6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91

Analysis

max time kernel
206s
max time network
251s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe
Size

72KB
MD5

053b9fb28dd6098e6a960605bb5ab492
SHA1

f33cbe30d14c488b4b7aa8d90054a7a7353e54fc
SHA256

6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91
SHA512

a52d45165b25153a340ae7a4cd274c8762b2db0877c54d7698a86acfb12ed3f5b8d4835626941340d8e73a8840882c863299fbd7e81e1d2adbbe39a94018d076
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf27:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPP

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
5076	backup.exe
328	backup.exe
3944	backup.exe
3692	backup.exe
1984	backup.exe
4600	backup.exe
1280	backup.exe
3768	backup.exe
1812	backup.exe
2636	backup.exe
4352	backup.exe
1516	backup.exe
2324	update.exe
5020	backup.exe
1008	backup.exe
1100	data.exe
516	update.exe
4484	backup.exe
392	backup.exe
4612	backup.exe
3724	backup.exe
1568	backup.exe
3260	backup.exe
4736	backup.exe
5016	backup.exe
1364	backup.exe
4712	backup.exe
1596	backup.exe
4264	backup.exe
544	backup.exe
4292	update.exe
3328	backup.exe
3588	backup.exe
4664	backup.exe
4780	backup.exe
4708	backup.exe
3032	backup.exe
3120	backup.exe
3956	backup.exe
1156	backup.exe
4316	backup.exe
2768	backup.exe
3924	backup.exe
4084	backup.exe
440	backup.exe
2872	backup.exe
5100	update.exe
2248	backup.exe
384	backup.exe
1812	backup.exe
1616	data.exe
2636	backup.exe
644	backup.exe
1192	backup.exe
2344	backup.exe
4480	backup.exe
4492	backup.exe
2052	backup.exe
2984	System Restore.exe
1260	backup.exe
4256	backup.exe
1568	backup.exe
3100	backup.exe
2228	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe
5076	backup.exe
328	backup.exe
3944	backup.exe
3692	backup.exe
1984	backup.exe
4600	backup.exe
1280	backup.exe
3768	backup.exe
1812	backup.exe
2636	backup.exe
4352	backup.exe
1516	backup.exe
2324	update.exe
5020	backup.exe
1008	backup.exe
1100	data.exe
516	update.exe
4484	backup.exe
392	backup.exe
4612	backup.exe
3724	backup.exe
1568	backup.exe
3260	backup.exe
4736	backup.exe
4264	backup.exe
5016	backup.exe
1364	backup.exe
1596	backup.exe
4712	backup.exe
544	backup.exe
3328	backup.exe
4292	update.exe
3588	backup.exe
4780	backup.exe
4664	backup.exe
4708	backup.exe
3032	backup.exe
3120	backup.exe
3956	backup.exe
3924	backup.exe
1156	backup.exe
4316	backup.exe
2768	backup.exe
4084	backup.exe
440	backup.exe
2872	backup.exe
5100	update.exe
2248	backup.exe
384	backup.exe
1812	backup.exe
2636	backup.exe
644	backup.exe
1616	data.exe
4480	backup.exe
1192	backup.exe
2344	backup.exe
4492	backup.exe
2052	backup.exe
2984	System Restore.exe
2228	backup.exe
1260	backup.exe
3100	backup.exe
1568	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 5076	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	81
PID 208 wrote to memory of 5076	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	81
PID 208 wrote to memory of 5076	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	81
PID 208 wrote to memory of 328	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	82
PID 208 wrote to memory of 328	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	82
PID 208 wrote to memory of 328	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	82
PID 208 wrote to memory of 3944	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	83
PID 208 wrote to memory of 3944	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	83
PID 208 wrote to memory of 3944	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	83
PID 208 wrote to memory of 3692	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	84
PID 208 wrote to memory of 3692	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	84
PID 208 wrote to memory of 3692	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	84
PID 208 wrote to memory of 1984	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	85
PID 208 wrote to memory of 1984	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	85
PID 208 wrote to memory of 1984	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	85
PID 208 wrote to memory of 4600	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	86
PID 208 wrote to memory of 4600	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	86
PID 208 wrote to memory of 4600	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	86
PID 5076 wrote to memory of 1280	5076	backup.exe	87
PID 5076 wrote to memory of 1280	5076	backup.exe	87
PID 5076 wrote to memory of 1280	5076	backup.exe	87
PID 208 wrote to memory of 3768	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	88
PID 208 wrote to memory of 3768	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	88
PID 208 wrote to memory of 3768	208	6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe	88
PID 1280 wrote to memory of 1812	1280	backup.exe	89
PID 1280 wrote to memory of 1812	1280	backup.exe	89
PID 1280 wrote to memory of 1812	1280	backup.exe	89
PID 1280 wrote to memory of 2636	1280	backup.exe	90
PID 1280 wrote to memory of 2636	1280	backup.exe	90
PID 1280 wrote to memory of 2636	1280	backup.exe	90
PID 1280 wrote to memory of 4352	1280	backup.exe	91
PID 1280 wrote to memory of 4352	1280	backup.exe	91
PID 1280 wrote to memory of 4352	1280	backup.exe	91
PID 4352 wrote to memory of 1516	4352	backup.exe	92
PID 4352 wrote to memory of 1516	4352	backup.exe	92
PID 4352 wrote to memory of 1516	4352	backup.exe	92
PID 1516 wrote to memory of 2324	1516	backup.exe	93
PID 1516 wrote to memory of 2324	1516	backup.exe	93
PID 1516 wrote to memory of 2324	1516	backup.exe	93
PID 4352 wrote to memory of 5020	4352	backup.exe	94
PID 4352 wrote to memory of 5020	4352	backup.exe	94
PID 4352 wrote to memory of 5020	4352	backup.exe	94
PID 5020 wrote to memory of 1008	5020	backup.exe	95
PID 5020 wrote to memory of 1008	5020	backup.exe	95
PID 5020 wrote to memory of 1008	5020	backup.exe	95
PID 5020 wrote to memory of 1100	5020	backup.exe	96
PID 5020 wrote to memory of 1100	5020	backup.exe	96
PID 5020 wrote to memory of 1100	5020	backup.exe	96
PID 1100 wrote to memory of 516	1100	data.exe	97
PID 1100 wrote to memory of 516	1100	data.exe	97
PID 1100 wrote to memory of 516	1100	data.exe	97
PID 1100 wrote to memory of 4484	1100	data.exe	98
PID 1100 wrote to memory of 4484	1100	data.exe	98
PID 1100 wrote to memory of 4484	1100	data.exe	98
PID 4484 wrote to memory of 392	4484	backup.exe	99
PID 4484 wrote to memory of 392	4484	backup.exe	99
PID 4484 wrote to memory of 392	4484	backup.exe	99
PID 4484 wrote to memory of 4612	4484	backup.exe	100
PID 4484 wrote to memory of 4612	4484	backup.exe	100
PID 4484 wrote to memory of 4612	4484	backup.exe	100
PID 4484 wrote to memory of 3724	4484	backup.exe	101
PID 4484 wrote to memory of 3724	4484	backup.exe	101
PID 4484 wrote to memory of 3724	4484	backup.exe	101
PID 4484 wrote to memory of 1568	4484	backup.exe	102

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe
"C:\Users\Admin\AppData\Local\Temp\6a95185445bb5851d73738ce1c826da69171486e1f1ebe5de1684ba3cfc85c91.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\AppData\Local\Temp\3336988748\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3336988748\backup.exe C:\Users\Admin\AppData\Local\Temp\3336988748\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5076
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1812
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2636
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4352
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - C:\Program Files\7-Zip\Lang\update.exe
        
        "C:\Program Files\7-Zip\Lang\update.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2324
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5020
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1008
      - C:\Program Files\Common Files\microsoft shared\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\data.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:516
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:392
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4612
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3724
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3260
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4736
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4264
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4664
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3924
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:440
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\data.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1616
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        
        PID:2964
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4100
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3644
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3736
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        System policy modification
        
        PID:4644
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        
        PID:2016
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4296
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2348
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        System policy modification
        
        PID:3236
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5056
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:4412
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4712
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:544
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4780
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3120
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4316
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5100
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:644
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:384
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:760
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2156
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        System policy modification
        
        PID:2520
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3060
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:3552
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Drops file in Program Files directory
        
        PID:3124
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2456
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4844
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        System policy modification
        
        PID:5068
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1364
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3328
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4480
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3100
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3156
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:4908
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3484
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4324
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:240
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:2320
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:2804
        
        C:\Program Files\Common Files\System\Ole DB\System Restore.exe
        
        "C:\Program Files\Common Files\System\Ole DB\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4816
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1596
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3588
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2768
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2248
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        System policy modification
        
        PID:2016
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3540
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3616
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:5020
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1504
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:960
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:4392
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5068
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1192
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2308
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3236
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4680
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:3708
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:556
      - C:\Program Files\Internet Explorer\it-IT\System Restore.exe
        
        "C:\Program Files\Internet Explorer\it-IT\System Restore.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3284
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:4360
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:4664
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Drops file in Program Files directory
        
        PID:2356
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2108
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4532
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:2276
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        Drops file in Program Files directory
        
        PID:3920
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:5016
    - - C:\Program Files (x86)\Adobe\update.exe
        
        "C:\Program Files (x86)\Adobe\update.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4292
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1156
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:3376
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4192
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:3288
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4632
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2764
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Drops file in Program Files directory
        
        PID:1816
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:4880
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4884
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:4980
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:2192
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        System policy modification
        
        PID:2368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4180
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:540
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3296
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4308
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4812
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:4744
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4492
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2268
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:3300
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\update.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:3452
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3640
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:4464
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3444
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1468
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2224
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4356
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4988
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4400
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        System policy modification
        
        PID:5100
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3472
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3736
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:4184
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2504
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:2156
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1812
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2052
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        System policy modification
        
        PID:4648
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2100
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1112
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3584
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:4528
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2744
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2408
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        System policy modification
        
        PID:3516
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2288
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Drops file in Windows directory
      System policy modification
      PID:3128
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Disables RegEdit via registry modification
        
        PID:3740
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        
        PID:3092
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:328
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3944
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3692
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4600
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3768

C:\Program Files\Common Files\System\ado\backup.exe
"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4708
- C:\Program Files\Common Files\System\ado\de-DE\backup.exe
  "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3956
- C:\Program Files\Common Files\System\ado\en-US\backup.exe
  "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4084
- C:\Program Files\Common Files\System\ado\es-ES\backup.exe
  "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2344
- C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
  "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - System policy modification
  PID:4864
- C:\Program Files\Common Files\System\ado\it-IT\backup.exe
  "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - System policy modification
  PID:668
- C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
  "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
  2⤵
  PID:4752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
9f6eeeb2ceecf19a71d85c4f8b10515c

SHA1
c9fa19767576b2535d524c0ce0883f11aca819c1

SHA256
dac86285b05483c4336a31035b7c9e452a3022c49df1d7870f5c678412f8d641

SHA512
6b58d04ce9586b96d794081d31269de0e6662df1198393b46d3470c480c7c7cd4b630716abf8f5d3d7f87ba0f342c602e57c8ea365585aaeb6eea85f139ff3cd

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
9f6eeeb2ceecf19a71d85c4f8b10515c

SHA1
c9fa19767576b2535d524c0ce0883f11aca819c1

SHA256
dac86285b05483c4336a31035b7c9e452a3022c49df1d7870f5c678412f8d641

SHA512
6b58d04ce9586b96d794081d31269de0e6662df1198393b46d3470c480c7c7cd4b630716abf8f5d3d7f87ba0f342c602e57c8ea365585aaeb6eea85f139ff3cd

Download Submit
C:\Program Files (x86)\Adobe\update.exe

Filesize
72KB

MD5
af4acd110f0893afba4ee8eb912d29eb

SHA1
cb7008c31b972ed57d300d1bc2ee3126b0ecd11d

SHA256
a1b1ce055af4568d4138b6841f8002eff62a3210a267b5483b1647b49eb35b57

SHA512
c44222fcd59fd219774ebecd236d5964d5a45f96e822071e593eb1fc96dbcb7c8066deff55a022f6408fe69377b7b15c1a8e551d02a460b2e9e1e0b2d56e9c88

Download Submit
C:\Program Files (x86)\Adobe\update.exe

Filesize
72KB

MD5
af4acd110f0893afba4ee8eb912d29eb

SHA1
cb7008c31b972ed57d300d1bc2ee3126b0ecd11d

SHA256
a1b1ce055af4568d4138b6841f8002eff62a3210a267b5483b1647b49eb35b57

SHA512
c44222fcd59fd219774ebecd236d5964d5a45f96e822071e593eb1fc96dbcb7c8066deff55a022f6408fe69377b7b15c1a8e551d02a460b2e9e1e0b2d56e9c88

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
033b43b4380a9ad23c4920daf7a9af4f

SHA1
7b40bc89bc4c06e8c29ca393f5a9d520e7bb76c2

SHA256
fff8f1360d3128c49fafa51f82b3aa7da81c53ee82e76843a771d34130d4d4b6

SHA512
4a747e6b6713fdafe27c14183bbed8e972e3f0e73fb85b342b62ba68c9029c5713266d8a03029c5a3e6b93c8dfc97bf4e448d60ad2899cc12126d5c28cfcfefe

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
033b43b4380a9ad23c4920daf7a9af4f

SHA1
7b40bc89bc4c06e8c29ca393f5a9d520e7bb76c2

SHA256
fff8f1360d3128c49fafa51f82b3aa7da81c53ee82e76843a771d34130d4d4b6

SHA512
4a747e6b6713fdafe27c14183bbed8e972e3f0e73fb85b342b62ba68c9029c5713266d8a03029c5a3e6b93c8dfc97bf4e448d60ad2899cc12126d5c28cfcfefe

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
c42b6026d8a65d0d0fe16ea384684ac8

SHA1
393b876c37aebe01c5e7da5be5eabd6bb0d380ea

SHA256
2b46e87357656429b79ca8df1f069087c804396f1db802d80d01f9322cde26d1

SHA512
39b2557e1a96ce3360902b65eadf618b9e3bdf3f33ad07ff8cc4444c3757bf28a5d04d06f3c622c293afa1cd37652ea5e709b2770d99e9ae223b5b4ca2c2814c

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
c42b6026d8a65d0d0fe16ea384684ac8

SHA1
393b876c37aebe01c5e7da5be5eabd6bb0d380ea

SHA256
2b46e87357656429b79ca8df1f069087c804396f1db802d80d01f9322cde26d1

SHA512
39b2557e1a96ce3360902b65eadf618b9e3bdf3f33ad07ff8cc4444c3757bf28a5d04d06f3c622c293afa1cd37652ea5e709b2770d99e9ae223b5b4ca2c2814c

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
aa3e49bbf40543ff363c345a3dfd5cf3

SHA1
6d8a1b112dae6707e2f927c4ebed4f8d23e6848e

SHA256
dd0b4acb942657219b159aae1de0b8094ffb3a18f7f59bf64cd978c7fc1b6547

SHA512
66d9b7760093d06c76ca8cca9a0daef18738cc856d8767deb3ef1b1c0ccb27769c168969a595adcbf4db116061cbd1c15f4b853abc36a967aa3e89a18fbf2afe

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
aa3e49bbf40543ff363c345a3dfd5cf3

SHA1
6d8a1b112dae6707e2f927c4ebed4f8d23e6848e

SHA256
dd0b4acb942657219b159aae1de0b8094ffb3a18f7f59bf64cd978c7fc1b6547

SHA512
66d9b7760093d06c76ca8cca9a0daef18738cc856d8767deb3ef1b1c0ccb27769c168969a595adcbf4db116061cbd1c15f4b853abc36a967aa3e89a18fbf2afe

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
149602fc4f305e1bbfdf12652fb9f65f

SHA1
9c6e5baa1f64d28c058659c0a1a959d1925fd8fe

SHA256
62bde287986a61fb7b6a53da9e8f7e6083db7092b18119e82165cb3463de9208

SHA512
abefe3375c03bbc66dfa7ceaa903b93ed7ffac602178ff5fe49d10f3adbed9628f0d0712415db07249c7fd4b8bd34d15c939bf4585e68d98b9f55d89307ec284

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
149602fc4f305e1bbfdf12652fb9f65f

SHA1
9c6e5baa1f64d28c058659c0a1a959d1925fd8fe

SHA256
62bde287986a61fb7b6a53da9e8f7e6083db7092b18119e82165cb3463de9208

SHA512
abefe3375c03bbc66dfa7ceaa903b93ed7ffac602178ff5fe49d10f3adbed9628f0d0712415db07249c7fd4b8bd34d15c939bf4585e68d98b9f55d89307ec284

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
0307c345a9c5e8c7dc7c15a739f45dad

SHA1
fbd889e3fe7bcdb309264012531dcd405649861c

SHA256
33a0b663ac5b24f19b26581aaf75693d921aa11898812a065775851fed358429

SHA512
39397f5ff57edb32a523bcc796f2564e9bd8402ac68bcade1808e19d8f84fca528520f0648612b0ff131224b218cd92e53352592e20d2b843b19054721d80882

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
0307c345a9c5e8c7dc7c15a739f45dad

SHA1
fbd889e3fe7bcdb309264012531dcd405649861c

SHA256
33a0b663ac5b24f19b26581aaf75693d921aa11898812a065775851fed358429

SHA512
39397f5ff57edb32a523bcc796f2564e9bd8402ac68bcade1808e19d8f84fca528520f0648612b0ff131224b218cd92e53352592e20d2b843b19054721d80882

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
b18d8411fe2d13c175301ca341689c8d

SHA1
01013093bda950c21271f45fc962b8b637783924

SHA256
229ddac210c9db368789dba861610896cfc7b57a4fb950b1fbd38a08aea51458

SHA512
2828247e54a660bb4c3c9da07e5ca9516e1eb9f3b0b537f65d9ddac35a4a8af1d4b507b708f5f3890a9c2eb1ac2757ecad2dbf3c5322bbf4759f694b44828215

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
1f0b97084465a39c0227c97d17cb306f

SHA1
f01fc32d75b35e6a11fd58c78472f2883fb8b446

SHA256
0124ba374be126e4fdc610e5cdddfcd3d5cd1bb5c6fe84a3422e2d0a7e4dd42e

SHA512
15e78b7890e2079cb58a09f0d11392f3bbfc871271a8117192dd44a0671046f09b4c5e57c07d87aec03ee8c45515f72db2f3e7799c7d6a31e622b487637f09b0

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
1f0b97084465a39c0227c97d17cb306f

SHA1
f01fc32d75b35e6a11fd58c78472f2883fb8b446

SHA256
0124ba374be126e4fdc610e5cdddfcd3d5cd1bb5c6fe84a3422e2d0a7e4dd42e

SHA512
15e78b7890e2079cb58a09f0d11392f3bbfc871271a8117192dd44a0671046f09b4c5e57c07d87aec03ee8c45515f72db2f3e7799c7d6a31e622b487637f09b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe

Filesize
72KB

MD5
e22b2f593579ce48802136be89f62e1e

SHA1
0537b738f37066a4d41c4552c82ceef9c1e35889

SHA256
60511f0c952014858d8e7e5397c817a617ee9bbfa5b20bd5cf1675d9ccc1434e

SHA512
a78a6b641e811aef3e209c92f30bfd657617088e5c98e065b7cf7636e454db014378da1b7d689afda5604141a0cfb69f58e6c68ad33c1f7eb5602823eccf54c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe

Filesize
72KB

MD5
e22b2f593579ce48802136be89f62e1e

SHA1
0537b738f37066a4d41c4552c82ceef9c1e35889

SHA256
60511f0c952014858d8e7e5397c817a617ee9bbfa5b20bd5cf1675d9ccc1434e

SHA512
a78a6b641e811aef3e209c92f30bfd657617088e5c98e065b7cf7636e454db014378da1b7d689afda5604141a0cfb69f58e6c68ad33c1f7eb5602823eccf54c1

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
5451506a5166fac93aa66f290ecff93a

SHA1
fe915ba10649cae45539ea3f5dcc5633b4b38883

SHA256
be3a1bb365dedd8107238e189f8a59042f6605c7b5632859f1f78572e6b49efc

SHA512
b399a2e56270e9bca5c49d93d6d2365e0f679fb04aa5683fc8ccffff133e6fd3cd9e12387efd11464f398276b3ee676b171797cd2e8bea6876395098e1134260

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
5451506a5166fac93aa66f290ecff93a

SHA1
fe915ba10649cae45539ea3f5dcc5633b4b38883

SHA256
be3a1bb365dedd8107238e189f8a59042f6605c7b5632859f1f78572e6b49efc

SHA512
b399a2e56270e9bca5c49d93d6d2365e0f679fb04aa5683fc8ccffff133e6fd3cd9e12387efd11464f398276b3ee676b171797cd2e8bea6876395098e1134260

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
dae3514294283dd1d779029aca141d69

SHA1
daccf1a13fd0999fb1890bedb361fd28be7822fa

SHA256
e3be00b2afb59429f0179c2beabbb5c03f9cb3c8e4f1304e19aeb0e82e7800e9

SHA512
7d82bd88b60161e0c5af269c00d3eea4ea37ef432348da8ae3b6c862c9ff4541313b6e0c513261bdad79c5c0e3e27f0758e8d9bf58acced7a769f5f8f473c834

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
dae3514294283dd1d779029aca141d69

SHA1
daccf1a13fd0999fb1890bedb361fd28be7822fa

SHA256
e3be00b2afb59429f0179c2beabbb5c03f9cb3c8e4f1304e19aeb0e82e7800e9

SHA512
7d82bd88b60161e0c5af269c00d3eea4ea37ef432348da8ae3b6c862c9ff4541313b6e0c513261bdad79c5c0e3e27f0758e8d9bf58acced7a769f5f8f473c834

Download Submit
C:\Program Files\Common Files\microsoft shared\data.exe

Filesize
72KB

MD5
149602fc4f305e1bbfdf12652fb9f65f

SHA1
9c6e5baa1f64d28c058659c0a1a959d1925fd8fe

SHA256
62bde287986a61fb7b6a53da9e8f7e6083db7092b18119e82165cb3463de9208

SHA512
abefe3375c03bbc66dfa7ceaa903b93ed7ffac602178ff5fe49d10f3adbed9628f0d0712415db07249c7fd4b8bd34d15c939bf4585e68d98b9f55d89307ec284

Download Submit
C:\Program Files\Common Files\microsoft shared\data.exe

Filesize
72KB

MD5
149602fc4f305e1bbfdf12652fb9f65f

SHA1
9c6e5baa1f64d28c058659c0a1a959d1925fd8fe

SHA256
62bde287986a61fb7b6a53da9e8f7e6083db7092b18119e82165cb3463de9208

SHA512
abefe3375c03bbc66dfa7ceaa903b93ed7ffac602178ff5fe49d10f3adbed9628f0d0712415db07249c7fd4b8bd34d15c939bf4585e68d98b9f55d89307ec284

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
7cc9d6603aeeb42b10660b7e875c8eb1

SHA1
8e6f5ada2e0e8fa8c08bebda45dc16b05aeec2d7

SHA256
edea7c5ee77ce9a5c3665db1efa625e6c52dd25c00129bdf5e3b7a638ef4d0f5

SHA512
d2582f9ba80ed0d5e8614811aa83d8f331a0f765cec3d599af5c00010440fa2334521879017cd85ae45cc1d5ab3fd4417fc93a5fb8e8ad856e35af388276fba6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
7cc9d6603aeeb42b10660b7e875c8eb1

SHA1
8e6f5ada2e0e8fa8c08bebda45dc16b05aeec2d7

SHA256
edea7c5ee77ce9a5c3665db1efa625e6c52dd25c00129bdf5e3b7a638ef4d0f5

SHA512
d2582f9ba80ed0d5e8614811aa83d8f331a0f765cec3d599af5c00010440fa2334521879017cd85ae45cc1d5ab3fd4417fc93a5fb8e8ad856e35af388276fba6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
e22b2f593579ce48802136be89f62e1e

SHA1
0537b738f37066a4d41c4552c82ceef9c1e35889

SHA256
60511f0c952014858d8e7e5397c817a617ee9bbfa5b20bd5cf1675d9ccc1434e

SHA512
a78a6b641e811aef3e209c92f30bfd657617088e5c98e065b7cf7636e454db014378da1b7d689afda5604141a0cfb69f58e6c68ad33c1f7eb5602823eccf54c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
e22b2f593579ce48802136be89f62e1e

SHA1
0537b738f37066a4d41c4552c82ceef9c1e35889

SHA256
60511f0c952014858d8e7e5397c817a617ee9bbfa5b20bd5cf1675d9ccc1434e

SHA512
a78a6b641e811aef3e209c92f30bfd657617088e5c98e065b7cf7636e454db014378da1b7d689afda5604141a0cfb69f58e6c68ad33c1f7eb5602823eccf54c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
7cc9d6603aeeb42b10660b7e875c8eb1

SHA1
8e6f5ada2e0e8fa8c08bebda45dc16b05aeec2d7

SHA256
edea7c5ee77ce9a5c3665db1efa625e6c52dd25c00129bdf5e3b7a638ef4d0f5

SHA512
d2582f9ba80ed0d5e8614811aa83d8f331a0f765cec3d599af5c00010440fa2334521879017cd85ae45cc1d5ab3fd4417fc93a5fb8e8ad856e35af388276fba6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
7cc9d6603aeeb42b10660b7e875c8eb1

SHA1
8e6f5ada2e0e8fa8c08bebda45dc16b05aeec2d7

SHA256
edea7c5ee77ce9a5c3665db1efa625e6c52dd25c00129bdf5e3b7a638ef4d0f5

SHA512
d2582f9ba80ed0d5e8614811aa83d8f331a0f765cec3d599af5c00010440fa2334521879017cd85ae45cc1d5ab3fd4417fc93a5fb8e8ad856e35af388276fba6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
7cc9d6603aeeb42b10660b7e875c8eb1

SHA1
8e6f5ada2e0e8fa8c08bebda45dc16b05aeec2d7

SHA256
edea7c5ee77ce9a5c3665db1efa625e6c52dd25c00129bdf5e3b7a638ef4d0f5

SHA512
d2582f9ba80ed0d5e8614811aa83d8f331a0f765cec3d599af5c00010440fa2334521879017cd85ae45cc1d5ab3fd4417fc93a5fb8e8ad856e35af388276fba6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
7cc9d6603aeeb42b10660b7e875c8eb1

SHA1
8e6f5ada2e0e8fa8c08bebda45dc16b05aeec2d7

SHA256
edea7c5ee77ce9a5c3665db1efa625e6c52dd25c00129bdf5e3b7a638ef4d0f5

SHA512
d2582f9ba80ed0d5e8614811aa83d8f331a0f765cec3d599af5c00010440fa2334521879017cd85ae45cc1d5ab3fd4417fc93a5fb8e8ad856e35af388276fba6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
eb8006824685236acb69dbe3b03b7bf8

SHA1
2f3737de19aeea3044374c406713cec61b258e54

SHA256
3dea3138aed3d0249350d554bce8f71a12959db8956ed8c802974627f12982c6

SHA512
42a85f95f4893e1180902604cef96ca4bda689e053841096c0a986663225d2b3d94b9ed1767df8e844e2a063b335d8340bccf82d8b3ac23011fe419aa5a63a56

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
eb8006824685236acb69dbe3b03b7bf8

SHA1
2f3737de19aeea3044374c406713cec61b258e54

SHA256
3dea3138aed3d0249350d554bce8f71a12959db8956ed8c802974627f12982c6

SHA512
42a85f95f4893e1180902604cef96ca4bda689e053841096c0a986663225d2b3d94b9ed1767df8e844e2a063b335d8340bccf82d8b3ac23011fe419aa5a63a56

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
eb8006824685236acb69dbe3b03b7bf8

SHA1
2f3737de19aeea3044374c406713cec61b258e54

SHA256
3dea3138aed3d0249350d554bce8f71a12959db8956ed8c802974627f12982c6

SHA512
42a85f95f4893e1180902604cef96ca4bda689e053841096c0a986663225d2b3d94b9ed1767df8e844e2a063b335d8340bccf82d8b3ac23011fe419aa5a63a56

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
eb8006824685236acb69dbe3b03b7bf8

SHA1
2f3737de19aeea3044374c406713cec61b258e54

SHA256
3dea3138aed3d0249350d554bce8f71a12959db8956ed8c802974627f12982c6

SHA512
42a85f95f4893e1180902604cef96ca4bda689e053841096c0a986663225d2b3d94b9ed1767df8e844e2a063b335d8340bccf82d8b3ac23011fe419aa5a63a56

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
eb8006824685236acb69dbe3b03b7bf8

SHA1
2f3737de19aeea3044374c406713cec61b258e54

SHA256
3dea3138aed3d0249350d554bce8f71a12959db8956ed8c802974627f12982c6

SHA512
42a85f95f4893e1180902604cef96ca4bda689e053841096c0a986663225d2b3d94b9ed1767df8e844e2a063b335d8340bccf82d8b3ac23011fe419aa5a63a56

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
eb8006824685236acb69dbe3b03b7bf8

SHA1
2f3737de19aeea3044374c406713cec61b258e54

SHA256
3dea3138aed3d0249350d554bce8f71a12959db8956ed8c802974627f12982c6

SHA512
42a85f95f4893e1180902604cef96ca4bda689e053841096c0a986663225d2b3d94b9ed1767df8e844e2a063b335d8340bccf82d8b3ac23011fe419aa5a63a56

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
477e18ce9695f22f1b79620dd43edca8

SHA1
7462fd25c33ecacb8771e9a191fe373c11980f2d

SHA256
6d7fc610419460893e39a7456dc1675df341a67251ce84c18647bbdafed8875d

SHA512
593d45f3c009199ca803f0a0316e5a95063a4904be9a7122f5ad88e00e0feb6da341675f43cfd8ddc1052ae740e8fcc5883970bb89492cec2ffe54dc2758dcd8

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
477e18ce9695f22f1b79620dd43edca8

SHA1
7462fd25c33ecacb8771e9a191fe373c11980f2d

SHA256
6d7fc610419460893e39a7456dc1675df341a67251ce84c18647bbdafed8875d

SHA512
593d45f3c009199ca803f0a0316e5a95063a4904be9a7122f5ad88e00e0feb6da341675f43cfd8ddc1052ae740e8fcc5883970bb89492cec2ffe54dc2758dcd8

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
9d0c91286393dd3a037d57e7bb8619c2

SHA1
229a0c8552ebec1f81663f741ed1d5e4e008136e

SHA256
d8987289ee962bbbd52d9a2558d3b67372e9a6ca3922771b3e341d42a220f247

SHA512
f633d5a568079240a0eecf3bcb7bc8dd8a106329393e10e199d05252021e7fc9e2996b3dcfc1cd56b70bb0fd4b1ffd18e8863ebfe78d8dff077f83852a9bf5c0

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
20047d2ebb30721af0ebb60c8c2d453d

