994ee66f5

SHA1
a0c8b32a42cc768ebb08bcc4b13a5c3fd0a52d4a

SHA256
dc45fcf9c7dd07c84820dcae35ef8edf07b99bec8d0d8e39ef89663d11f67ef1

SHA512
0baced255bfd2fed30a6497da1adb008e1dff54c9261a82179a01607045e20870cf8b447dd227612357b576d323a2c901a1f5557e9e3de311d901f8dda43c70b

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
e1da1e70671a28770d63d53dddd7ef49

SHA1
5a3692e80042b36634d98e0d499a7648af87236d

SHA256
d9346d10e7174ae4277d4344f9905b3fb81703c9fc8f4b3c930a0c96be3cc504

SHA512
a6aded404846d3b310a55b6863b686ddee689b06423ffafa7392ef0652e15d25797e1286e8169e4ab62a63704ab629b2d4dbaf7eb66b7c0ef925b24c5a3bef2a

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
e1da1e70671a28770d63d53dddd7ef49

SHA1
5a3692e80042b36634d98e0d499a7648af87236d

SHA256
d9346d10e7174ae4277d4344f9905b3fb81703c9fc8f4b3c930a0c96be3cc504

SHA512
a6aded404846d3b310a55b6863b686ddee689b06423ffafa7392ef0652e15d25797e1286e8169e4ab62a63704ab629b2d4dbaf7eb66b7c0ef925b24c5a3bef2a

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
18dc56d71841ed6ed07491900ec3d25b

SHA1
07a426481c1c296a3efaece0b4827829e3f07cb5

SHA256
d520ec20553ecfd9dbf674137d44a3e0827d5b103319be0330dcf8c35f62411e

SHA512
3d78bc8895a7b8a06572fa5d52d758215b93fc2845f2caebedbaf18f7d3432e5b33bc13f26e3f523ef82bf9eedd7a7bdf3aa6616f5d4add8f214a9d06e6da76f

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
18dc56d71841ed6ed07491900ec3d25b

SHA1
07a426481c1c296a3efaece0b4827829e3f07cb5

SHA256
d520ec20553ecfd9dbf674137d44a3e0827d5b103319be0330dcf8c35f62411e

SHA512
3d78bc8895a7b8a06572fa5d52d758215b93fc2845f2caebedbaf18f7d3432e5b33bc13f26e3f523ef82bf9eedd7a7bdf3aa6616f5d4add8f214a9d06e6da76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2294086806\backup.exe

Filesize
72KB

MD5
bf81395af8c9674305781e2878632aea

SHA1
e9950b1bc4017f62c2ed724627a10c28b77c4170

SHA256
32cb851d760b165aac63c1bc2ef82478603e052fad04bd1cddf147ad9da514e0

SHA512
39db5c576da38c513c30824fca6b0e9b3b04c6b8127be4187108bf6618944a14141f06ed191589f76fc8d7ca997a8fc0f20d74428650da6246f9a75c65c747eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2294086806\backup.exe

Filesize
72KB

MD5
bf81395af8c9674305781e2878632aea

SHA1
e9950b1bc4017f62c2ed724627a10c28b77c4170

SHA256
32cb851d760b165aac63c1bc2ef82478603e052fad04bd1cddf147ad9da514e0

SHA512
39db5c576da38c513c30824fca6b0e9b3b04c6b8127be4187108bf6618944a14141f06ed191589f76fc8d7ca997a8fc0f20d74428650da6246f9a75c65c747eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
bf81395af8c9674305781e2878632aea

SHA1
e9950b1bc4017f62c2ed724627a10c28b77c4170

SHA256
32cb851d760b165aac63c1bc2ef82478603e052fad04bd1cddf147ad9da514e0

SHA512
39db5c576da38c513c30824fca6b0e9b3b04c6b8127be4187108bf6618944a14141f06ed191589f76fc8d7ca997a8fc0f20d74428650da6246f9a75c65c747eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
bf81395af8c9674305781e2878632aea

SHA1
e9950b1bc4017f62c2ed724627a10c28b77c4170

SHA256
32cb851d760b165aac63c1bc2ef82478603e052fad04bd1cddf147ad9da514e0

SHA512
39db5c576da38c513c30824fca6b0e9b3b04c6b8127be4187108bf6618944a14141f06ed191589f76fc8d7ca997a8fc0f20d74428650da6246f9a75c65c747eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bf81395af8c9674305781e2878632aea

SHA1
e9950b1bc4017f62c2ed724627a10c28b77c4170

SHA256
32cb851d760b165aac63c1bc2ef82478603e052fad04bd1cddf147ad9da514e0

SHA512
39db5c576da38c513c30824fca6b0e9b3b04c6b8127be4187108bf6618944a14141f06ed191589f76fc8d7ca997a8fc0f20d74428650da6246f9a75c65c747eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bf81395af8c9674305781e2878632aea

SHA1
e9950b1bc4017f62c2ed724627a10c28b77c4170

SHA256
32cb851d760b165aac63c1bc2ef82478603e052fad04bd1cddf147ad9da514e0

SHA512
39db5c576da38c513c30824fca6b0e9b3b04c6b8127be4187108bf6618944a14141f06ed191589f76fc8d7ca997a8fc0f20d74428650da6246f9a75c65c747eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1991371728d4d24b2817d83ea3f814dd

