Analysis
-
max time kernel
150s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
23-11-2022 18:53
General
-
Target
49f3a08d04a4569e9343dfc4939dff12c302523e5d6b8e3f558812d39b18c229.exe
-
Size
72KB
-
MD5
52beb85a368fcddd0a8c3c521c7ec9c0
-
SHA1
9f5d9d1c03495771f5ef47bd4128f6c428de4373
-
SHA256
49f3a08d04a4569e9343dfc4939dff12c302523e5d6b8e3f558812d39b18c229
-
SHA512
6da391e5e805edaf91ee870fff661b38ede84f4dfa0c58369cf5979fc5a8b98f209e0d96ab94b77adef635cc68cbf7346541dcfab53ecdc6cd95ab2d4c01a05d
-
SSDEEP
384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2b:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrX
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
Disables RegEdit via registry modification 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\49f3a08d04a4569e9343dfc4939dff12c302523e5d6b8e3f558812d39b18c229.exe"C:\Users\Admin\AppData\Local\Temp\49f3a08d04a4569e9343dfc4939dff12c302523e5d6b8e3f558812d39b18c229.exe"1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\1799636423\backup.exeC:\Users\Admin\AppData\Local\Temp\1799636423\backup.exe C:\Users\Admin\AppData\Local\Temp\1799636423\2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\data.exe\data.exe \3⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\PerfLogs\backup.exeC:\PerfLogs\backup.exe C:\PerfLogs\4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\PerfLogs\Admin\backup.exeC:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\update.exe"C:\Program Files\update.exe" C:\Program Files\4⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\backup.exe"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\7-Zip\Lang\backup.exe"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\backup.exe"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\backup.exe"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\7⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\data.exe"C:\Program Files\Common Files\Microsoft Shared\ink\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\data.exe"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\System Restore.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\update.exe"C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\8⤵
- Modifies visibility of file extensions in Explorer
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\7⤵
- Drops file in Program Files directory
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\8⤵
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\8⤵
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\8⤵
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\8⤵
-
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
-
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\8⤵
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\7⤵
-
C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\7⤵
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\7⤵
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\7⤵
-
C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\7⤵
-
C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\7⤵
-
C:\Program Files\Common Files\Services\backup.exe"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\6⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\SpeechEngines\backup.exe"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
-
C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
-
C:\Program Files\Common Files\System\backup.exe"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
-
C:\Program Files\Common Files\System\ado\update.exe"C:\Program Files\Common Files\System\ado\update.exe" C:\Program Files\Common Files\System\ado\7⤵
- Drops file in Program Files directory
-
C:\Program Files\Common Files\System\ado\de-DE\backup.exe"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\8⤵
-
C:\Program Files\Common Files\System\ado\en-US\backup.exe"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\8⤵
-
C:\Program Files\Common Files\System\ado\es-ES\backup.exe"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\8⤵
-
C:\Program Files\Common Files\System\ado\fr-FR\backup.exe"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\8⤵
-
C:\Program Files\Common Files\System\ado\it-IT\backup.exe"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\8⤵
-
C:\Program Files\Common Files\System\ado\ja-JP\backup.exe"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\8⤵
-
C:\Program Files\Common Files\System\de-DE\backup.exe"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\7⤵
- Modifies visibility of file extensions in Explorer
-
C:\Program Files\Common Files\System\en-US\backup.exe"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\7⤵
-
C:\Program Files\Common Files\System\es-ES\backup.exe"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\7⤵
-
C:\Program Files\Common Files\System\fr-FR\backup.exe"C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\7⤵
-
C:\Program Files\Common Files\System\it-IT\backup.exe"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\7⤵
-
C:\Program Files\Common Files\System\ja-JP\backup.exe"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\7⤵
-
C:\Program Files\Common Files\System\msadc\backup.exe"C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\7⤵
-
C:\Program Files\DVD Maker\backup.exe"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files\DVD Maker\de-DE\backup.exe"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
-
C:\Program Files\DVD Maker\en-US\backup.exe"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\6⤵
- Modifies visibility of file extensions in Explorer
-
C:\Program Files\DVD Maker\es-ES\backup.exe"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\6⤵
- Modifies visibility of file extensions in Explorer
-
C:\Program Files\DVD Maker\fr-FR\backup.exe"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
-
C:\Program Files\DVD Maker\it-IT\backup.exe"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
-
C:\Program Files\DVD Maker\ja-JP\backup.exe"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\6⤵
-
C:\Program Files\DVD Maker\Shared\backup.exe"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\6⤵
-
C:\Program Files\Google\backup.exe"C:\Program Files\Google\backup.exe" C:\Program Files\Google\5⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- System policy modification
-
C:\Program Files\Google\Chrome\backup.exe"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\Application\backup.exe"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\8⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- System policy modification
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\9⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\9⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\9⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\9⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\9⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\9⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\9⤵
-
C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe"C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\8⤵
-
C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\8⤵
-
C:\Program Files\Internet Explorer\backup.exe"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\5⤵
-
C:\Program Files\Java\backup.exe"C:\Program Files\Java\backup.exe" C:\Program Files\Java\5⤵
-
C:\Program Files\Microsoft Games\backup.exe"C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\5⤵
-
C:\Program Files\Microsoft Office\backup.exe"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\5⤵
-
C:\Program Files\Mozilla Firefox\backup.exe"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\5⤵
-
C:\Program Files\MSBuild\backup.exe"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\5⤵
-
C:\Program Files\Reference Assemblies\backup.exe"C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\5⤵
-
C:\Program Files (x86)\backup.exe"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\4⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
-
C:\Program Files (x86)\Adobe\System Restore.exe"C:\Program Files (x86)\Adobe\System Restore.exe" C:\Program Files (x86)\Adobe\5⤵
- Drops file in Program Files directory
- System policy modification
-
C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- System policy modification
-
C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\7⤵
- Modifies visibility of file extensions in Explorer
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\7⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\data.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\8⤵
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\8⤵
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\8⤵
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\8⤵
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\8⤵
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\8⤵
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\8⤵
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\7⤵
-
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\7⤵
-
C:\Program Files (x86)\Common Files\backup.exe"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\5⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
-
C:\Program Files (x86)\Common Files\Adobe\backup.exe"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\6⤵
-
C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\6⤵
-
C:\Program Files (x86)\Common Files\DESIGNER\backup.exe"C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\6⤵
-
C:\Program Files (x86)\Common Files\microsoft shared\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\6⤵
-
C:\Program Files (x86)\Common Files\Services\backup.exe"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\6⤵
-
C:\Program Files (x86)\Google\System Restore.exe"C:\Program Files (x86)\Google\System Restore.exe" C:\Program Files (x86)\Google\5⤵
-
C:\Program Files (x86)\Internet Explorer\backup.exe"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\5⤵
-
C:\Program Files (x86)\Microsoft Analysis Services\backup.exe"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\5⤵
-
C:\Program Files (x86)\Microsoft Office\update.exe"C:\Program Files (x86)\Microsoft Office\update.exe" C:\Program Files (x86)\Microsoft Office\5⤵
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\5⤵
-
C:\Program Files (x86)\Microsoft Sync Framework\backup.exe"C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\5⤵
-
C:\Users\update.exeC:\Users\update.exe C:\Users\4⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
-
C:\Users\Admin\backup.exeC:\Users\Admin\backup.exe C:\Users\Admin\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
-
C:\Users\Admin\Contacts\backup.exeC:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\6⤵
-
C:\Users\Admin\Desktop\backup.exeC:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\6⤵
-
C:\Users\Admin\Documents\backup.exeC:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\6⤵
- Modifies visibility of file extensions in Explorer
-
C:\Users\Admin\Downloads\backup.exeC:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\6⤵
-
C:\Users\Admin\Favorites\backup.exeC:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\6⤵
-
C:\Users\Admin\Links\backup.exeC:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\6⤵
-
C:\Users\Admin\Music\backup.exeC:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\6⤵
-
C:\Users\Public\backup.exeC:\Users\Public\backup.exe C:\Users\Public\5⤵
-
C:\Windows\backup.exeC:\Windows\backup.exe C:\Windows\4⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Windows directory
-
C:\Windows\addins\backup.exeC:\Windows\addins\backup.exe C:\Windows\addins\5⤵
-
C:\Windows\AppCompat\backup.exeC:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\5⤵
-
C:\Windows\AppPatch\backup.exeC:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\5⤵
-
C:\Windows\assembly\backup.exeC:\Windows\assembly\backup.exe C:\Windows\assembly\5⤵
-
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exe"C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Low\backup.exeC:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exeC:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exeC:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PerfLogs\Admin\backup.exeFilesize
72KB
MD5182338729c397cd276c8118f1266d2e3
SHA11f16a0f2f693d32c5397160b7d306a2437ca15e2
SHA256f74abcf49ada7b8c9a4b59f1cdf858fa6470d1a4980e4b5c79adc9b19c89101f
SHA512fb299a9245657ce94f0101341dd2dee7dedd78019a991a5da8f183d10c5e8653d7323dd13d3b7d4e2531074e62d988ff88353898f82986d7ddde03f0508e4b7d
-
C:\PerfLogs\backup.exeFilesize
72KB
MD5f097eef49956355257435cb374594f9e
SHA13eb2a787c1090bce74016313d26b2729a418dc08
SHA25679df10dd8bcb2b9fd6cee912c8820b84875f93c4559fbf1681afc9bb3926a88b
SHA51240117a201fba9a94bc40fefe495359b5aedaa7b9f9a12a5cd735ce3e6d009a4dcb652e35aeee4e5f02a68547ac01bfe7ec8e3da8ab40f7bd149e1170152d2591
-
C:\PerfLogs\backup.exeFilesize
72KB
MD5f097eef49956355257435cb374594f9e
SHA13eb2a787c1090bce74016313d26b2729a418dc08
SHA25679df10dd8bcb2b9fd6cee912c8820b84875f93c4559fbf1681afc9bb3926a88b
SHA51240117a201fba9a94bc40fefe495359b5aedaa7b9f9a12a5cd735ce3e6d009a4dcb652e35aeee4e5f02a68547ac01bfe7ec8e3da8ab40f7bd149e1170152d2591
-
C:\Program Files\7-Zip\Lang\backup.exeFilesize
72KB
MD5d095ddc8be066f1e6b7f9f5a823fcb44
SHA12e5654b94ee2a7c3b5f4faf7d9e7afa0a9760048
SHA256fe50dc578e147cc4d1943bd3c5a84f0d628716b79c984f8df1b7b6192f50f36f
SHA512353f885d235553c6b619ad42541209e69e950e020f8d283d6512250fb70085ac66d7b748b5a4486a49194a61ff3eb8a7c679515842196212666d9f5d6d92b220
-
C:\Program Files\7-Zip\Lang\backup.exeFilesize
72KB
MD5d095ddc8be066f1e6b7f9f5a823fcb44
SHA12e5654b94ee2a7c3b5f4faf7d9e7afa0a9760048
SHA256fe50dc578e147cc4d1943bd3c5a84f0d628716b79c984f8df1b7b6192f50f36f
SHA512353f885d235553c6b619ad42541209e69e950e020f8d283d6512250fb70085ac66d7b748b5a4486a49194a61ff3eb8a7c679515842196212666d9f5d6d92b220
-
C:\Program Files\7-Zip\backup.exeFilesize
72KB
MD5b3d54a889d3f0fa5234b46f042059f6f
SHA1d1885d0b858b05639b4f0524d01dd7bbca66fe44
SHA2564cb948555bf3bc107247e686bd5562b42dd83c05406ca026b52e3fa598ee882f
SHA5123388ec6e4edb4502587b3b75de67ff8b3e17e21aa970b53c23e17927f1dc206e2f248a7ea13d5ffbc4a89ce56f56724e74ceaad6780ed89c08ec5779334efc7f
-
C:\Program Files\7-Zip\backup.exeFilesize
72KB
MD5b3d54a889d3f0fa5234b46f042059f6f
SHA1d1885d0b858b05639b4f0524d01dd7bbca66fe44
SHA2564cb948555bf3bc107247e686bd5562b42dd83c05406ca026b52e3fa598ee882f
SHA5123388ec6e4edb4502587b3b75de67ff8b3e17e21aa970b53c23e17927f1dc206e2f248a7ea13d5ffbc4a89ce56f56724e74ceaad6780ed89c08ec5779334efc7f
-
C:\Program Files\Common Files\Microsoft Shared\backup.exeFilesize
72KB
MD5d095ddc8be066f1e6b7f9f5a823fcb44
SHA12e5654b94ee2a7c3b5f4faf7d9e7afa0a9760048
SHA256fe50dc578e147cc4d1943bd3c5a84f0d628716b79c984f8df1b7b6192f50f36f
SHA512353f885d235553c6b619ad42541209e69e950e020f8d283d6512250fb70085ac66d7b748b5a4486a49194a61ff3eb8a7c679515842196212666d9f5d6d92b220
-
C:\Program Files\Common Files\Microsoft Shared\backup.exeFilesize
72KB
MD5d095ddc8be066f1e6b7f9f5a823fcb44
SHA12e5654b94ee2a7c3b5f4faf7d9e7afa0a9760048
SHA256fe50dc578e147cc4d1943bd3c5a84f0d628716b79c984f8df1b7b6192f50f36f
SHA512353f885d235553c6b619ad42541209e69e950e020f8d283d6512250fb70085ac66d7b748b5a4486a49194a61ff3eb8a7c679515842196212666d9f5d6d92b220
-
C:\Program Files\Common Files\backup.exeFilesize
72KB
MD5b3d54a889d3f0fa5234b46f042059f6f
SHA1d1885d0b858b05639b4f0524d01dd7bbca66fe44
SHA2564cb948555bf3bc107247e686bd5562b42dd83c05406ca026b52e3fa598ee882f
SHA5123388ec6e4edb4502587b3b75de67ff8b3e17e21aa970b53c23e17927f1dc206e2f248a7ea13d5ffbc4a89ce56f56724e74ceaad6780ed89c08ec5779334efc7f
-
C:\Program Files\Common Files\backup.exeFilesize
72KB
MD5b3d54a889d3f0fa5234b46f042059f6f
SHA1d1885d0b858b05639b4f0524d01dd7bbca66fe44
SHA2564cb948555bf3bc107247e686bd5562b42dd83c05406ca026b52e3fa598ee882f
SHA5123388ec6e4edb4502587b3b75de67ff8b3e17e21aa970b53c23e17927f1dc206e2f248a7ea13d5ffbc4a89ce56f56724e74ceaad6780ed89c08ec5779334efc7f
-
C:\Program Files\update.exeFilesize
72KB
MD5f097eef49956355257435cb374594f9e
SHA13eb2a787c1090bce74016313d26b2729a418dc08
SHA25679df10dd8bcb2b9fd6cee912c8820b84875f93c4559fbf1681afc9bb3926a88b
SHA51240117a201fba9a94bc40fefe495359b5aedaa7b9f9a12a5cd735ce3e6d009a4dcb652e35aeee4e5f02a68547ac01bfe7ec8e3da8ab40f7bd149e1170152d2591
-
C:\Program Files\update.exeFilesize
72KB
MD5f097eef49956355257435cb374594f9e
SHA13eb2a787c1090bce74016313d26b2729a418dc08
SHA25679df10dd8bcb2b9fd6cee912c8820b84875f93c4559fbf1681afc9bb3926a88b
SHA51240117a201fba9a94bc40fefe495359b5aedaa7b9f9a12a5cd735ce3e6d009a4dcb652e35aeee4e5f02a68547ac01bfe7ec8e3da8ab40f7bd149e1170152d2591
-
C:\Users\Admin\AppData\Local\Temp\1799636423\backup.exeFilesize
72KB
MD54542d729b487d15c914c99a87f38159c
SHA177687bb52f3b20441a51dbc27722461c5bbb1108
SHA256feb360758cbeae37d042e85058dd3ec04d1f65cc95ba431f5f6a4685730ecc3a
SHA5127a2813d3d7423db32e5e5763f568a5a59f89269b58712c64822d29a634af334a293831103eb578018d02e9265e46423afe627286662d47cc92bcd488a68c426d
-
C:\Users\Admin\AppData\Local\Temp\1799636423\backup.exeFilesize
72KB
MD54542d729b487d15c914c99a87f38159c
SHA177687bb52f3b20441a51dbc27722461c5bbb1108
SHA256feb360758cbeae37d042e85058dd3ec04d1f65cc95ba431f5f6a4685730ecc3a
SHA5127a2813d3d7423db32e5e5763f568a5a59f89269b58712c64822d29a634af334a293831103eb578018d02e9265e46423afe627286662d47cc92bcd488a68c426d
-
C:\Users\Admin\AppData\Local\Temp\Low\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exeFilesize
72KB
MD54542d729b487d15c914c99a87f38159c
SHA177687bb52f3b20441a51dbc27722461c5bbb1108
SHA256feb360758cbeae37d042e85058dd3ec04d1f65cc95ba431f5f6a4685730ecc3a
SHA5127a2813d3d7423db32e5e5763f568a5a59f89269b58712c64822d29a634af334a293831103eb578018d02e9265e46423afe627286662d47cc92bcd488a68c426d
-
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
C:\data.exeFilesize
72KB
MD5e74276ef22708fed0d8df34420e7d560
SHA1cc9241c8546365324def814bbc2c9ac644f4f11e
SHA256254266b78cda8a887a979d4f95013e484e5c743d48be3560369675faf1d54791
SHA512509366f67c27a8baca7ee329f1c32cc5fbbb4fc01ac7396e92353a87de5dd429e6da30167cd8bdaed60c9eeb9f26d5464f6e5defec72b9adc643554f17b2f17d
-
C:\data.exeFilesize
72KB
MD5e74276ef22708fed0d8df34420e7d560
SHA1cc9241c8546365324def814bbc2c9ac644f4f11e
SHA256254266b78cda8a887a979d4f95013e484e5c743d48be3560369675faf1d54791
SHA512509366f67c27a8baca7ee329f1c32cc5fbbb4fc01ac7396e92353a87de5dd429e6da30167cd8bdaed60c9eeb9f26d5464f6e5defec72b9adc643554f17b2f17d
-
\PerfLogs\Admin\backup.exeFilesize
72KB
MD5182338729c397cd276c8118f1266d2e3
SHA11f16a0f2f693d32c5397160b7d306a2437ca15e2
SHA256f74abcf49ada7b8c9a4b59f1cdf858fa6470d1a4980e4b5c79adc9b19c89101f
SHA512fb299a9245657ce94f0101341dd2dee7dedd78019a991a5da8f183d10c5e8653d7323dd13d3b7d4e2531074e62d988ff88353898f82986d7ddde03f0508e4b7d
-
\PerfLogs\Admin\backup.exeFilesize
72KB
MD5182338729c397cd276c8118f1266d2e3
SHA11f16a0f2f693d32c5397160b7d306a2437ca15e2
SHA256f74abcf49ada7b8c9a4b59f1cdf858fa6470d1a4980e4b5c79adc9b19c89101f
SHA512fb299a9245657ce94f0101341dd2dee7dedd78019a991a5da8f183d10c5e8653d7323dd13d3b7d4e2531074e62d988ff88353898f82986d7ddde03f0508e4b7d
-
\PerfLogs\backup.exeFilesize
72KB
MD5f097eef49956355257435cb374594f9e
SHA13eb2a787c1090bce74016313d26b2729a418dc08
SHA25679df10dd8bcb2b9fd6cee912c8820b84875f93c4559fbf1681afc9bb3926a88b
SHA51240117a201fba9a94bc40fefe495359b5aedaa7b9f9a12a5cd735ce3e6d009a4dcb652e35aeee4e5f02a68547ac01bfe7ec8e3da8ab40f7bd149e1170152d2591
-
\PerfLogs\backup.exeFilesize
72KB
MD5f097eef49956355257435cb374594f9e
SHA13eb2a787c1090bce74016313d26b2729a418dc08
SHA25679df10dd8bcb2b9fd6cee912c8820b84875f93c4559fbf1681afc9bb3926a88b
SHA51240117a201fba9a94bc40fefe495359b5aedaa7b9f9a12a5cd735ce3e6d009a4dcb652e35aeee4e5f02a68547ac01bfe7ec8e3da8ab40f7bd149e1170152d2591
-
\Program Files\7-Zip\Lang\backup.exeFilesize
72KB
MD5d095ddc8be066f1e6b7f9f5a823fcb44
SHA12e5654b94ee2a7c3b5f4faf7d9e7afa0a9760048
SHA256fe50dc578e147cc4d1943bd3c5a84f0d628716b79c984f8df1b7b6192f50f36f
SHA512353f885d235553c6b619ad42541209e69e950e020f8d283d6512250fb70085ac66d7b748b5a4486a49194a61ff3eb8a7c679515842196212666d9f5d6d92b220
-
\Program Files\7-Zip\Lang\backup.exeFilesize
72KB
MD5d095ddc8be066f1e6b7f9f5a823fcb44
SHA12e5654b94ee2a7c3b5f4faf7d9e7afa0a9760048
SHA256fe50dc578e147cc4d1943bd3c5a84f0d628716b79c984f8df1b7b6192f50f36f
SHA512353f885d235553c6b619ad42541209e69e950e020f8d283d6512250fb70085ac66d7b748b5a4486a49194a61ff3eb8a7c679515842196212666d9f5d6d92b220
-
\Program Files\7-Zip\Lang\backup.exeFilesize
72KB
MD5d095ddc8be066f1e6b7f9f5a823fcb44
SHA12e5654b94ee2a7c3b5f4faf7d9e7afa0a9760048
SHA256fe50dc578e147cc4d1943bd3c5a84f0d628716b79c984f8df1b7b6192f50f36f
SHA512353f885d235553c6b619ad42541209e69e950e020f8d283d6512250fb70085ac66d7b748b5a4486a49194a61ff3eb8a7c679515842196212666d9f5d6d92b220
-
\Program Files\7-Zip\Lang\backup.exeFilesize
72KB
MD5d095ddc8be066f1e6b7f9f5a823fcb44
SHA12e5654b94ee2a7c3b5f4faf7d9e7afa0a9760048
SHA256fe50dc578e147cc4d1943bd3c5a84f0d628716b79c984f8df1b7b6192f50f36f
SHA512353f885d235553c6b619ad42541209e69e950e020f8d283d6512250fb70085ac66d7b748b5a4486a49194a61ff3eb8a7c679515842196212666d9f5d6d92b220
-
\Program Files\7-Zip\Lang\backup.exeFilesize
72KB
MD5d095ddc8be066f1e6b7f9f5a823fcb44
SHA12e5654b94ee2a7c3b5f4faf7d9e7afa0a9760048
SHA256fe50dc578e147cc4d1943bd3c5a84f0d628716b79c984f8df1b7b6192f50f36f
SHA512353f885d235553c6b619ad42541209e69e950e020f8d283d6512250fb70085ac66d7b748b5a4486a49194a61ff3eb8a7c679515842196212666d9f5d6d92b220
-
\Program Files\7-Zip\backup.exeFilesize
72KB
MD5b3d54a889d3f0fa5234b46f042059f6f
SHA1d1885d0b858b05639b4f0524d01dd7bbca66fe44
SHA2564cb948555bf3bc107247e686bd5562b42dd83c05406ca026b52e3fa598ee882f
SHA5123388ec6e4edb4502587b3b75de67ff8b3e17e21aa970b53c23e17927f1dc206e2f248a7ea13d5ffbc4a89ce56f56724e74ceaad6780ed89c08ec5779334efc7f
-
\Program Files\7-Zip\backup.exeFilesize
72KB
MD5b3d54a889d3f0fa5234b46f042059f6f
SHA1d1885d0b858b05639b4f0524d01dd7bbca66fe44
SHA2564cb948555bf3bc107247e686bd5562b42dd83c05406ca026b52e3fa598ee882f
SHA5123388ec6e4edb4502587b3b75de67ff8b3e17e21aa970b53c23e17927f1dc206e2f248a7ea13d5ffbc4a89ce56f56724e74ceaad6780ed89c08ec5779334efc7f
-
\Program Files\7-Zip\backup.exeFilesize
72KB
MD5b3d54a889d3f0fa5234b46f042059f6f
SHA1d1885d0b858b05639b4f0524d01dd7bbca66fe44
SHA2564cb948555bf3bc107247e686bd5562b42dd83c05406ca026b52e3fa598ee882f
SHA5123388ec6e4edb4502587b3b75de67ff8b3e17e21aa970b53c23e17927f1dc206e2f248a7ea13d5ffbc4a89ce56f56724e74ceaad6780ed89c08ec5779334efc7f
-
\Program Files\7-Zip\backup.exeFilesize
72KB
MD5b3d54a889d3f0fa5234b46f042059f6f
SHA1d1885d0b858b05639b4f0524d01dd7bbca66fe44
SHA2564cb948555bf3bc107247e686bd5562b42dd83c05406ca026b52e3fa598ee882f
SHA5123388ec6e4edb4502587b3b75de67ff8b3e17e21aa970b53c23e17927f1dc206e2f248a7ea13d5ffbc4a89ce56f56724e74ceaad6780ed89c08ec5779334efc7f
-
\Program Files\7-Zip\backup.exeFilesize
72KB
MD5b3d54a889d3f0fa5234b46f042059f6f
SHA1d1885d0b858b05639b4f0524d01dd7bbca66fe44
SHA2564cb948555bf3bc107247e686bd5562b42dd83c05406ca026b52e3fa598ee882f
SHA5123388ec6e4edb4502587b3b75de67ff8b3e17e21aa970b53c23e17927f1dc206e2f248a7ea13d5ffbc4a89ce56f56724e74ceaad6780ed89c08ec5779334efc7f
-
\Program Files\Common Files\Microsoft Shared\backup.exeFilesize
72KB
MD5d095ddc8be066f1e6b7f9f5a823fcb44
SHA12e5654b94ee2a7c3b5f4faf7d9e7afa0a9760048
SHA256fe50dc578e147cc4d1943bd3c5a84f0d628716b79c984f8df1b7b6192f50f36f
SHA512353f885d235553c6b619ad42541209e69e950e020f8d283d6512250fb70085ac66d7b748b5a4486a49194a61ff3eb8a7c679515842196212666d9f5d6d92b220
-
\Program Files\Common Files\Microsoft Shared\backup.exeFilesize
72KB
MD5d095ddc8be066f1e6b7f9f5a823fcb44
SHA12e5654b94ee2a7c3b5f4faf7d9e7afa0a9760048
SHA256fe50dc578e147cc4d1943bd3c5a84f0d628716b79c984f8df1b7b6192f50f36f
SHA512353f885d235553c6b619ad42541209e69e950e020f8d283d6512250fb70085ac66d7b748b5a4486a49194a61ff3eb8a7c679515842196212666d9f5d6d92b220
-
\Program Files\Common Files\Microsoft Shared\backup.exeFilesize
72KB
MD5d095ddc8be066f1e6b7f9f5a823fcb44
SHA12e5654b94ee2a7c3b5f4faf7d9e7afa0a9760048
SHA256fe50dc578e147cc4d1943bd3c5a84f0d628716b79c984f8df1b7b6192f50f36f
SHA512353f885d235553c6b619ad42541209e69e950e020f8d283d6512250fb70085ac66d7b748b5a4486a49194a61ff3eb8a7c679515842196212666d9f5d6d92b220
-
\Program Files\Common Files\Microsoft Shared\backup.exeFilesize
72KB
MD5d095ddc8be066f1e6b7f9f5a823fcb44
SHA12e5654b94ee2a7c3b5f4faf7d9e7afa0a9760048
SHA256fe50dc578e147cc4d1943bd3c5a84f0d628716b79c984f8df1b7b6192f50f36f
SHA512353f885d235553c6b619ad42541209e69e950e020f8d283d6512250fb70085ac66d7b748b5a4486a49194a61ff3eb8a7c679515842196212666d9f5d6d92b220
-
\Program Files\Common Files\backup.exeFilesize
72KB
MD5b3d54a889d3f0fa5234b46f042059f6f
SHA1d1885d0b858b05639b4f0524d01dd7bbca66fe44
SHA2564cb948555bf3bc107247e686bd5562b42dd83c05406ca026b52e3fa598ee882f
SHA5123388ec6e4edb4502587b3b75de67ff8b3e17e21aa970b53c23e17927f1dc206e2f248a7ea13d5ffbc4a89ce56f56724e74ceaad6780ed89c08ec5779334efc7f
-
\Program Files\Common Files\backup.exeFilesize
72KB
MD5b3d54a889d3f0fa5234b46f042059f6f
SHA1d1885d0b858b05639b4f0524d01dd7bbca66fe44
SHA2564cb948555bf3bc107247e686bd5562b42dd83c05406ca026b52e3fa598ee882f
SHA5123388ec6e4edb4502587b3b75de67ff8b3e17e21aa970b53c23e17927f1dc206e2f248a7ea13d5ffbc4a89ce56f56724e74ceaad6780ed89c08ec5779334efc7f
-
\Program Files\Common Files\backup.exeFilesize
72KB
MD5b3d54a889d3f0fa5234b46f042059f6f
SHA1d1885d0b858b05639b4f0524d01dd7bbca66fe44
SHA2564cb948555bf3bc107247e686bd5562b42dd83c05406ca026b52e3fa598ee882f
SHA5123388ec6e4edb4502587b3b75de67ff8b3e17e21aa970b53c23e17927f1dc206e2f248a7ea13d5ffbc4a89ce56f56724e74ceaad6780ed89c08ec5779334efc7f
-
\Program Files\Common Files\backup.exeFilesize
72KB
MD5b3d54a889d3f0fa5234b46f042059f6f
SHA1d1885d0b858b05639b4f0524d01dd7bbca66fe44
SHA2564cb948555bf3bc107247e686bd5562b42dd83c05406ca026b52e3fa598ee882f
SHA5123388ec6e4edb4502587b3b75de67ff8b3e17e21aa970b53c23e17927f1dc206e2f248a7ea13d5ffbc4a89ce56f56724e74ceaad6780ed89c08ec5779334efc7f
-
\Program Files\Common Files\backup.exeFilesize
72KB
MD5b3d54a889d3f0fa5234b46f042059f6f
SHA1d1885d0b858b05639b4f0524d01dd7bbca66fe44
SHA2564cb948555bf3bc107247e686bd5562b42dd83c05406ca026b52e3fa598ee882f
SHA5123388ec6e4edb4502587b3b75de67ff8b3e17e21aa970b53c23e17927f1dc206e2f248a7ea13d5ffbc4a89ce56f56724e74ceaad6780ed89c08ec5779334efc7f
-
\Program Files\update.exeFilesize
72KB
MD5f097eef49956355257435cb374594f9e
SHA13eb2a787c1090bce74016313d26b2729a418dc08
SHA25679df10dd8bcb2b9fd6cee912c8820b84875f93c4559fbf1681afc9bb3926a88b
SHA51240117a201fba9a94bc40fefe495359b5aedaa7b9f9a12a5cd735ce3e6d009a4dcb652e35aeee4e5f02a68547ac01bfe7ec8e3da8ab40f7bd149e1170152d2591
-
\Program Files\update.exeFilesize
72KB
MD5f097eef49956355257435cb374594f9e
SHA13eb2a787c1090bce74016313d26b2729a418dc08
SHA25679df10dd8bcb2b9fd6cee912c8820b84875f93c4559fbf1681afc9bb3926a88b
SHA51240117a201fba9a94bc40fefe495359b5aedaa7b9f9a12a5cd735ce3e6d009a4dcb652e35aeee4e5f02a68547ac01bfe7ec8e3da8ab40f7bd149e1170152d2591
-
\Program Files\update.exeFilesize
72KB
MD5f097eef49956355257435cb374594f9e
SHA13eb2a787c1090bce74016313d26b2729a418dc08
SHA25679df10dd8bcb2b9fd6cee912c8820b84875f93c4559fbf1681afc9bb3926a88b
SHA51240117a201fba9a94bc40fefe495359b5aedaa7b9f9a12a5cd735ce3e6d009a4dcb652e35aeee4e5f02a68547ac01bfe7ec8e3da8ab40f7bd149e1170152d2591
-
\Program Files\update.exeFilesize
72KB
MD5f097eef49956355257435cb374594f9e
SHA13eb2a787c1090bce74016313d26b2729a418dc08
SHA25679df10dd8bcb2b9fd6cee912c8820b84875f93c4559fbf1681afc9bb3926a88b
SHA51240117a201fba9a94bc40fefe495359b5aedaa7b9f9a12a5cd735ce3e6d009a4dcb652e35aeee4e5f02a68547ac01bfe7ec8e3da8ab40f7bd149e1170152d2591
-
\Users\Admin\AppData\Local\Temp\1799636423\backup.exeFilesize
72KB
MD54542d729b487d15c914c99a87f38159c
SHA177687bb52f3b20441a51dbc27722461c5bbb1108
SHA256feb360758cbeae37d042e85058dd3ec04d1f65cc95ba431f5f6a4685730ecc3a
SHA5127a2813d3d7423db32e5e5763f568a5a59f89269b58712c64822d29a634af334a293831103eb578018d02e9265e46423afe627286662d47cc92bcd488a68c426d
-
\Users\Admin\AppData\Local\Temp\1799636423\backup.exeFilesize
72KB
MD54542d729b487d15c914c99a87f38159c
SHA177687bb52f3b20441a51dbc27722461c5bbb1108
SHA256feb360758cbeae37d042e85058dd3ec04d1f65cc95ba431f5f6a4685730ecc3a
SHA5127a2813d3d7423db32e5e5763f568a5a59f89269b58712c64822d29a634af334a293831103eb578018d02e9265e46423afe627286662d47cc92bcd488a68c426d
-
\Users\Admin\AppData\Local\Temp\Low\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
\Users\Admin\AppData\Local\Temp\Low\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exeFilesize
72KB
MD54542d729b487d15c914c99a87f38159c
SHA177687bb52f3b20441a51dbc27722461c5bbb1108
SHA256feb360758cbeae37d042e85058dd3ec04d1f65cc95ba431f5f6a4685730ecc3a
SHA5127a2813d3d7423db32e5e5763f568a5a59f89269b58712c64822d29a634af334a293831103eb578018d02e9265e46423afe627286662d47cc92bcd488a68c426d
-
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exeFilesize
72KB
MD54542d729b487d15c914c99a87f38159c
SHA177687bb52f3b20441a51dbc27722461c5bbb1108
SHA256feb360758cbeae37d042e85058dd3ec04d1f65cc95ba431f5f6a4685730ecc3a
SHA5127a2813d3d7423db32e5e5763f568a5a59f89269b58712c64822d29a634af334a293831103eb578018d02e9265e46423afe627286662d47cc92bcd488a68c426d
-
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exeFilesize
72KB
MD5fad8b0c88e12eb4b4a91490e55e070e0
SHA124b28b4441d74c51f976a964beaba71f8c80bd1d
SHA2560a72504c47f7b9ea0ae5027de14007d591e1d6100da686eb741a58befdd35392
SHA5122ae33d5857ef4045852164165be43ba6d4e1e932ca41907692cd7f0b9c70f6e7755d392fb035da1e0856a0f797d8f8a2925afbbd0a616fda5515946de8a7ba7a
-
memory/328-142-0x0000000000000000-mapping.dmp
-
memory/432-296-0x0000000000000000-mapping.dmp
-
memory/460-184-0x0000000000000000-mapping.dmp
-
memory/520-94-0x0000000000000000-mapping.dmp
-
memory/552-292-0x0000000000000000-mapping.dmp
-
memory/584-188-0x0000000000000000-mapping.dmp
-
memory/600-224-0x0000000000000000-mapping.dmp
-
memory/628-164-0x0000000000000000-mapping.dmp
-
memory/664-280-0x0000000000000000-mapping.dmp
-
memory/680-276-0x0000000000000000-mapping.dmp
-
memory/760-82-0x0000000000000000-mapping.dmp
-
memory/760-196-0x0000000000000000-mapping.dmp
-
memory/792-200-0x0000000000000000-mapping.dmp
-
memory/824-131-0x0000000000000000-mapping.dmp
-
memory/844-356-0x0000000000000000-mapping.dmp
-
memory/864-76-0x0000000000000000-mapping.dmp
-
memory/900-256-0x0000000000000000-mapping.dmp
-
memory/928-216-0x0000000000000000-mapping.dmp
-
memory/932-114-0x0000000000000000-mapping.dmp
-
memory/932-312-0x0000000000000000-mapping.dmp
-
memory/944-98-0x0000000076411000-0x0000000076413000-memory.dmpFilesize
8KB
-
memory/944-128-0x0000000074BB1000-0x0000000074BB3000-memory.dmpFilesize
8KB
-
memory/1048-248-0x0000000000000000-mapping.dmp
-
memory/1080-340-0x0000000000000000-mapping.dmp
-
memory/1176-360-0x0000000000000000-mapping.dmp
-
memory/1180-70-0x0000000000000000-mapping.dmp
-
memory/1196-107-0x0000000000000000-mapping.dmp
-
memory/1200-88-0x0000000000000000-mapping.dmp
-
memory/1236-324-0x0000000000000000-mapping.dmp
-
memory/1244-288-0x0000000000000000-mapping.dmp
-
memory/1280-180-0x0000000000000000-mapping.dmp
-
memory/1352-304-0x0000000000000000-mapping.dmp
-
memory/1408-320-0x0000000000000000-mapping.dmp
-
memory/1432-232-0x0000000000000000-mapping.dmp
-
memory/1440-204-0x0000000000000000-mapping.dmp
-
memory/1476-192-0x0000000000000000-mapping.dmp
-
memory/1500-284-0x0000000000000000-mapping.dmp
-
memory/1512-236-0x0000000000000000-mapping.dmp
-
memory/1536-100-0x0000000000000000-mapping.dmp
-
memory/1548-332-0x0000000000000000-mapping.dmp
-
memory/1568-300-0x0000000000000000-mapping.dmp
-
memory/1596-119-0x0000000000000000-mapping.dmp
-
memory/1620-228-0x0000000000000000-mapping.dmp
-
memory/1644-268-0x0000000000000000-mapping.dmp
-
memory/1644-172-0x0000000000000000-mapping.dmp
-
memory/1660-344-0x0000000000000000-mapping.dmp
-
memory/1728-244-0x0000000000000000-mapping.dmp
-
memory/1736-348-0x0000000000000000-mapping.dmp
-
memory/1740-176-0x0000000000000000-mapping.dmp
-
memory/1752-264-0x0000000000000000-mapping.dmp
-
memory/1768-153-0x0000000000000000-mapping.dmp
-
memory/1788-260-0x0000000000000000-mapping.dmp
-
memory/1868-212-0x0000000000000000-mapping.dmp
-
memory/1872-316-0x0000000000000000-mapping.dmp
-
memory/1952-240-0x0000000000000000-mapping.dmp
-
memory/1964-220-0x0000000000000000-mapping.dmp
-
memory/1968-308-0x0000000000000000-mapping.dmp
-
memory/1976-328-0x0000000000000000-mapping.dmp
-
memory/1988-336-0x0000000000000000-mapping.dmp
-
memory/1992-208-0x0000000000000000-mapping.dmp
-
memory/1996-252-0x0000000000000000-mapping.dmp
-
memory/2004-361-0x0000000000000000-mapping.dmp
-
memory/2012-352-0x0000000000000000-mapping.dmp
-
memory/2040-58-0x0000000000000000-mapping.dmp
-
memory/2044-272-0x0000000000000000-mapping.dmp
-
memory/2044-64-0x0000000000000000-mapping.dmp