SHA1
fa9455000a9ed77bcf800ba08963f607cf49837b

SHA256
e23f7e887d188660901ebf5ca2cd943f0aa2456d6983eb2d05b942e6af40416c

SHA512
3d87dadc24e004d53d0381874dd2777f48aa2d57ac100cdc9faa896c5636a6c18cbca363686edc045184f2a58bd5d55586c5b5d7e26fb1f92f92294fe74e5f53

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
20047d2ebb30721af0ebb60c8c2d453d

SHA1
fa9455000a9ed77bcf800ba08963f607cf49837b

SHA256
e23f7e887d188660901ebf5ca2cd943f0aa2456d6983eb2d05b942e6af40416c

SHA512
3d87dadc24e004d53d0381874dd2777f48aa2d57ac100cdc9faa896c5636a6c18cbca363686edc045184f2a58bd5d55586c5b5d7e26fb1f92f92294fe74e5f53

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
ddd1bf754e3baee354fb265fba6d7f46

SHA1
71ef8d65cf7cdd096c97a31164c3ec3a7412578c

SHA256
76a2ca38781efaca943eec50cb8b867497347903859ada02e5c57cec523d52b5

SHA512
b360574d197e09143a098afe3df22fb78c897b4f9aaaac2093026443fb9b1a93b55269883c4bbc2ebd4628aaad447670a031117dd97f1241f174a896b3856b72

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
ddd1bf754e3baee354fb265fba6d7f46

SHA1
71ef8d65cf7cdd096c97a31164c3ec3a7412578c

SHA256
76a2ca38781efaca943eec50cb8b867497347903859ada02e5c57cec523d52b5

SHA512
b360574d197e09143a098afe3df22fb78c897b4f9aaaac2093026443fb9b1a93b55269883c4bbc2ebd4628aaad447670a031117dd97f1241f174a896b3856b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\3336988748\backup.exe

Filesize
72KB

MD5
7614422a0aef21d25718b28e7c9377df

SHA1
85a1bfc972ebd7ec42cc114360249d8814b94fe7

SHA256
7690c8163d810b210aa2908e61a70e7d66922c72298451aabc2faa6ca8eaa2c3

SHA512
b93f123513721c4fc8df991a4cd57f767be1283f75db28c7851f8ebd1adf92d5e2004b296b3e886dc63d82a93afdf5ef2524f08cd4f40d578fa9b693784c9040

Download Submit
C:\Users\Admin\AppData\Local\Temp\3336988748\backup.exe

Filesize
72KB

MD5
7614422a0aef21d25718b28e7c9377df

SHA1
85a1bfc972ebd7ec42cc114360249d8814b94fe7

SHA256
7690c8163d810b210aa2908e61a70e7d66922c72298451aabc2faa6ca8eaa2c3

SHA512
b93f123513721c4fc8df991a4cd57f767be1283f75db28c7851f8ebd1adf92d5e2004b296b3e886dc63d82a93afdf5ef2524f08cd4f40d578fa9b693784c9040

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7614422a0aef21d25718b28e7c9377df

SHA1
85a1bfc972ebd7ec42cc114360249d8814b94fe7

SHA256
7690c8163d810b210aa2908e61a70e7d66922c72298451aabc2faa6ca8eaa2c3

SHA512
b93f123513721c4fc8df991a4cd57f767be1283f75db28c7851f8ebd1adf92d5e2004b296b3e886dc63d82a93afdf5ef2524f08cd4f40d578fa9b693784c9040

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7614422a0aef21d25718b28e7c9377df

SHA1
85a1bfc972ebd7ec42cc114360249d8814b94fe7

SHA256
7690c8163d810b210aa2908e61a70e7d66922c72298451aabc2faa6ca8eaa2c3

SHA512
b93f123513721c4fc8df991a4cd57f767be1283f75db28c7851f8ebd1adf92d5e2004b296b3e886dc63d82a93afdf5ef2524f08cd4f40d578fa9b693784c9040

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7614422a0aef21d25718b28e7c9377df

SHA1
85a1bfc972ebd7ec42cc114360249d8814b94fe7

SHA256
7690c8163d810b210aa2908e61a70e7d66922c72298451aabc2faa6ca8eaa2c3

SHA512
b93f123513721c4fc8df991a4cd57f767be1283f75db28c7851f8ebd1adf92d5e2004b296b3e886dc63d82a93afdf5ef2524f08cd4f40d578fa9b693784c9040

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7614422a0aef21d25718b28e7c9377df

SHA1
85a1bfc972ebd7ec42cc114360249d8814b94fe7

SHA256
7690c8163d810b210aa2908e61a70e7d66922c72298451aabc2faa6ca8eaa2c3

SHA512
b93f123513721c4fc8df991a4cd57f767be1283f75db28c7851f8ebd1adf92d5e2004b296b3e886dc63d82a93afdf5ef2524f08cd4f40d578fa9b693784c9040

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
065eb8b125130b6df3084b212afc19a5

SHA1
121a8b1bd57ed622ef7e61e50dfcbc0221da511a

SHA256
e7f0de1a82d60285afdf3bdd854d6f0e758c4bb215369c568a68c540068e408d

SHA512
837beddd4ce132129fa71ee06e4420c8fa9d73638a6fa332e2386e8cade7ed6f985e305a76cc08bc5c91f664b712d85f47ec02142e883d93d37f471ce1976d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
065eb8b125130b6df3084b212afc19a5