SHA1
6d8e29237573261bd173052be60fcbda9dbcc7d4

SHA256
9ccb618542b8341f595933abe147079005cec47189322d19dd9f6d42bdf7b48b

SHA512
175c8be12e2f17bb3d51e3e9ecd57ffb8678be85f80d30d11cd43ca4a1710f5493dcb37efce228d9879fe064e86ef88c7610324a1e59a5071d4c1a428c205e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1991371728d4d24b2817d83ea3f814dd

SHA1
6d8e29237573261bd173052be60fcbda9dbcc7d4

SHA256
9ccb618542b8341f595933abe147079005cec47189322d19dd9f6d42bdf7b48b

SHA512
175c8be12e2f17bb3d51e3e9ecd57ffb8678be85f80d30d11cd43ca4a1710f5493dcb37efce228d9879fe064e86ef88c7610324a1e59a5071d4c1a428c205e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
bf81395af8c9674305781e2878632aea

SHA1
e9950b1bc4017f62c2ed724627a10c28b77c4170

SHA256
32cb851d760b165aac63c1bc2ef82478603e052fad04bd1cddf147ad9da514e0

SHA512
39db5c576da38c513c30824fca6b0e9b3b04c6b8127be4187108bf6618944a14141f06ed191589f76fc8d7ca997a8fc0f20d74428650da6246f9a75c65c747eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
bf81395af8c9674305781e2878632aea

SHA1
e9950b1bc4017f62c2ed724627a10c28b77c4170

SHA256
32cb851d760b165aac63c1bc2ef82478603e052fad04bd1cddf147ad9da514e0

SHA512
39db5c576da38c513c30824fca6b0e9b3b04c6b8127be4187108bf6618944a14141f06ed191589f76fc8d7ca997a8fc0f20d74428650da6246f9a75c65c747eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
bf81395af8c9674305781e2878632aea

SHA1
e9950b1bc4017f62c2ed724627a10c28b77c4170

SHA256
32cb851d760b165aac63c1bc2ef82478603e052fad04bd1cddf147ad9da514e0

SHA512
39db5c576da38c513c30824fca6b0e9b3b04c6b8127be4187108bf6618944a14141f06ed191589f76fc8d7ca997a8fc0f20d74428650da6246f9a75c65c747eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
bf81395af8c9674305781e2878632aea

SHA1
e9950b1bc4017f62c2ed724627a10c28b77c4170

SHA256
32cb851d760b165aac63c1bc2ef82478603e052fad04bd1cddf147ad9da514e0

SHA512
39db5c576da38c513c30824fca6b0e9b3b04c6b8127be4187108bf6618944a14141f06ed191589f76fc8d7ca997a8fc0f20d74428650da6246f9a75c65c747eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
1991371728d4d24b2817d83ea3f814dd

SHA1
6d8e29237573261bd173052be60fcbda9dbcc7d4

SHA256
9ccb618542b8341f595933abe147079005cec47189322d19dd9f6d42bdf7b48b

SHA512
175c8be12e2f17bb3d51e3e9ecd57ffb8678be85f80d30d11cd43ca4a1710f5493dcb37efce228d9879fe064e86ef88c7610324a1e59a5071d4c1a428c205e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
1991371728d4d24b2817d83ea3f814dd

SHA1
6d8e29237573261bd173052be60fcbda9dbcc7d4

SHA256
9ccb618542b8341f595933abe147079005cec47189322d19dd9f6d42bdf7b48b

SHA512
175c8be12e2f17bb3d51e3e9ecd57ffb8678be85f80d30d11cd43ca4a1710f5493dcb37efce228d9879fe064e86ef88c7610324a1e59a5071d4c1a428c205e3e

Download Submit
C:\backup.exe

Filesize
72KB

MD5
7d7a8853c50b65414a363e119f227406

SHA1
df3278736ea398671bba151b48bd5d47571c1298

SHA256
e1fbb0ab1f57061121f43085a27b817f8c393c427dc7a146531fb59bab732517

SHA512
a78bf510b3782898d54e31eb8f4c223ca22b7245553012e6978f19400dcfad321f6d8a2c193fe7063d751790203c5d0d1bb33c8f436ea8980837b9dbec2d7baf

Download Submit
C:\backup.exe

Filesize
72KB

MD5
7d7a8853c50b65414a363e119f227406

SHA1
df3278736ea398671bba151b48bd5d47571c1298

SHA256
e1fbb0ab1f57061121f43085a27b817f8c393c427dc7a146531fb59bab732517

SHA512
a78bf510b3782898d54e31eb8f4c223ca22b7245553012e6978f19400dcfad321f6d8a2c193fe7063d751790203c5d0d1bb33c8f436ea8980837b9dbec2d7baf

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
b1b79c334e9a2974dd61bb1560bcb19b

SHA1
7f501e404aa6dadc36260a2bf57eecf8f1a40cfa

SHA256
3a01b22b6f18912a4cedf27fa2da5aed5115ecdd83fb4ab0c400b74b72c5e9f9

SHA512
dc67e8bc873f42d8713ef94af0f6187841e52f230b36c188878e16a9faeb7b210b3e1eae496cf435aa94de8bdc81c8d443bf97e0cf90844d2177bb08892ba003

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
b1b79c334e9a2974dd61bb1560bcb19b

SHA1
7f501e404aa6dadc36260a2bf57eecf8f1a40cfa

SHA256
3a01b22b6f18912a4cedf27fa2da5aed5115ecdd83fb4ab0c400b74b72c5e9f9

SHA512
dc67e8bc873f42d8713ef94af0f6187841e52f230b36c188878e16a9faeb7b210b3e1eae496cf435aa94de8bdc81c8d443bf97e0cf90844d2177bb08892ba003

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads