Analysis
-
max time kernel
152s -
max time network
35s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system -
submitted
29/11/2022, 13:54
Static task
static1
Behavioral task
behavioral1
Sample
aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe
Resource
win10v2004-20221111-en
General
-
Target
aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe
-
Size
72KB
-
MD5
330cd0826e5c477bb952ac637e605a00
-
SHA1
f5bae314b8380c1e1cd307e542785f62c1d8755c
-
SHA256
aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf
-
SHA512
3b48c0386bcb517fdafb28804ba3f291a0bcddf9c5917a0e697add28cd25a84793ee68ff063a2af04b07d6ad0433c2dc83775bf420067666148a241d26d59aff
-
SSDEEP
384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2Q:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrs
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 58 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" System Restore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe -
Disables RegEdit via registry modification 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 
"1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" data.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe -
Executes dropped EXE 64 IoCs
pid Process 1256 backup.exe 1920 backup.exe 788 backup.exe 892 backup.exe 1304 backup.exe 1728 backup.exe 1960 backup.exe 384 backup.exe 1536 backup.exe 548 backup.exe 1516 backup.exe 1980 backup.exe 1224 backup.exe 1076 backup.exe 1204 backup.exe 1684 backup.exe 1396 backup.exe 1744 backup.exe 1216 data.exe 848 backup.exe 1464 backup.exe 556 backup.exe 1264 backup.exe 752 backup.exe 1788 backup.exe 1672 backup.exe 992 backup.exe 1724 data.exe 1580 backup.exe 616 backup.exe 1888 backup.exe 1312 backup.exe 292 backup.exe 1116 backup.exe 1864 System Restore.exe 976 update.exe 784 backup.exe 1156 backup.exe 1664 backup.exe 1832 backup.exe 972 backup.exe 2004 backup.exe 2024 backup.exe 1600 backup.exe 1748 backup.exe 1916 backup.exe 1196 backup.exe 572 backup.exe 1816 backup.exe 396 backup.exe 1508 backup.exe 744 backup.exe 1780 backup.exe 316 backup.exe 1788 backup.exe 1312 backup.exe 528 backup.exe 384 backup.exe 1868 backup.exe 2000 backup.exe 1116 backup.exe 672 backup.exe 784 backup.exe 560 backup.exe -
Loads dropped DLL 64 IoCs
pid Process 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 788 backup.exe 788 backup.exe 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 788 backup.exe 788 backup.exe 1304 backup.exe 1304 backup.exe 788 backup.exe 788 backup.exe 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 1960 backup.exe 1960 backup.exe 1536 backup.exe 1536 backup.exe 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 1516 backup.exe 1516 backup.exe 1980 backup.exe 1980 backup.exe 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 1960 backup.exe 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 1960 backup.exe 1204 backup.exe 1204 backup.exe 1396 backup.exe 1204 backup.exe 1204 backup.exe 1396 backup.exe 848 backup.exe 848 backup.exe 1216 data.exe 1216 data.exe 1216 data.exe 848 backup.exe 1216 data.exe 848 backup.exe 1264 backup.exe 1264 backup.exe 1216 data.exe 1216 data.exe 1264 backup.exe 1264 backup.exe 1216 data.exe 1216 data.exe 1264 backup.exe 1264 backup.exe 1264 backup.exe 1724 data.exe 1724 data.exe 1264 backup.exe 1264 backup.exe 1264 backup.exe 1264 backup.exe 1216 data.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Google\backup.exe backup.exe File opened for modification C:\Program Files\7-Zip\Lang\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe data.exe File opened for modification C:\Program Files\Common Files\SpeechEngines\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\System Restore.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\de-DE\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\en-US\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe data.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe data.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe System Restore.exe File opened for 
modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe data.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe data.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\System Restore.exe data.exe File opened for modification C:\Program Files\Common Files\System\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\es-ES\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe backup.exe File opened for 
modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe data.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe data.exe File opened for modification C:\Program Files\Internet Explorer\backup.exe backup.exe File opened for modification C:\Program Files\Java\update.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe data.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe backup.exe File opened for modification C:\Program Files\backup.exe backup.exe File opened for modification C:\Program Files (x86)\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe data.exe File opened for modification C:\Program Files\Common Files\Services\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe backup.exe File opened for 
modification C:\Program Files\Common Files\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\data.exe data.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe backup.exe File opened for modification C:\Program Files\Google\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe backup.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\backup.exe backup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 1256 backup.exe 1920 backup.exe 788 backup.exe 892 backup.exe 1304 backup.exe 1728 backup.exe 1960 backup.exe 384 backup.exe 1536 backup.exe 548 backup.exe 1516 backup.exe 1980 backup.exe 1224 backup.exe 1076 backup.exe 1204 backup.exe 1684 backup.exe 1396 backup.exe 1744 backup.exe 1216 data.exe 848 backup.exe 1464 backup.exe 556 backup.exe 752 backup.exe 1264 backup.exe 1788 backup.exe 1672 backup.exe 992 backup.exe 1724 data.exe 1580 backup.exe 616 backup.exe 1888 backup.exe 1312 backup.exe 1116 backup.exe 292 backup.exe 1864 System Restore.exe 784 backup.exe 1156 backup.exe 1664 backup.exe 1832 backup.exe 972 backup.exe 2004 backup.exe 976 update.exe 2024 backup.exe 1600 backup.exe 1748 backup.exe 1916 backup.exe 1196 backup.exe 1816 backup.exe 572 backup.exe 1788 backup.exe 744 backup.exe 316 backup.exe 1508 backup.exe 1780 backup.exe 396 backup.exe 528 backup.exe 1312 backup.exe 384 backup.exe 2000 backup.exe 1868 backup.exe 560 backup.exe 784 backup.exe 1864 backup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1188 wrote to memory of 1256 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 28 PID 1188 wrote to memory of 1256 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 28 PID 1188 wrote to memory of 1256 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 28 PID 1188 wrote to memory of 1256 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 28 PID 1188 wrote to memory of 1920 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 29 PID 1188 wrote to memory of 1920 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 29 PID 1188 wrote to memory of 1920 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 29 PID 1188 wrote to memory of 1920 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 29 PID 1256 wrote to memory of 788 1256 backup.exe 30 PID 1256 wrote to memory of 788 1256 backup.exe 30 PID 1256 wrote to memory of 788 1256 backup.exe 30 PID 1256 wrote to memory of 788 1256 backup.exe 30 PID 1188 wrote to memory of 892 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 31 PID 1188 wrote to memory of 892 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 31 PID 1188 wrote to memory of 892 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 31 PID 1188 wrote to memory of 892 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 31 PID 788 wrote to memory of 1304 788 backup.exe 32 PID 788 wrote to memory of 1304 788 backup.exe 32 PID 788 wrote to memory of 1304 788 backup.exe 32 PID 788 wrote to memory of 1304 788 backup.exe 32 PID 1188 wrote to memory of 1728 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 33 PID 1188 wrote to memory of 1728 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 33 PID 1188 wrote to 
memory of 1728 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 33 PID 1188 wrote to memory of 1728 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 33 PID 788 wrote to memory of 1960 788 backup.exe 34 PID 788 wrote to memory of 1960 788 backup.exe 34 PID 788 wrote to memory of 1960 788 backup.exe 34 PID 788 wrote to memory of 1960 788 backup.exe 34 PID 1304 wrote to memory of 384 1304 backup.exe 35 PID 1304 wrote to memory of 384 1304 backup.exe 35 PID 1304 wrote to memory of 384 1304 backup.exe 35 PID 1304 wrote to memory of 384 1304 backup.exe 35 PID 788 wrote to memory of 1536 788 backup.exe 36 PID 788 wrote to memory of 1536 788 backup.exe 36 PID 788 wrote to memory of 1536 788 backup.exe 36 PID 788 wrote to memory of 1536 788 backup.exe 36 PID 1188 wrote to memory of 548 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 37 PID 1188 wrote to memory of 548 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 37 PID 1188 wrote to memory of 548 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 37 PID 1188 wrote to memory of 548 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 37 PID 1960 wrote to memory of 1516 1960 backup.exe 38 PID 1960 wrote to memory of 1516 1960 backup.exe 38 PID 1960 wrote to memory of 1516 1960 backup.exe 38 PID 1960 wrote to memory of 1516 1960 backup.exe 38 PID 1536 wrote to memory of 1980 1536 backup.exe 39 PID 1536 wrote to memory of 1980 1536 backup.exe 39 PID 1536 wrote to memory of 1980 1536 backup.exe 39 PID 1536 wrote to memory of 1980 1536 backup.exe 39 PID 1188 wrote to memory of 1224 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 40 PID 1188 wrote to memory of 1224 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 40 PID 1188 wrote to memory of 1224 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 40 PID 1188 
wrote to memory of 1224 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 40 PID 1516 wrote to memory of 1076 1516 backup.exe 41 PID 1516 wrote to memory of 1076 1516 backup.exe 41 PID 1516 wrote to memory of 1076 1516 backup.exe 41 PID 1516 wrote to memory of 1076 1516 backup.exe 41 PID 1980 wrote to memory of 1204 1980 backup.exe 42 PID 1980 wrote to memory of 1204 1980 backup.exe 42 PID 1980 wrote to memory of 1204 1980 backup.exe 42 PID 1980 wrote to memory of 1204 1980 backup.exe 42 PID 1188 wrote to memory of 1684 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 43 PID 1188 wrote to memory of 1684 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 43 PID 1188 wrote to memory of 1684 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 43 PID 1188 wrote to memory of 1684 1188 aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe 43 -
System policy modification 1 TTPs 64 IoCs — reviewer note: the writes below target HKLM (\REGISTRY\MACHINE\...\Policies\Explorer\NoFolderOptions = 1 and \Policies\System\DisableRegistryTools = 1), which are machine-wide policies and normally require administrative rights to set; that they succeeded suggests the sample ran elevated in this sandbox. On a real host these values hide the Folder Options dialog and block regedit for all users, so remediation should include reverting both values (they are also set by the data.exe and "System Restore.exe" copies, not only backup.exe).
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" System Restore.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System data.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key 
created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" data.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Processes — reviewer note: the tree below shows a self-replicating pattern: each process is launched as `<directory>\backup.exe <directory>\`, enumerates the directory passed as its argument, drops a copy of itself into each subdirectory and launches that copy with the subdirectory as its argument (the root copy at C:\backup.exe fans out into PerfLogs, Program Files and Program Files (x86)). The dropped file name is usually backup.exe but also appears as data.exe, update.exe and "System Restore.exe", so detection and cleanup should key on the file hash rather than the name. The tree as shown is truncated by the sandbox run length, so the set of directories listed here is a lower bound, not the full infection footprint.
-
C:\Users\Admin\AppData\Local\Temp\aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe"C:\Users\Admin\AppData\Local\Temp\aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Users\Admin\AppData\Local\Temp\1454186580\backup.exeC:\Users\Admin\AppData\Local\Temp\1454186580\backup.exe C:\Users\Admin\AppData\Local\Temp\1454186580\2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1256 -
C:\backup.exe\backup.exe \3⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:788 -
C:\PerfLogs\backup.exeC:\PerfLogs\backup.exe C:\PerfLogs\4⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1304 -
C:\PerfLogs\Admin\backup.exeC:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:384
-
-
-
C:\Program Files\backup.exe"C:\Program Files\backup.exe" C:\Program Files\4⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1960 -
C:\Program Files\7-Zip\backup.exe"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1516 -
C:\Program Files\7-Zip\Lang\backup.exe"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1076
-
-
-
C:\Program Files\Common Files\backup.exe"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1396 -
C:\Program Files\Common Files\Microsoft Shared\backup.exe"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:848 -
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1464
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1264 -
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1788
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:992
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1580
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:616
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1312
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1116
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:976
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:572
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:528
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:784
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\8⤵PID:1596
-
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:744 -
C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\8⤵
- Suspicious use of SetWindowsHookEx
PID:1864
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\8⤵PID:1708
-
-
-
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\7⤵PID:900
-
-
-
C:\Program Files\Common Files\Services\backup.exe"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1788
-
-
C:\Program Files\Common Files\SpeechEngines\backup.exe"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1868
-
-
C:\Program Files\Common Files\System\backup.exe"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\6⤵PID:792
-
-
-
C:\Program Files\DVD Maker\backup.exe"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1816 -
C:\Program Files\DVD Maker\de-DE\backup.exe"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1312
-
-
C:\Program Files\DVD Maker\en-US\backup.exe"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2000
-
-
C:\Program Files\DVD Maker\es-ES\backup.exe"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\6⤵PID:2024
-
-
-
C:\Program Files\Google\backup.exe"C:\Program Files\Google\backup.exe" C:\Program Files\Google\5⤵PID:1592
-
-
C:\Program Files\Internet Explorer\backup.exe"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\5⤵PID:1992
-
-
-
C:\Program Files (x86)\backup.exe"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\4⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1536 -
C:\Program Files (x86)\Adobe\backup.exe"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1204 -
C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1744
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1216 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:556
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:752
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1672
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\data.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1724 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1888
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:292
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\System Restore.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1864 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:784
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1156
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1664 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1832 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\10⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:972
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2004 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\10⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2024 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\11⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1600
-
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1748 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\10⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1916
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1196 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\10⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:384
-
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1780 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\9⤵
- Executes dropped EXE
PID:672
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ 8⤵ PID:1632
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ 7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:396 -
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ 8⤵ PID:1688
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\update.exe "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\ 8⤵ PID:1820
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\ 7⤵ PID:2012
-
-
-
-
C:\Program Files (x86)\Common Files\backup.exe "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\ 5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1508 -
C:\Program Files (x86)\Common Files\Adobe\backup.exe "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ 6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:560
-
-
C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\ 6⤵ PID:1600
-
-
-
C:\Program Files (x86)\Google\backup.exe "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\ 5⤵ PID:1580
-
-
-
C:\Users\backup.exe C:\Users\backup.exe C:\Users\ 4⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:316 -
C:\Users\Admin\backup.exe C:\Users\Admin\backup.exe C:\Users\Admin\ 5⤵
- Executes dropped EXE
PID:1116
-
-
C:\Users\Public\backup.exe C:\Users\Public\backup.exe C:\Users\Public\ 5⤵ PID:1368
-
-
-
C:\Windows\backup.exe C:\Windows\backup.exe C:\Windows\ 4⤵ PID:1120
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\ 2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1920
-
-
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\ 2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:892
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\ 2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1728
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\ 2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:548
-
-
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\ 2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1224
-
-
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\ 2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1684
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
72KB
MD51d045950018baca408a1662da64c74ef
SHA1b70f0861faaef0f93105acb8380a14faae545628
SHA2565be2a920097a40f83f70925522a5870978fcc9731958979f2b3f5cd15d28fa0e
SHA512435f92145837852d5ad1ca22ce933dba847e5a47b958c0018184f89590e84c4cbc905bc11cca02e6b310104766d8ca8e1c62c6dcdc435c561802bf0ef396f520
-
Filesize
72KB
MD56e443f3bbc74c28bfe4bb6bdfa7ee6d8
SHA1fb39d8783f9cb03d09baf1f087737538778feebc
SHA256ca1d120c6d1d211d3cec4c45900a696c1cb7895950097ed2e1d4584812e6ebc7
SHA5120ad0eb03b00d7ed5564cc09886ed2ea9914c7ce2d184382a91d139e8d188e70942d3e90aa2293676ee3a936a1ef31014612e679240557bf38af49f4754406816
-
Filesize
72KB
MD56e443f3bbc74c28bfe4bb6bdfa7ee6d8
SHA1fb39d8783f9cb03d09baf1f087737538778feebc
SHA256ca1d120c6d1d211d3cec4c45900a696c1cb7895950097ed2e1d4584812e6ebc7
SHA5120ad0eb03b00d7ed5564cc09886ed2ea9914c7ce2d184382a91d139e8d188e70942d3e90aa2293676ee3a936a1ef31014612e679240557bf38af49f4754406816
-
Filesize
72KB
MD5a03a381cbbacc7457e484288d0e8faa1
SHA15cf7fbf110cf192b6d798a6b32ba6551dc178c25
SHA256001a1450add82faa1d318dca37ec7fde708e772171619a8147d6c90828564286
SHA512461286c7e54c9c556e9dee5fd73da2f4474f9a1a20d9528342f6b0fef300df4f9edf17a964d7ed22e6eae24d249ea2df81f6283d4eeb966ab1f3df83f1cf3777
-
Filesize
72KB
MD58ce1ffbb684df67298a098644ba47ce6
SHA119ccdbf911ba71fdaf6888fb51142e00cbdbd0e6
SHA256dda67fcb0411b1bb80cbfdf018d763023ce6cc75957012c779120b1dcbe76659
SHA5122272b11641da03fc62a6805edbae1976c7be9662275e11c55999180e6aeb78c745a1e1533b3e59481f1fe5991fb87d056f9177d707e27e550c927e64e5525400
-
Filesize
72KB
MD58ce1ffbb684df67298a098644ba47ce6
SHA119ccdbf911ba71fdaf6888fb51142e00cbdbd0e6
SHA256dda67fcb0411b1bb80cbfdf018d763023ce6cc75957012c779120b1dcbe76659
SHA5122272b11641da03fc62a6805edbae1976c7be9662275e11c55999180e6aeb78c745a1e1533b3e59481f1fe5991fb87d056f9177d707e27e550c927e64e5525400
-
Filesize
72KB
MD50e21da3c27b072bbb0e11423e48fe8a3
SHA16ac63cdd5aef4abb69b3f2dd75e581aa676a83b1
SHA256c55c29aafeae85261e0e6f3a9d9809e23daef81b37863981647dcdb8fa64f870
SHA512081319bfc1cfc17f537f9d941b3fff75f23854e8241baa0b4e8f57fec6aaf3a277062ac6afa7e8a5094c5ecc12b794199b6b8f6440b74fd0ebfdd53367f44b0e
-
Filesize
72KB
MD50e21da3c27b072bbb0e11423e48fe8a3
SHA16ac63cdd5aef4abb69b3f2dd75e581aa676a83b1
SHA256c55c29aafeae85261e0e6f3a9d9809e23daef81b37863981647dcdb8fa64f870
SHA512081319bfc1cfc17f537f9d941b3fff75f23854e8241baa0b4e8f57fec6aaf3a277062ac6afa7e8a5094c5ecc12b794199b6b8f6440b74fd0ebfdd53367f44b0e
-
Filesize
72KB
MD5372795d4049587681d16dee187cf51cb
SHA1c42d5de6cc29be78dfb8aff37aeb920f3edde65d
SHA256ce53f24bd444c35158dbd4d7eb800c8e2a444100972cef533535f55b97ae8a91
SHA51239ae1825abb1f8fe8bc3dafa789c3b2f04c2baab5e1a2d1ba9549f11d571d881ee023360683ae3252c9b532b70f563baadc8dbe94b6ed033bb637e2eb246b3d7
-
Filesize
72KB
MD5372795d4049587681d16dee187cf51cb
SHA1c42d5de6cc29be78dfb8aff37aeb920f3edde65d
SHA256ce53f24bd444c35158dbd4d7eb800c8e2a444100972cef533535f55b97ae8a91
SHA51239ae1825abb1f8fe8bc3dafa789c3b2f04c2baab5e1a2d1ba9549f11d571d881ee023360683ae3252c9b532b70f563baadc8dbe94b6ed033bb637e2eb246b3d7
-
Filesize
72KB
MD5f19c71775d62219f481dd99ef8249325
SHA190985a33df8d6b113cc10509ef8063a63e968fb5
SHA256065e7af86402a90a2069fda3b674703419aaad93617bd37618805b0e72b2beaf
SHA51260951e3aed66bf88e2ea65021b6652fc176ae1d4b7abfcacb6b49f9bdf9d02b6752c32b37ad618de4d736db397b5d6e4d22561990004bc34f0bd62c05a6420b9
-
Filesize
72KB
MD55a78883ec631d05656bd6b6adee86129
SHA12ce18885955fabd482e511e105393d76839722ba
SHA25626810f148dd17c328370f5b9170013e6ef3fcba87f3d0ca3b7819d7431a06755
SHA512555631a42f6be8cf4f5f5cc402f3905e340634b026b811d6935be0f4f2e740e17d094f55f6a7a66e1d11f9da7efe9d531acdf664a81b982283cf4d54f6efb4a7
-
Filesize
72KB
MD55a78883ec631d05656bd6b6adee86129
SHA12ce18885955fabd482e511e105393d76839722ba
SHA25626810f148dd17c328370f5b9170013e6ef3fcba87f3d0ca3b7819d7431a06755
SHA512555631a42f6be8cf4f5f5cc402f3905e340634b026b811d6935be0f4f2e740e17d094f55f6a7a66e1d11f9da7efe9d531acdf664a81b982283cf4d54f6efb4a7
-
Filesize
72KB
MD55a78883ec631d05656bd6b6adee86129
SHA12ce18885955fabd482e511e105393d76839722ba
SHA25626810f148dd17c328370f5b9170013e6ef3fcba87f3d0ca3b7819d7431a06755
SHA512555631a42f6be8cf4f5f5cc402f3905e340634b026b811d6935be0f4f2e740e17d094f55f6a7a66e1d11f9da7efe9d531acdf664a81b982283cf4d54f6efb4a7
-
Filesize
72KB
MD55a78883ec631d05656bd6b6adee86129
SHA12ce18885955fabd482e511e105393d76839722ba
SHA25626810f148dd17c328370f5b9170013e6ef3fcba87f3d0ca3b7819d7431a06755
SHA512555631a42f6be8cf4f5f5cc402f3905e340634b026b811d6935be0f4f2e740e17d094f55f6a7a66e1d11f9da7efe9d531acdf664a81b982283cf4d54f6efb4a7
-
Filesize
72KB
MD562545e13994aafe839d7f3017aeb45a1
SHA1bdfad2e673030a43af6cdbd756f06e7c21521be6
SHA256f5f085c2a495e520e963771341ab94a7b7736e4e38f6ac135bf7242628174375
SHA5126d1d266d94eddb891337b9ffa06bab91fb3a28533a0e6ed3b8b219db68421f3bac78b0e8abd0aed5a8806097491cc590359b5a9e75b57ee154342b7ad3988bd7
-
Filesize
72KB
MD562545e13994aafe839d7f3017aeb45a1
SHA1bdfad2e673030a43af6cdbd756f06e7c21521be6
SHA256f5f085c2a495e520e963771341ab94a7b7736e4e38f6ac135bf7242628174375
SHA5126d1d266d94eddb891337b9ffa06bab91fb3a28533a0e6ed3b8b219db68421f3bac78b0e8abd0aed5a8806097491cc590359b5a9e75b57ee154342b7ad3988bd7
-
Filesize
72KB
MD5f5dcaa2215bdbb78d5c1c26f3ca90244
SHA1003e694393f858e9e5f8d02c2996b6b8d5be8ba9
SHA256ab13aa495e871f84e067e6320694a505c2f454e3808e29b39ca639b017706d19
SHA5123329879255c5871ebf94c410a00107e29d733048c3b8613fe0370a14873b52ab3452d2e97246e03046e7b03673837895bbf544d2c55fcba2714a9f8c5de6fb7d
-
Filesize
72KB
MD5f5dcaa2215bdbb78d5c1c26f3ca90244
SHA1003e694393f858e9e5f8d02c2996b6b8d5be8ba9
SHA256ab13aa495e871f84e067e6320694a505c2f454e3808e29b39ca639b017706d19
SHA5123329879255c5871ebf94c410a00107e29d733048c3b8613fe0370a14873b52ab3452d2e97246e03046e7b03673837895bbf544d2c55fcba2714a9f8c5de6fb7d
-
Filesize
72KB
MD5e471347ff977e0c34ff7fd3bdc5ee679
SHA1a98dc4857f3a3d2e6664e0b9a1df0fe7671d861a
SHA256e1ac423d0200bae0a84ff3b1be6ab1a58161cae46973d3fcee7c79b5af63eeb6
SHA512bcf4dc085297201907a4a08af80ebabcdcc9fc45d13b9b081608268782fb29f715fe1145e10fe6e8981597c0ba2cae86ccce6e3a0bdd89b27562f21a74350fe6
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB
MD5a71c8196dc09bc6b936faa09fe3afa63
SHA1e087f8c42ed2ad1abad421188817945b2482a0ec
SHA25681784c6440725414c2d6c5985f773c3c5a0563e865a96a6bccdfe07d7cf4c49a
SHA512c5a5ff7db0eedad747dc9c9e0639032f75ed0564f5c767de3a70b9b32619a5ac327078bd25fdda0c58195e29758ba2ef1db38cc840713dcb468ee1cb561cc649
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB
MD55b237497210f8fc66ac6a436aff0d885
SHA1efe5c2b3d097e1211c0837617d9f59976e35c7ae
SHA2567493a459f1fa52c33fcde626fb59b74346e2bf39265d51297ef6b295eed366f2
SHA512ad68803df2fd66b8616765d6236bf92f7cb0e269d9ee330c2c35c4875eeba25aaad34792c3a8785ea821dba0b7e9f20ce17fcb47bcbe609d4fe5da859a188f63
-
Filesize
72KB
MD576c5f8c11de7e8ff54d9eb4682713f1e
SHA158295bf26962fa7907ce7537a2bc28444aa213c1
SHA256b7b287ea87c5e43498f86f493e62b7c0f48332dd94043b5f0acc831dd284fc9f
SHA512e11866702dc81cc86dbedc90e762027fcce5ed3443f5f53758124dd56d5d7aea1b0ea5dc0a9620d94caeecf9a0dea3061ee729f16239267f0683aca5ed5998b2
-
Filesize
72KB
MD5f5607b6f63e312e623941085a5c06e54
SHA1a0c8ff2f67cd76a39a6c1b9d5295a12cd517f67b
SHA2563a1ad9eebe5970fb7b20bef3b09fe0e65979ecb6c87c0c0639051f7f7b957b36
SHA512b32c3c879f1b437708d6a13dd20b25f6cd7eb631376077e3b700f22c7a80bdf5688c752229296613651e536a027b212beb4e735100beee905b77633fe2e83782
-
Filesize
72KB
MD576c5f8c11de7e8ff54d9eb4682713f1e
SHA158295bf26962fa7907ce7537a2bc28444aa213c1
SHA256b7b287ea87c5e43498f86f493e62b7c0f48332dd94043b5f0acc831dd284fc9f
SHA512e11866702dc81cc86dbedc90e762027fcce5ed3443f5f53758124dd56d5d7aea1b0ea5dc0a9620d94caeecf9a0dea3061ee729f16239267f0683aca5ed5998b2
-
Filesize
72KB
MD5be4091fbc00ef3b9ed5f1029ef0e0dad
SHA158a1c3faf1f1abe6411e30f86d2c90b8be7cc38b
SHA2568ead7a6f4424817a6954e92b7597c67d34f394435442dc1f8aeb6128106f4271
SHA512362e79b66af56ba8338093a3b6fb77953e2b2691e00d45eafa264f6f1526aa3d25f7cca97e20b3136fb7d9948b0c7f7b084cb3e50d86e51e4b7fda72069f981f
-
Filesize
72KB
MD5be4091fbc00ef3b9ed5f1029ef0e0dad
SHA158a1c3faf1f1abe6411e30f86d2c90b8be7cc38b
SHA2568ead7a6f4424817a6954e92b7597c67d34f394435442dc1f8aeb6128106f4271
SHA512362e79b66af56ba8338093a3b6fb77953e2b2691e00d45eafa264f6f1526aa3d25f7cca97e20b3136fb7d9948b0c7f7b084cb3e50d86e51e4b7fda72069f981f
-
Filesize
72KB
MD51d045950018baca408a1662da64c74ef
SHA1b70f0861faaef0f93105acb8380a14faae545628
SHA2565be2a920097a40f83f70925522a5870978fcc9731958979f2b3f5cd15d28fa0e
SHA512435f92145837852d5ad1ca22ce933dba847e5a47b958c0018184f89590e84c4cbc905bc11cca02e6b310104766d8ca8e1c62c6dcdc435c561802bf0ef396f520
-
Filesize
72KB
MD51d045950018baca408a1662da64c74ef
SHA1b70f0861faaef0f93105acb8380a14faae545628
SHA2565be2a920097a40f83f70925522a5870978fcc9731958979f2b3f5cd15d28fa0e
SHA512435f92145837852d5ad1ca22ce933dba847e5a47b958c0018184f89590e84c4cbc905bc11cca02e6b310104766d8ca8e1c62c6dcdc435c561802bf0ef396f520
-
Filesize
72KB
MD56e443f3bbc74c28bfe4bb6bdfa7ee6d8
SHA1fb39d8783f9cb03d09baf1f087737538778feebc
SHA256ca1d120c6d1d211d3cec4c45900a696c1cb7895950097ed2e1d4584812e6ebc7
SHA5120ad0eb03b00d7ed5564cc09886ed2ea9914c7ce2d184382a91d139e8d188e70942d3e90aa2293676ee3a936a1ef31014612e679240557bf38af49f4754406816
-
Filesize
72KB
MD56e443f3bbc74c28bfe4bb6bdfa7ee6d8
SHA1fb39d8783f9cb03d09baf1f087737538778feebc
SHA256ca1d120c6d1d211d3cec4c45900a696c1cb7895950097ed2e1d4584812e6ebc7
SHA5120ad0eb03b00d7ed5564cc09886ed2ea9914c7ce2d184382a91d139e8d188e70942d3e90aa2293676ee3a936a1ef31014612e679240557bf38af49f4754406816
-
Filesize
72KB
MD5a03a381cbbacc7457e484288d0e8faa1
SHA15cf7fbf110cf192b6d798a6b32ba6551dc178c25
SHA256001a1450add82faa1d318dca37ec7fde708e772171619a8147d6c90828564286
SHA512461286c7e54c9c556e9dee5fd73da2f4474f9a1a20d9528342f6b0fef300df4f9edf17a964d7ed22e6eae24d249ea2df81f6283d4eeb966ab1f3df83f1cf3777
-
Filesize
72KB
MD5a03a381cbbacc7457e484288d0e8faa1
SHA15cf7fbf110cf192b6d798a6b32ba6551dc178c25
SHA256001a1450add82faa1d318dca37ec7fde708e772171619a8147d6c90828564286
SHA512461286c7e54c9c556e9dee5fd73da2f4474f9a1a20d9528342f6b0fef300df4f9edf17a964d7ed22e6eae24d249ea2df81f6283d4eeb966ab1f3df83f1cf3777
-
Filesize
72KB
MD5a03a381cbbacc7457e484288d0e8faa1
SHA15cf7fbf110cf192b6d798a6b32ba6551dc178c25
SHA256001a1450add82faa1d318dca37ec7fde708e772171619a8147d6c90828564286
SHA512461286c7e54c9c556e9dee5fd73da2f4474f9a1a20d9528342f6b0fef300df4f9edf17a964d7ed22e6eae24d249ea2df81f6283d4eeb966ab1f3df83f1cf3777
-
Filesize
72KB
MD5a03a381cbbacc7457e484288d0e8faa1
SHA15cf7fbf110cf192b6d798a6b32ba6551dc178c25
SHA256001a1450add82faa1d318dca37ec7fde708e772171619a8147d6c90828564286
SHA512461286c7e54c9c556e9dee5fd73da2f4474f9a1a20d9528342f6b0fef300df4f9edf17a964d7ed22e6eae24d249ea2df81f6283d4eeb966ab1f3df83f1cf3777
-
Filesize
72KB
MD58ce1ffbb684df67298a098644ba47ce6
SHA119ccdbf911ba71fdaf6888fb51142e00cbdbd0e6
SHA256dda67fcb0411b1bb80cbfdf018d763023ce6cc75957012c779120b1dcbe76659
SHA5122272b11641da03fc62a6805edbae1976c7be9662275e11c55999180e6aeb78c745a1e1533b3e59481f1fe5991fb87d056f9177d707e27e550c927e64e5525400
-
Filesize
72KB
MD58ce1ffbb684df67298a098644ba47ce6
SHA119ccdbf911ba71fdaf6888fb51142e00cbdbd0e6
SHA256dda67fcb0411b1bb80cbfdf018d763023ce6cc75957012c779120b1dcbe76659
SHA5122272b11641da03fc62a6805edbae1976c7be9662275e11c55999180e6aeb78c745a1e1533b3e59481f1fe5991fb87d056f9177d707e27e550c927e64e5525400
-
Filesize
72KB
MD50e21da3c27b072bbb0e11423e48fe8a3
SHA16ac63cdd5aef4abb69b3f2dd75e581aa676a83b1
SHA256c55c29aafeae85261e0e6f3a9d9809e23daef81b37863981647dcdb8fa64f870
SHA512081319bfc1cfc17f537f9d941b3fff75f23854e8241baa0b4e8f57fec6aaf3a277062ac6afa7e8a5094c5ecc12b794199b6b8f6440b74fd0ebfdd53367f44b0e
-
Filesize
72KB
MD50e21da3c27b072bbb0e11423e48fe8a3
SHA16ac63cdd5aef4abb69b3f2dd75e581aa676a83b1
SHA256c55c29aafeae85261e0e6f3a9d9809e23daef81b37863981647dcdb8fa64f870
SHA512081319bfc1cfc17f537f9d941b3fff75f23854e8241baa0b4e8f57fec6aaf3a277062ac6afa7e8a5094c5ecc12b794199b6b8f6440b74fd0ebfdd53367f44b0e
-
Filesize
72KB
MD5372795d4049587681d16dee187cf51cb
SHA1c42d5de6cc29be78dfb8aff37aeb920f3edde65d
SHA256ce53f24bd444c35158dbd4d7eb800c8e2a444100972cef533535f55b97ae8a91
SHA51239ae1825abb1f8fe8bc3dafa789c3b2f04c2baab5e1a2d1ba9549f11d571d881ee023360683ae3252c9b532b70f563baadc8dbe94b6ed033bb637e2eb246b3d7
-
Filesize
72KB
MD5372795d4049587681d16dee187cf51cb
SHA1c42d5de6cc29be78dfb8aff37aeb920f3edde65d
SHA256ce53f24bd444c35158dbd4d7eb800c8e2a444100972cef533535f55b97ae8a91
SHA51239ae1825abb1f8fe8bc3dafa789c3b2f04c2baab5e1a2d1ba9549f11d571d881ee023360683ae3252c9b532b70f563baadc8dbe94b6ed033bb637e2eb246b3d7
-
Filesize
72KB
MD5f19c71775d62219f481dd99ef8249325
SHA190985a33df8d6b113cc10509ef8063a63e968fb5
SHA256065e7af86402a90a2069fda3b674703419aaad93617bd37618805b0e72b2beaf
SHA51260951e3aed66bf88e2ea65021b6652fc176ae1d4b7abfcacb6b49f9bdf9d02b6752c32b37ad618de4d736db397b5d6e4d22561990004bc34f0bd62c05a6420b9
-
Filesize
72KB
MD5f19c71775d62219f481dd99ef8249325
SHA190985a33df8d6b113cc10509ef8063a63e968fb5
SHA256065e7af86402a90a2069fda3b674703419aaad93617bd37618805b0e72b2beaf
SHA51260951e3aed66bf88e2ea65021b6652fc176ae1d4b7abfcacb6b49f9bdf9d02b6752c32b37ad618de4d736db397b5d6e4d22561990004bc34f0bd62c05a6420b9
-
Filesize
72KB
MD55a78883ec631d05656bd6b6adee86129
SHA12ce18885955fabd482e511e105393d76839722ba
SHA25626810f148dd17c328370f5b9170013e6ef3fcba87f3d0ca3b7819d7431a06755
SHA512555631a42f6be8cf4f5f5cc402f3905e340634b026b811d6935be0f4f2e740e17d094f55f6a7a66e1d11f9da7efe9d531acdf664a81b982283cf4d54f6efb4a7
-
Filesize
72KB
MD55a78883ec631d05656bd6b6adee86129
SHA12ce18885955fabd482e511e105393d76839722ba
SHA25626810f148dd17c328370f5b9170013e6ef3fcba87f3d0ca3b7819d7431a06755
SHA512555631a42f6be8cf4f5f5cc402f3905e340634b026b811d6935be0f4f2e740e17d094f55f6a7a66e1d11f9da7efe9d531acdf664a81b982283cf4d54f6efb4a7
-
Filesize
72KB
MD558df2f3f619d68da42b1c135cd398619
SHA123423a4b0cbb78fc5c67d0c072cf467cf97d93fe
SHA256afedba02eeb2934165fc8d720be5d70e7a87d0a7bdd8113cc63df282d877cf47
SHA5126d8de72965f50711e29031a6660c1fcf52a17bb9701ce5cc735c9b0f1d1649fe697cf0b59192dad8e130a4feeee4966d27532fb15777047503b6690493b7522f
-
Filesize
72KB
MD55a78883ec631d05656bd6b6adee86129
SHA12ce18885955fabd482e511e105393d76839722ba
SHA25626810f148dd17c328370f5b9170013e6ef3fcba87f3d0ca3b7819d7431a06755
SHA512555631a42f6be8cf4f5f5cc402f3905e340634b026b811d6935be0f4f2e740e17d094f55f6a7a66e1d11f9da7efe9d531acdf664a81b982283cf4d54f6efb4a7
-
Filesize
72KB
MD55a78883ec631d05656bd6b6adee86129
SHA12ce18885955fabd482e511e105393d76839722ba
SHA25626810f148dd17c328370f5b9170013e6ef3fcba87f3d0ca3b7819d7431a06755
SHA512555631a42f6be8cf4f5f5cc402f3905e340634b026b811d6935be0f4f2e740e17d094f55f6a7a66e1d11f9da7efe9d531acdf664a81b982283cf4d54f6efb4a7
-
Filesize
72KB
MD562545e13994aafe839d7f3017aeb45a1
SHA1bdfad2e673030a43af6cdbd756f06e7c21521be6
SHA256f5f085c2a495e520e963771341ab94a7b7736e4e38f6ac135bf7242628174375
SHA5126d1d266d94eddb891337b9ffa06bab91fb3a28533a0e6ed3b8b219db68421f3bac78b0e8abd0aed5a8806097491cc590359b5a9e75b57ee154342b7ad3988bd7
-
Filesize
72KB
MD562545e13994aafe839d7f3017aeb45a1
SHA1bdfad2e673030a43af6cdbd756f06e7c21521be6
SHA256f5f085c2a495e520e963771341ab94a7b7736e4e38f6ac135bf7242628174375
SHA5126d1d266d94eddb891337b9ffa06bab91fb3a28533a0e6ed3b8b219db68421f3bac78b0e8abd0aed5a8806097491cc590359b5a9e75b57ee154342b7ad3988bd7
-
Filesize
72KB
MD5f5dcaa2215bdbb78d5c1c26f3ca90244
SHA1003e694393f858e9e5f8d02c2996b6b8d5be8ba9
SHA256ab13aa495e871f84e067e6320694a505c2f454e3808e29b39ca639b017706d19
SHA5123329879255c5871ebf94c410a00107e29d733048c3b8613fe0370a14873b52ab3452d2e97246e03046e7b03673837895bbf544d2c55fcba2714a9f8c5de6fb7d
-
Filesize
72KB
MD5f5dcaa2215bdbb78d5c1c26f3ca90244
SHA1003e694393f858e9e5f8d02c2996b6b8d5be8ba9
SHA256ab13aa495e871f84e067e6320694a505c2f454e3808e29b39ca639b017706d19
SHA5123329879255c5871ebf94c410a00107e29d733048c3b8613fe0370a14873b52ab3452d2e97246e03046e7b03673837895bbf544d2c55fcba2714a9f8c5de6fb7d
-
Filesize
72KB
MD5e471347ff977e0c34ff7fd3bdc5ee679
SHA1a98dc4857f3a3d2e6664e0b9a1df0fe7671d861a
SHA256e1ac423d0200bae0a84ff3b1be6ab1a58161cae46973d3fcee7c79b5af63eeb6
SHA512bcf4dc085297201907a4a08af80ebabcdcc9fc45d13b9b081608268782fb29f715fe1145e10fe6e8981597c0ba2cae86ccce6e3a0bdd89b27562f21a74350fe6
-
Filesize
72KB
MD5e471347ff977e0c34ff7fd3bdc5ee679
SHA1a98dc4857f3a3d2e6664e0b9a1df0fe7671d861a
SHA256e1ac423d0200bae0a84ff3b1be6ab1a58161cae46973d3fcee7c79b5af63eeb6
SHA512bcf4dc085297201907a4a08af80ebabcdcc9fc45d13b9b081608268782fb29f715fe1145e10fe6e8981597c0ba2cae86ccce6e3a0bdd89b27562f21a74350fe6
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB
MD5a71c8196dc09bc6b936faa09fe3afa63
SHA1e087f8c42ed2ad1abad421188817945b2482a0ec
SHA25681784c6440725414c2d6c5985f773c3c5a0563e865a96a6bccdfe07d7cf4c49a
SHA512c5a5ff7db0eedad747dc9c9e0639032f75ed0564f5c767de3a70b9b32619a5ac327078bd25fdda0c58195e29758ba2ef1db38cc840713dcb468ee1cb561cc649
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB
MD5a71c8196dc09bc6b936faa09fe3afa63
SHA1e087f8c42ed2ad1abad421188817945b2482a0ec
SHA25681784c6440725414c2d6c5985f773c3c5a0563e865a96a6bccdfe07d7cf4c49a
SHA512c5a5ff7db0eedad747dc9c9e0639032f75ed0564f5c767de3a70b9b32619a5ac327078bd25fdda0c58195e29758ba2ef1db38cc840713dcb468ee1cb561cc649
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB
MD55b237497210f8fc66ac6a436aff0d885
SHA1efe5c2b3d097e1211c0837617d9f59976e35c7ae
SHA2567493a459f1fa52c33fcde626fb59b74346e2bf39265d51297ef6b295eed366f2
SHA512ad68803df2fd66b8616765d6236bf92f7cb0e269d9ee330c2c35c4875eeba25aaad34792c3a8785ea821dba0b7e9f20ce17fcb47bcbe609d4fe5da859a188f63
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB
MD55b237497210f8fc66ac6a436aff0d885
SHA1efe5c2b3d097e1211c0837617d9f59976e35c7ae
SHA2567493a459f1fa52c33fcde626fb59b74346e2bf39265d51297ef6b295eed366f2
SHA512ad68803df2fd66b8616765d6236bf92f7cb0e269d9ee330c2c35c4875eeba25aaad34792c3a8785ea821dba0b7e9f20ce17fcb47bcbe609d4fe5da859a188f63
-
Filesize
72KB
MD576c5f8c11de7e8ff54d9eb4682713f1e
SHA158295bf26962fa7907ce7537a2bc28444aa213c1
SHA256b7b287ea87c5e43498f86f493e62b7c0f48332dd94043b5f0acc831dd284fc9f
SHA512e11866702dc81cc86dbedc90e762027fcce5ed3443f5f53758124dd56d5d7aea1b0ea5dc0a9620d94caeecf9a0dea3061ee729f16239267f0683aca5ed5998b2
-
Filesize
72KB
MD576c5f8c11de7e8ff54d9eb4682713f1e
SHA158295bf26962fa7907ce7537a2bc28444aa213c1
SHA256b7b287ea87c5e43498f86f493e62b7c0f48332dd94043b5f0acc831dd284fc9f
SHA512e11866702dc81cc86dbedc90e762027fcce5ed3443f5f53758124dd56d5d7aea1b0ea5dc0a9620d94caeecf9a0dea3061ee729f16239267f0683aca5ed5998b2
-
Filesize
72KB
MD5f5607b6f63e312e623941085a5c06e54
SHA1a0c8ff2f67cd76a39a6c1b9d5295a12cd517f67b
SHA2563a1ad9eebe5970fb7b20bef3b09fe0e65979ecb6c87c0c0639051f7f7b957b36
SHA512b32c3c879f1b437708d6a13dd20b25f6cd7eb631376077e3b700f22c7a80bdf5688c752229296613651e536a027b212beb4e735100beee905b77633fe2e83782
-
Filesize
72KB
MD5f5607b6f63e312e623941085a5c06e54
SHA1a0c8ff2f67cd76a39a6c1b9d5295a12cd517f67b
SHA2563a1ad9eebe5970fb7b20bef3b09fe0e65979ecb6c87c0c0639051f7f7b957b36
SHA512b32c3c879f1b437708d6a13dd20b25f6cd7eb631376077e3b700f22c7a80bdf5688c752229296613651e536a027b212beb4e735100beee905b77633fe2e83782
-
Filesize
72KB
MD576c5f8c11de7e8ff54d9eb4682713f1e
SHA158295bf26962fa7907ce7537a2bc28444aa213c1
SHA256b7b287ea87c5e43498f86f493e62b7c0f48332dd94043b5f0acc831dd284fc9f
SHA512e11866702dc81cc86dbedc90e762027fcce5ed3443f5f53758124dd56d5d7aea1b0ea5dc0a9620d94caeecf9a0dea3061ee729f16239267f0683aca5ed5998b2
-
Filesize
72KB
MD576c5f8c11de7e8ff54d9eb4682713f1e
SHA158295bf26962fa7907ce7537a2bc28444aa213c1
SHA256b7b287ea87c5e43498f86f493e62b7c0f48332dd94043b5f0acc831dd284fc9f
SHA512e11866702dc81cc86dbedc90e762027fcce5ed3443f5f53758124dd56d5d7aea1b0ea5dc0a9620d94caeecf9a0dea3061ee729f16239267f0683aca5ed5998b2