SHA1
121a8b1bd57ed622ef7e61e50dfcbc0221da511a

SHA256
e7f0de1a82d60285afdf3bdd854d6f0e758c4bb215369c568a68c540068e408d

SHA512
837beddd4ce132129fa71ee06e4420c8fa9d73638a6fa332e2386e8cade7ed6f985e305a76cc08bc5c91f664b712d85f47ec02142e883d93d37f471ce1976d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
7614422a0aef21d25718b28e7c9377df

SHA1
85a1bfc972ebd7ec42cc114360249d8814b94fe7

SHA256
7690c8163d810b210aa2908e61a70e7d66922c72298451aabc2faa6ca8eaa2c3

SHA512
b93f123513721c4fc8df991a4cd57f767be1283f75db28c7851f8ebd1adf92d5e2004b296b3e886dc63d82a93afdf5ef2524f08cd4f40d578fa9b693784c9040

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
7614422a0aef21d25718b28e7c9377df

SHA1
85a1bfc972ebd7ec42cc114360249d8814b94fe7

SHA256
7690c8163d810b210aa2908e61a70e7d66922c72298451aabc2faa6ca8eaa2c3

SHA512
b93f123513721c4fc8df991a4cd57f767be1283f75db28c7851f8ebd1adf92d5e2004b296b3e886dc63d82a93afdf5ef2524f08cd4f40d578fa9b693784c9040

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7614422a0aef21d25718b28e7c9377df

SHA1
85a1bfc972ebd7ec42cc114360249d8814b94fe7

SHA256
7690c8163d810b210aa2908e61a70e7d66922c72298451aabc2faa6ca8eaa2c3

SHA512
b93f123513721c4fc8df991a4cd57f767be1283f75db28c7851f8ebd1adf92d5e2004b296b3e886dc63d82a93afdf5ef2524f08cd4f40d578fa9b693784c9040

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7614422a0aef21d25718b28e7c9377df

SHA1
85a1bfc972ebd7ec42cc114360249d8814b94fe7

SHA256
7690c8163d810b210aa2908e61a70e7d66922c72298451aabc2faa6ca8eaa2c3

SHA512
b93f123513721c4fc8df991a4cd57f767be1283f75db28c7851f8ebd1adf92d5e2004b296b3e886dc63d82a93afdf5ef2524f08cd4f40d578fa9b693784c9040

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
065eb8b125130b6df3084b212afc19a5

SHA1
121a8b1bd57ed622ef7e61e50dfcbc0221da511a

SHA256
e7f0de1a82d60285afdf3bdd854d6f0e758c4bb215369c568a68c540068e408d

SHA512
837beddd4ce132129fa71ee06e4420c8fa9d73638a6fa332e2386e8cade7ed6f985e305a76cc08bc5c91f664b712d85f47ec02142e883d93d37f471ce1976d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
065eb8b125130b6df3084b212afc19a5

SHA1
121a8b1bd57ed622ef7e61e50dfcbc0221da511a

SHA256
e7f0de1a82d60285afdf3bdd854d6f0e758c4bb215369c568a68c540068e408d

SHA512
837beddd4ce132129fa71ee06e4420c8fa9d73638a6fa332e2386e8cade7ed6f985e305a76cc08bc5c91f664b712d85f47ec02142e883d93d37f471ce1976d90

Download Submit
C:\backup.exe

Filesize
72KB

MD5
e7a300da6425d8bfdb6473582bda1405

SHA1
362b0ec298c18e3136d9164ac34bbdb40a5496a3

SHA256
4e1d8cfce71c5ea579731a67abd342de64dd4afd16b333c5da3961ecb80b4922

SHA512
32316f6cc8ba1477a854215963eef33f084468d51bae216dcf2ef5be4165baa74e4f86414063abfc6beb49ad6ff3be3a8cac307304bd82c459a4fecacba871ea

Download Submit
C:\backup.exe

Filesize
72KB

MD5
e7a300da6425d8bfdb6473582bda1405

SHA1
362b0ec298c18e3136d9164ac34bbdb40a5496a3

SHA256
4e1d8cfce71c5ea579731a67abd342de64dd4afd16b333c5da3961ecb80b4922

SHA512
32316f6cc8ba1477a854215963eef33f084468d51bae216dcf2ef5be4165baa74e4f86414063abfc6beb49ad6ff3be3a8cac307304bd82c459a4fecacba871ea

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
9f6eeeb2ceecf19a71d85c4f8b10515c

SHA1
c9fa19767576b2535d524c0ce0883f11aca819c1

SHA256
dac86285b05483c4336a31035b7c9e452a3022c49df1d7870f5c678412f8d641

SHA512
6b58d04ce9586b96d794081d31269de0e6662df1198393b46d3470c480c7c7cd4b630716abf8f5d3d7f87ba0f342c602e57c8ea365585aaeb6eea85f139ff3cd

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
9f6eeeb2ceecf19a71d85c4f8b10515c

SHA1
c9fa19767576b2535d524c0ce0883f11aca819c1

SHA256
dac86285b05483c4336a31035b7c9e452a3022c49df1d7870f5c678412f8d641

SHA512
6b58d04ce9586b96d794081d31269de0e6662df1198393b46d3470c480c7c7cd4b630716abf8f5d3d7f87ba0f342c602e57c8ea365585aaeb6eea85f139ff3cd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads