Analysis
-
max time kernel
181s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
29-11-2022 14:10
Static task
static1
Behavioral task
behavioral1
Sample
65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe
Resource
win10v2004-20221111-en
General
-
Target
65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe
-
Size
72KB
-
MD5
0225a421b7aeb8fee4d1f2dcedd5b325
-
SHA1
bb1d7873c3d9472d1a65c634dcc512559d410667
-
SHA256
65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600
-
SHA512
18a847d37cd95c57e12a8dde1acdc2ff343b7f156eee207eb079b116859b0dfb00a602e450bfde960b7fe8acc8e694dc9884d5cc887a530e2b44420a7fc58599
-
SSDEEP
384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2C:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrP2
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" update.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" System Restore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set 
value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" data.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value 
(int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" update.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" System Restore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 
backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" System Restore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" update.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe -
Disables RegEdit via registry modification 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" System Restore.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" System Restore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" data.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value 
(int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" data.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe -
Executes dropped EXE 64 IoCs
pid Process 1720 backup.exe 628 backup.exe 968 backup.exe 908 backup.exe 1808 backup.exe 1904 backup.exe 340 backup.exe 832 backup.exe 752 backup.exe 688 backup.exe 780 backup.exe 368 backup.exe 1300 backup.exe 1128 backup.exe 1708 backup.exe 1760 backup.exe 1992 backup.exe 1600 backup.exe 1220 backup.exe 1508 backup.exe 1456 update.exe 900 backup.exe 328 backup.exe 1764 backup.exe 1684 data.exe 840 backup.exe 1048 backup.exe 1532 backup.exe 1736 backup.exe 832 backup.exe 1284 backup.exe 584 backup.exe 1928 backup.exe 1848 backup.exe 2016 backup.exe 368 backup.exe 1044 backup.exe 684 backup.exe 1144 backup.exe 1092 backup.exe 1332 System Restore.exe 112 backup.exe 1704 backup.exe 1572 backup.exe 1596 backup.exe 1496 backup.exe 1492 data.exe 1488 backup.exe 1500 backup.exe 1392 backup.exe 628 backup.exe 1164 backup.exe 940 backup.exe 1688 backup.exe 308 backup.exe 340 backup.exe 908 backup.exe 800 backup.exe 836 backup.exe 1356 backup.exe 1612 backup.exe 1512 System Restore.exe 564 backup.exe 588 backup.exe -
Loads dropped DLL 64 IoCs
pid Process 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 968 backup.exe 968 backup.exe 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 908 backup.exe 908 backup.exe 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 968 backup.exe 968 backup.exe 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 752 backup.exe 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 752 backup.exe 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 780 backup.exe 780 backup.exe 752 backup.exe 752 backup.exe 1128 backup.exe 1128 backup.exe 1708 backup.exe 1708 backup.exe 1708 backup.exe 1708 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1456 update.exe 1456 update.exe 1456 update.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1992 backup.exe 1736 backup.exe 1736 backup.exe 1736 backup.exe 1736 backup.exe 1736 backup.exe 1736 backup.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\DVD Maker\ja-JP\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\SpeechEngines\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\data.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe update.exe File opened for modification C:\Program Files\Common Files\System\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\de-DE\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe backup.exe File opened for modification C:\Program Files\Microsoft Games\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe backup.exe File 
opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe update.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe update.exe File opened for modification C:\Program Files\7-Zip\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe backup.exe File opened for modification C:\Program Files\Google\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe update.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\it-IT\backup.exe backup.exe File opened for modification C:\Program Files (x86)\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe backup.exe File opened for modification C:\Program 
Files\Common Files\Microsoft Shared\ink\zh-CN\System Restore.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\data.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe update.exe File opened for modification C:\Program Files\DVD Maker\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe update.exe File opened for modification C:\Program Files\Common Files\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Internet Explorer\data.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\System Restore.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe update.exe File opened for modification C:\Program Files 
(x86)\Common Files\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\update.exe backup.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\backup.exe backup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 1720 backup.exe 628 backup.exe 968 backup.exe 908 backup.exe 1808 backup.exe 1904 backup.exe 340 backup.exe 832 backup.exe 752 backup.exe 688 backup.exe 780 backup.exe 368 backup.exe 1300 backup.exe 1128 backup.exe 1708 backup.exe 1760 backup.exe 1992 backup.exe 1600 backup.exe 1220 backup.exe 1508 backup.exe 1456 update.exe 900 backup.exe 328 backup.exe 1764 backup.exe 1684 data.exe 840 backup.exe 1048 backup.exe 1532 backup.exe 1736 backup.exe 832 backup.exe 1284 backup.exe 584 backup.exe 1928 backup.exe 1848 backup.exe 2016 backup.exe 368 backup.exe 1044 backup.exe 684 backup.exe 1144 backup.exe 1092 backup.exe 1332 System Restore.exe 112 backup.exe 1704 backup.exe 1572 backup.exe 1596 backup.exe 1496 backup.exe 1492 data.exe 1488 backup.exe 1500 backup.exe 1392 backup.exe 628 backup.exe 1164 backup.exe 940 backup.exe 1688 backup.exe 308 backup.exe 340 backup.exe 908 backup.exe 800 backup.exe 836 backup.exe 1356 backup.exe 1612 backup.exe 1512 System Restore.exe 564 backup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1620 wrote to memory of 1720 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 28 PID 1620 wrote to memory of 1720 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 28 PID 1620 wrote to memory of 1720 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 28 PID 1620 wrote to memory of 1720 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 28 PID 1620 wrote to memory of 628 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 29 PID 1620 wrote to memory of 628 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 29 PID 1620 wrote to memory of 628 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 29 PID 1620 wrote to memory of 628 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 29 PID 1720 wrote to memory of 968 1720 backup.exe 30 PID 1720 wrote to memory of 968 1720 backup.exe 30 PID 1720 wrote to memory of 968 1720 backup.exe 30 PID 1720 wrote to memory of 968 1720 backup.exe 30 PID 968 wrote to memory of 908 968 backup.exe 31 PID 968 wrote to memory of 908 968 backup.exe 31 PID 968 wrote to memory of 908 968 backup.exe 31 PID 968 wrote to memory of 908 968 backup.exe 31 PID 1620 wrote to memory of 1808 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 32 PID 1620 wrote to memory of 1808 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 32 PID 1620 wrote to memory of 1808 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 32 PID 1620 wrote to memory of 1808 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 32 PID 1620 wrote to memory of 1904 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 33 PID 1620 wrote to memory of 1904 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 33 PID 1620 wrote to memory 
of 1904 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 33 PID 1620 wrote to memory of 1904 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 33 PID 908 wrote to memory of 340 908 backup.exe 34 PID 908 wrote to memory of 340 908 backup.exe 34 PID 908 wrote to memory of 340 908 backup.exe 34 PID 908 wrote to memory of 340 908 backup.exe 34 PID 1620 wrote to memory of 832 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 35 PID 1620 wrote to memory of 832 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 35 PID 1620 wrote to memory of 832 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 35 PID 1620 wrote to memory of 832 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 35 PID 968 wrote to memory of 752 968 backup.exe 36 PID 968 wrote to memory of 752 968 backup.exe 36 PID 968 wrote to memory of 752 968 backup.exe 36 PID 968 wrote to memory of 752 968 backup.exe 36 PID 1620 wrote to memory of 688 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 37 PID 1620 wrote to memory of 688 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 37 PID 1620 wrote to memory of 688 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 37 PID 1620 wrote to memory of 688 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 37 PID 752 wrote to memory of 780 752 backup.exe 38 PID 752 wrote to memory of 780 752 backup.exe 38 PID 752 wrote to memory of 780 752 backup.exe 38 PID 752 wrote to memory of 780 752 backup.exe 38 PID 1620 wrote to memory of 368 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 39 PID 1620 wrote to memory of 368 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 39 PID 1620 wrote to memory of 368 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 39 PID 1620 wrote to 
memory of 368 1620 65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe 39 PID 780 wrote to memory of 1300 780 backup.exe 40 PID 780 wrote to memory of 1300 780 backup.exe 40 PID 780 wrote to memory of 1300 780 backup.exe 40 PID 780 wrote to memory of 1300 780 backup.exe 40 PID 752 wrote to memory of 1128 752 backup.exe 41 PID 752 wrote to memory of 1128 752 backup.exe 41 PID 752 wrote to memory of 1128 752 backup.exe 41 PID 752 wrote to memory of 1128 752 backup.exe 41 PID 1128 wrote to memory of 1708 1128 backup.exe 42 PID 1128 wrote to memory of 1708 1128 backup.exe 42 PID 1128 wrote to memory of 1708 1128 backup.exe 42 PID 1128 wrote to memory of 1708 1128 backup.exe 42 PID 1708 wrote to memory of 1760 1708 backup.exe 43 PID 1708 wrote to memory of 1760 1708 backup.exe 43 PID 1708 wrote to memory of 1760 1708 backup.exe 43 PID 1708 wrote to memory of 1760 1708 backup.exe 43 -
System policy modification 1 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" data.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System data.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer System Restore.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System data.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer data.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe"C:\Users\Admin\AppData\Local\Temp\65fa058786e633f5cdc8616525b3eb2358503d98dc5b8c310a6f38108d45f600.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\3429557899\backup.exeC:\Users\Admin\AppData\Local\Temp\3429557899\backup.exe C:\Users\Admin\AppData\Local\Temp\3429557899\2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\backup.exe\backup.exe \3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968 -
C:\PerfLogs\backup.exeC:\PerfLogs\backup.exe C:\PerfLogs\4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:908 -
C:\PerfLogs\Admin\backup.exeC:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:340
-
-
-
C:\Program Files\backup.exe"C:\Program Files\backup.exe" C:\Program Files\4⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:752 -
C:\Program Files\7-Zip\backup.exe"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Program Files\7-Zip\Lang\backup.exe"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1300
-
-
-
C:\Program Files\Common Files\backup.exe"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\5⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1128 -
C:\Program Files\Common Files\Microsoft Shared\backup.exe"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1708 -
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1760
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1992 -
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1600
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1220
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1508
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1456
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:900
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:328
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1764
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1684
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:840
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1048
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1532
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1736 -
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:832
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\9⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1284
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:584
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1928
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1848
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2016
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:368
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1044
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\9⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:684
-
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1144
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1092
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\System Restore.exe"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1332
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:112
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1704
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1572
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1596
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1496
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\data.exe"C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1492
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1488
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1500
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1392
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:628
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1164
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:940
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1688
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:308
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:340
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:908
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:800
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:836
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1356
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1612
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\System Restore.exe"C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1512
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:564
-
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- System policy modification
PID:588 -
C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\8⤵PID:1440
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1396
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\8⤵
- Disables RegEdit via registry modification
PID:1752
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:684
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:896
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:552
-
-
-
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:1092 -
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1316
-
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:1948
-
-
C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\7⤵
- Disables RegEdit via registry modification
PID:1588
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\update.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1660 -
C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1712
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1600
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\8⤵
- Modifies visibility of file extensions in Explorer
PID:1952
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\8⤵
- Disables RegEdit via registry modification
PID:960
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\8⤵
- Modifies visibility of file extensions in Explorer
PID:1724
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1800
-
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:2032 -
C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\data.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\8⤵
- Modifies visibility of file extensions in Explorer
PID:628
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\8⤵
- Modifies visibility of file extensions in Explorer
PID:1516
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\8⤵
- Modifies visibility of file extensions in Explorer
PID:1048
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1284
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\data.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:672
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\update.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\8⤵PID:980
-
-
-
C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\7⤵PID:564
-
-
C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\7⤵PID:1644
-
-
C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe"C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\7⤵PID:1596
-
-
-
C:\Program Files\Common Files\Services\update.exe"C:\Program Files\Common Files\Services\update.exe" C:\Program Files\Common Files\Services\6⤵PID:308
-
-
C:\Program Files\Common Files\SpeechEngines\backup.exe"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:1216 -
C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\7⤵PID:776
-
-
-
C:\Program Files\Common Files\System\backup.exe"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\6⤵PID:1332
-
-
-
C:\Program Files\DVD Maker\backup.exe"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:1580 -
C:\Program Files\DVD Maker\de-DE\backup.exe"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:340
-
-
C:\Program Files\DVD Maker\en-US\System Restore.exe"C:\Program Files\DVD Maker\en-US\System Restore.exe" C:\Program Files\DVD Maker\en-US\6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:800
-
-
C:\Program Files\DVD Maker\es-ES\backup.exe"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\6⤵PID:2016
-
-
C:\Program Files\DVD Maker\fr-FR\backup.exe"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\6⤵PID:528
-
-
C:\Program Files\DVD Maker\it-IT\backup.exe"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\6⤵PID:1588
-
-
C:\Program Files\DVD Maker\ja-JP\backup.exe"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\6⤵PID:1380
-
-
-
C:\Program Files\Google\backup.exe"C:\Program Files\Google\backup.exe" C:\Program Files\Google\5⤵PID:1652
-
-
C:\Program Files\Internet Explorer\data.exe"C:\Program Files\Internet Explorer\data.exe" C:\Program Files\Internet Explorer\5⤵PID:608
-
-
C:\Program Files\Java\backup.exe"C:\Program Files\Java\backup.exe" C:\Program Files\Java\5⤵PID:1340
-
-
C:\Program Files\Microsoft Games\backup.exe"C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\5⤵PID:1904
-
-
-
C:\Program Files (x86)\backup.exe"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\4⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1160 -
C:\Program Files (x86)\Adobe\backup.exe"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\5⤵
- System policy modification
PID:1304 -
C:\Program Files (x86)\Adobe\Reader 9.0\update.exe"C:\Program Files (x86)\Adobe\Reader 9.0\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1532 -
C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\7⤵PID:836
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\7⤵PID:1992
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\7⤵PID:1096
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\7⤵PID:1296
-
-
-
-
C:\Program Files (x86)\Common Files\backup.exe"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\5⤵PID:1928
-
-
C:\Program Files (x86)\Google\System Restore.exe"C:\Program Files (x86)\Google\System Restore.exe" C:\Program Files (x86)\Google\5⤵PID:1524
-
-
C:\Program Files (x86)\Internet Explorer\data.exe"C:\Program Files (x86)\Internet Explorer\data.exe" C:\Program Files (x86)\Internet Explorer\5⤵PID:1600
-
-
C:\Program Files (x86)\Microsoft Analysis Services\backup.exe"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\5⤵PID:340
-
-
-
C:\Users\backup.exeC:\Users\backup.exe C:\Users\4⤵PID:1816
-
-
C:\Windows\backup.exeC:\Windows\backup.exe C:\Windows\4⤵PID:932
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exeC:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:628
-
-
C:\Users\Admin\AppData\Local\Temp\Low\backup.exeC:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1808
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1904
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:832
-
-
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exeC:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:688
-
-
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exeC:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:368
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
72KB
MD5de62548e91d74255b5ef1002b83dcef7
SHA1b71e11941eaf63000174f9fed5755bcf02421941
SHA2560a84fbcd376f5aaf9ad292302dd78e7f1fceac3dee36831725eafb5bbd9d7c82
SHA5124ba9c9ffded29f01f41127b6b7223936c30fa019ae239ac57ab945eadd83f003559a811e1570900c813069f83a4dee08d527c85aaeede3818af548e7b1db9e88
-
Filesize
72KB
MD5f1c5b17c90677b9944c541881908eb0c
SHA17cce43b6355f80254cc3c10c8bcfcd082804945e
SHA2562e1369796f953155ebeaa0f458d543969d0e89f9d3296d52c89af70d0c063fca
SHA512bbc93917d08edef768f6770cf2bdbd25f43173231ef33f457a7f3e5f408c973726530d1137770f389a296f8f7fcd818993db8a9ac37d93e60d1cf8a6f7f2276a
-
Filesize
72KB
MD5f1c5b17c90677b9944c541881908eb0c
SHA17cce43b6355f80254cc3c10c8bcfcd082804945e
SHA2562e1369796f953155ebeaa0f458d543969d0e89f9d3296d52c89af70d0c063fca
SHA512bbc93917d08edef768f6770cf2bdbd25f43173231ef33f457a7f3e5f408c973726530d1137770f389a296f8f7fcd818993db8a9ac37d93e60d1cf8a6f7f2276a
-
Filesize
72KB
MD518888654ddeb7b648e96574b05f28806
SHA1c336dd3dd5aeeef8f707e1ce734f1c678fad2dc5
SHA2564d1f14dddc90d94a454bb402d331d0ececde5aeb54797479269067f2f0e520c3
SHA5129805c89b8b39635ee0a6f205ff3a7847164cb04ab56a036218b86a7932dbb0b025ab946a2ca0e16403d6bbaefe2814f4f4b4bb1c2294b5f96990ef3c25a0c640
-
Filesize
72KB
MD553b9c3d047a51f096ed611b8aa903b60
SHA1a3994f8d815093a54a88054f9a12e8ae9db6528d
SHA256ebf67f1473f62b5b447c13e3df1741e059277abb9a63f336defc10063a699e63
SHA5127dcf1620ab789f21c037922f33d0501f94307b6d26995e0632232b7e4b18541403b50eadc0e04d37c83c59dc5a1ea1a22805a9992507970f5475296f5f6e3949
-
Filesize
72KB
MD553b9c3d047a51f096ed611b8aa903b60
SHA1a3994f8d815093a54a88054f9a12e8ae9db6528d
SHA256ebf67f1473f62b5b447c13e3df1741e059277abb9a63f336defc10063a699e63
SHA5127dcf1620ab789f21c037922f33d0501f94307b6d26995e0632232b7e4b18541403b50eadc0e04d37c83c59dc5a1ea1a22805a9992507970f5475296f5f6e3949
-
Filesize
72KB
MD557c062597de1b722bc7797b31c00b6a1
SHA1c9a4ff25c2a85b79e4f1f168fb3980a4a6d46ce0
SHA25685673813555e337f9aa3b7e3c397f9235f3df875bf08eb6c55663dfffe82828a
SHA5120b623e5fb56390d132cbee2b0e6eb37b3e3f1a4db1f3d93c0876442c385b768554c6a4cf8cc7cdb904cb985d8d88c1284378561844b7df39c5223d148fa645e4
-
Filesize
72KB
MD518888654ddeb7b648e96574b05f28806
SHA1c336dd3dd5aeeef8f707e1ce734f1c678fad2dc5
SHA2564d1f14dddc90d94a454bb402d331d0ececde5aeb54797479269067f2f0e520c3
SHA5129805c89b8b39635ee0a6f205ff3a7847164cb04ab56a036218b86a7932dbb0b025ab946a2ca0e16403d6bbaefe2814f4f4b4bb1c2294b5f96990ef3c25a0c640
-
Filesize
72KB
MD518888654ddeb7b648e96574b05f28806
SHA1c336dd3dd5aeeef8f707e1ce734f1c678fad2dc5
SHA2564d1f14dddc90d94a454bb402d331d0ececde5aeb54797479269067f2f0e520c3
SHA5129805c89b8b39635ee0a6f205ff3a7847164cb04ab56a036218b86a7932dbb0b025ab946a2ca0e16403d6bbaefe2814f4f4b4bb1c2294b5f96990ef3c25a0c640
-
Filesize
72KB
MD56923e84223cb1d5f6dbf0293c48157f8
SHA112e3b48f03fc421d052a10a4710ea2ac3c1764eb
SHA2565f9ef45caefa4b812c725395e488eb3da0c6658525b1204d26050d8bb9ffdd35
SHA5127a49ba522c709d563ee55849aad71e8fa70f8c7d977421d2ef3cfa3f8bf934c303a520595dbdf7aba489e76f316f39d0ad311f087a48a69e7e4351a9f54f178a
-
Filesize
72KB
MD5f617079472b6a55377d97d078a6079d9
SHA115dbdf1dd6b522fdafeb9f80b0002fc4e6cacf4b
SHA256a907498cb84f28d9b65ec33bb76d80690fe6a67cb402fa0f969fe59e22194034
SHA5126f86320a7a497150d33d18a2ace69eb80d2fb35e1febd78d3b3ac2f2ffe5b71fcbdaacb0d0c6ec2d13a291c36163e9871da2e5ab3bab4c3a3eedd4d3150f2509
-
Filesize
72KB
MD5f617079472b6a55377d97d078a6079d9
SHA115dbdf1dd6b522fdafeb9f80b0002fc4e6cacf4b
SHA256a907498cb84f28d9b65ec33bb76d80690fe6a67cb402fa0f969fe59e22194034
SHA5126f86320a7a497150d33d18a2ace69eb80d2fb35e1febd78d3b3ac2f2ffe5b71fcbdaacb0d0c6ec2d13a291c36163e9871da2e5ab3bab4c3a3eedd4d3150f2509
-
Filesize
72KB
MD56923e84223cb1d5f6dbf0293c48157f8
SHA112e3b48f03fc421d052a10a4710ea2ac3c1764eb
SHA2565f9ef45caefa4b812c725395e488eb3da0c6658525b1204d26050d8bb9ffdd35
SHA5127a49ba522c709d563ee55849aad71e8fa70f8c7d977421d2ef3cfa3f8bf934c303a520595dbdf7aba489e76f316f39d0ad311f087a48a69e7e4351a9f54f178a
-
Filesize
72KB
MD553b9c3d047a51f096ed611b8aa903b60
SHA1a3994f8d815093a54a88054f9a12e8ae9db6528d
SHA256ebf67f1473f62b5b447c13e3df1741e059277abb9a63f336defc10063a699e63
SHA5127dcf1620ab789f21c037922f33d0501f94307b6d26995e0632232b7e4b18541403b50eadc0e04d37c83c59dc5a1ea1a22805a9992507970f5475296f5f6e3949
-
Filesize
72KB
MD553b9c3d047a51f096ed611b8aa903b60
SHA1a3994f8d815093a54a88054f9a12e8ae9db6528d
SHA256ebf67f1473f62b5b447c13e3df1741e059277abb9a63f336defc10063a699e63
SHA5127dcf1620ab789f21c037922f33d0501f94307b6d26995e0632232b7e4b18541403b50eadc0e04d37c83c59dc5a1ea1a22805a9992507970f5475296f5f6e3949
-
Filesize
72KB
MD5cac6ae8ff8599b62e5f133564782aeb1
SHA1b51b37a36e1cd0a16e0fed3a33c1d177c094d1dc
SHA2566784806cefdee76b1ee14e136337485c53d3278ad8f293c79f61558d8cbfca6c
SHA512443b5e51b8b8f62fa001e6fd3a9d7df04a70f70ac6bfc2898ab39435b1af2f59f874b60ac2fcabeed7a6208623911db2959592ef08f2a56b0e12fcd92a6fa4a8
-
Filesize
72KB
MD5cac6ae8ff8599b62e5f133564782aeb1
SHA1b51b37a36e1cd0a16e0fed3a33c1d177c094d1dc
SHA2566784806cefdee76b1ee14e136337485c53d3278ad8f293c79f61558d8cbfca6c
SHA512443b5e51b8b8f62fa001e6fd3a9d7df04a70f70ac6bfc2898ab39435b1af2f59f874b60ac2fcabeed7a6208623911db2959592ef08f2a56b0e12fcd92a6fa4a8
-
Filesize
72KB
MD5a6c7c9da7452a76dbd7022b50e5ffcae
SHA1c8227968e2447551fe51bf4b44ea5e8e6571d261
SHA256c7953a1f631e844196e44a17a2e5ba2a37c983284efcd848f14f775d6d4a5ee2
SHA5126dd1a918fbbd1986645793782875183a549271c8d962724806967784097552c689d13cea81c1f7f1573242a5f7486bae917d0c21873295e3984f2048213af110
-
Filesize
72KB
MD5a6c7c9da7452a76dbd7022b50e5ffcae
SHA1c8227968e2447551fe51bf4b44ea5e8e6571d261
SHA256c7953a1f631e844196e44a17a2e5ba2a37c983284efcd848f14f775d6d4a5ee2
SHA5126dd1a918fbbd1986645793782875183a549271c8d962724806967784097552c689d13cea81c1f7f1573242a5f7486bae917d0c21873295e3984f2048213af110
-
Filesize
72KB
MD5f06b7630bb9e8efbd0e63569c1560883
SHA195579ee18b1c01ad016ac740143a4a8354ffa743
SHA2566e76ef33051b38bca05d5120eb359a6978976f89bd02f2faf361061f3da0cd93
SHA51242f6b8221d0df884f2b1504ac4054411c911010d4f93c94b4bd93c05b5d278a5780e129db01473e12fe0ddac43b05f368ee7e3ff8f202488df936e47f14b2e3f
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize 72KB
MD5 f06b7630bb9e8efbd0e63569c1560883
SHA1 95579ee18b1c01ad016ac740143a4a8354ffa743
SHA256 6e76ef33051b38bca05d5120eb359a6978976f89bd02f2faf361061f3da0cd93
SHA512 42f6b8221d0df884f2b1504ac4054411c911010d4f93c94b4bd93c05b5d278a5780e129db01473e12fe0ddac43b05f368ee7e3ff8f202488df936e47f14b2e3f
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize 72KB
MD5 f06b7630bb9e8efbd0e63569c1560883
SHA1 95579ee18b1c01ad016ac740143a4a8354ffa743
SHA256 6e76ef33051b38bca05d5120eb359a6978976f89bd02f2faf361061f3da0cd93
SHA512 42f6b8221d0df884f2b1504ac4054411c911010d4f93c94b4bd93c05b5d278a5780e129db01473e12fe0ddac43b05f368ee7e3ff8f202488df936e47f14b2e3f
-
Filesize
72KB
MD5d4df1ab752521c3b59886b578a2e1871
SHA111581b61f7e449eb2d677c1130290a78767142e2
SHA2568a2912adde2cce2cb89eb2922665423e45b13733979134e2ae43b2f229e6e81e
SHA5125e831232972709b6b6706a93955c6fc52bc171314da936a077b080320a8761fe19eb7fa3d0f81068826e3178a35b999da7edc4269dc15d66306cf604e66a5984
-
Filesize
72KB
MD5a2f72a05efecc8b76d28cfd023373d0d
SHA195145929cca787f9daadb93c1a8c928a7c9f70bf
SHA256314998d7b09c8526d88c5a290b7a7f03738486f34636db46a09d871b320f4044
SHA512656c3be7c6d71b9b8376660472b34fbc5923a8ed5ad10d5cc02d5471c656c0e4cc0fa7de98464a2b18a228ad474019299818dbe5bb229839fdef84e4046ec754
-
Filesize
72KB
MD5d4df1ab752521c3b59886b578a2e1871
SHA111581b61f7e449eb2d677c1130290a78767142e2
SHA2568a2912adde2cce2cb89eb2922665423e45b13733979134e2ae43b2f229e6e81e
SHA5125e831232972709b6b6706a93955c6fc52bc171314da936a077b080320a8761fe19eb7fa3d0f81068826e3178a35b999da7edc4269dc15d66306cf604e66a5984
-
Filesize
72KB
MD5e1e21a78b9b470f58d00baf5e550083e
SHA11a93ca604c8deacbdc24929617e86ec7c109453c
SHA256939257d8dcb5619e758be41ca1e2972020a88a584402ef45e700917b6f05ad7b
SHA51203bc7cddd659b368cd32c178e3075f58b144e4c305673def6551afc831eed367528c9b48cd9fe428def0d46586f4f0e146c19d11dbcd7e370100ec28dacc368f
-
Filesize
72KB
MD5e1e21a78b9b470f58d00baf5e550083e
SHA11a93ca604c8deacbdc24929617e86ec7c109453c
SHA256939257d8dcb5619e758be41ca1e2972020a88a584402ef45e700917b6f05ad7b
SHA51203bc7cddd659b368cd32c178e3075f58b144e4c305673def6551afc831eed367528c9b48cd9fe428def0d46586f4f0e146c19d11dbcd7e370100ec28dacc368f
-
Filesize
72KB
MD5de62548e91d74255b5ef1002b83dcef7
SHA1b71e11941eaf63000174f9fed5755bcf02421941
SHA2560a84fbcd376f5aaf9ad292302dd78e7f1fceac3dee36831725eafb5bbd9d7c82
SHA5124ba9c9ffded29f01f41127b6b7223936c30fa019ae239ac57ab945eadd83f003559a811e1570900c813069f83a4dee08d527c85aaeede3818af548e7b1db9e88
-
Filesize
72KB
MD5de62548e91d74255b5ef1002b83dcef7
SHA1b71e11941eaf63000174f9fed5755bcf02421941
SHA2560a84fbcd376f5aaf9ad292302dd78e7f1fceac3dee36831725eafb5bbd9d7c82
SHA5124ba9c9ffded29f01f41127b6b7223936c30fa019ae239ac57ab945eadd83f003559a811e1570900c813069f83a4dee08d527c85aaeede3818af548e7b1db9e88
-
Filesize
72KB
MD5f1c5b17c90677b9944c541881908eb0c
SHA17cce43b6355f80254cc3c10c8bcfcd082804945e
SHA2562e1369796f953155ebeaa0f458d543969d0e89f9d3296d52c89af70d0c063fca
SHA512bbc93917d08edef768f6770cf2bdbd25f43173231ef33f457a7f3e5f408c973726530d1137770f389a296f8f7fcd818993db8a9ac37d93e60d1cf8a6f7f2276a
-
Filesize
72KB
MD5f1c5b17c90677b9944c541881908eb0c
SHA17cce43b6355f80254cc3c10c8bcfcd082804945e
SHA2562e1369796f953155ebeaa0f458d543969d0e89f9d3296d52c89af70d0c063fca
SHA512bbc93917d08edef768f6770cf2bdbd25f43173231ef33f457a7f3e5f408c973726530d1137770f389a296f8f7fcd818993db8a9ac37d93e60d1cf8a6f7f2276a
-
Filesize
72KB
MD518888654ddeb7b648e96574b05f28806
SHA1c336dd3dd5aeeef8f707e1ce734f1c678fad2dc5
SHA2564d1f14dddc90d94a454bb402d331d0ececde5aeb54797479269067f2f0e520c3
SHA5129805c89b8b39635ee0a6f205ff3a7847164cb04ab56a036218b86a7932dbb0b025ab946a2ca0e16403d6bbaefe2814f4f4b4bb1c2294b5f96990ef3c25a0c640
-
Filesize
72KB
MD518888654ddeb7b648e96574b05f28806
SHA1c336dd3dd5aeeef8f707e1ce734f1c678fad2dc5
SHA2564d1f14dddc90d94a454bb402d331d0ececde5aeb54797479269067f2f0e520c3
SHA5129805c89b8b39635ee0a6f205ff3a7847164cb04ab56a036218b86a7932dbb0b025ab946a2ca0e16403d6bbaefe2814f4f4b4bb1c2294b5f96990ef3c25a0c640
-
Filesize
72KB
MD553b9c3d047a51f096ed611b8aa903b60
SHA1a3994f8d815093a54a88054f9a12e8ae9db6528d
SHA256ebf67f1473f62b5b447c13e3df1741e059277abb9a63f336defc10063a699e63
SHA5127dcf1620ab789f21c037922f33d0501f94307b6d26995e0632232b7e4b18541403b50eadc0e04d37c83c59dc5a1ea1a22805a9992507970f5475296f5f6e3949
-
Filesize
72KB
MD553b9c3d047a51f096ed611b8aa903b60
SHA1a3994f8d815093a54a88054f9a12e8ae9db6528d
SHA256ebf67f1473f62b5b447c13e3df1741e059277abb9a63f336defc10063a699e63
SHA5127dcf1620ab789f21c037922f33d0501f94307b6d26995e0632232b7e4b18541403b50eadc0e04d37c83c59dc5a1ea1a22805a9992507970f5475296f5f6e3949
-
Filesize
72KB
MD557c062597de1b722bc7797b31c00b6a1
SHA1c9a4ff25c2a85b79e4f1f168fb3980a4a6d46ce0
SHA25685673813555e337f9aa3b7e3c397f9235f3df875bf08eb6c55663dfffe82828a
SHA5120b623e5fb56390d132cbee2b0e6eb37b3e3f1a4db1f3d93c0876442c385b768554c6a4cf8cc7cdb904cb985d8d88c1284378561844b7df39c5223d148fa645e4
-
Filesize
72KB
MD557c062597de1b722bc7797b31c00b6a1
SHA1c9a4ff25c2a85b79e4f1f168fb3980a4a6d46ce0
SHA25685673813555e337f9aa3b7e3c397f9235f3df875bf08eb6c55663dfffe82828a
SHA5120b623e5fb56390d132cbee2b0e6eb37b3e3f1a4db1f3d93c0876442c385b768554c6a4cf8cc7cdb904cb985d8d88c1284378561844b7df39c5223d148fa645e4
-
Filesize
72KB
MD518888654ddeb7b648e96574b05f28806
SHA1c336dd3dd5aeeef8f707e1ce734f1c678fad2dc5
SHA2564d1f14dddc90d94a454bb402d331d0ececde5aeb54797479269067f2f0e520c3
SHA5129805c89b8b39635ee0a6f205ff3a7847164cb04ab56a036218b86a7932dbb0b025ab946a2ca0e16403d6bbaefe2814f4f4b4bb1c2294b5f96990ef3c25a0c640
-
Filesize
72KB
MD518888654ddeb7b648e96574b05f28806
SHA1c336dd3dd5aeeef8f707e1ce734f1c678fad2dc5
SHA2564d1f14dddc90d94a454bb402d331d0ececde5aeb54797479269067f2f0e520c3
SHA5129805c89b8b39635ee0a6f205ff3a7847164cb04ab56a036218b86a7932dbb0b025ab946a2ca0e16403d6bbaefe2814f4f4b4bb1c2294b5f96990ef3c25a0c640
-
Filesize
72KB
MD56923e84223cb1d5f6dbf0293c48157f8
SHA112e3b48f03fc421d052a10a4710ea2ac3c1764eb
SHA2565f9ef45caefa4b812c725395e488eb3da0c6658525b1204d26050d8bb9ffdd35
SHA5127a49ba522c709d563ee55849aad71e8fa70f8c7d977421d2ef3cfa3f8bf934c303a520595dbdf7aba489e76f316f39d0ad311f087a48a69e7e4351a9f54f178a
-
Filesize
72KB
MD56923e84223cb1d5f6dbf0293c48157f8
SHA112e3b48f03fc421d052a10a4710ea2ac3c1764eb
SHA2565f9ef45caefa4b812c725395e488eb3da0c6658525b1204d26050d8bb9ffdd35
SHA5127a49ba522c709d563ee55849aad71e8fa70f8c7d977421d2ef3cfa3f8bf934c303a520595dbdf7aba489e76f316f39d0ad311f087a48a69e7e4351a9f54f178a
-
Filesize
72KB
MD5f617079472b6a55377d97d078a6079d9
SHA115dbdf1dd6b522fdafeb9f80b0002fc4e6cacf4b
SHA256a907498cb84f28d9b65ec33bb76d80690fe6a67cb402fa0f969fe59e22194034
SHA5126f86320a7a497150d33d18a2ace69eb80d2fb35e1febd78d3b3ac2f2ffe5b71fcbdaacb0d0c6ec2d13a291c36163e9871da2e5ab3bab4c3a3eedd4d3150f2509
-
Filesize
72KB
MD5f617079472b6a55377d97d078a6079d9
SHA115dbdf1dd6b522fdafeb9f80b0002fc4e6cacf4b
SHA256a907498cb84f28d9b65ec33bb76d80690fe6a67cb402fa0f969fe59e22194034
SHA5126f86320a7a497150d33d18a2ace69eb80d2fb35e1febd78d3b3ac2f2ffe5b71fcbdaacb0d0c6ec2d13a291c36163e9871da2e5ab3bab4c3a3eedd4d3150f2509
-
Filesize
72KB
MD56923e84223cb1d5f6dbf0293c48157f8
SHA112e3b48f03fc421d052a10a4710ea2ac3c1764eb
SHA2565f9ef45caefa4b812c725395e488eb3da0c6658525b1204d26050d8bb9ffdd35
SHA5127a49ba522c709d563ee55849aad71e8fa70f8c7d977421d2ef3cfa3f8bf934c303a520595dbdf7aba489e76f316f39d0ad311f087a48a69e7e4351a9f54f178a
-
Filesize
72KB
MD56923e84223cb1d5f6dbf0293c48157f8
SHA112e3b48f03fc421d052a10a4710ea2ac3c1764eb
SHA2565f9ef45caefa4b812c725395e488eb3da0c6658525b1204d26050d8bb9ffdd35
SHA5127a49ba522c709d563ee55849aad71e8fa70f8c7d977421d2ef3cfa3f8bf934c303a520595dbdf7aba489e76f316f39d0ad311f087a48a69e7e4351a9f54f178a
-
Filesize
72KB
MD56923e84223cb1d5f6dbf0293c48157f8
SHA112e3b48f03fc421d052a10a4710ea2ac3c1764eb
SHA2565f9ef45caefa4b812c725395e488eb3da0c6658525b1204d26050d8bb9ffdd35
SHA5127a49ba522c709d563ee55849aad71e8fa70f8c7d977421d2ef3cfa3f8bf934c303a520595dbdf7aba489e76f316f39d0ad311f087a48a69e7e4351a9f54f178a
-
Filesize
72KB
MD553b9c3d047a51f096ed611b8aa903b60
SHA1a3994f8d815093a54a88054f9a12e8ae9db6528d
SHA256ebf67f1473f62b5b447c13e3df1741e059277abb9a63f336defc10063a699e63
SHA5127dcf1620ab789f21c037922f33d0501f94307b6d26995e0632232b7e4b18541403b50eadc0e04d37c83c59dc5a1ea1a22805a9992507970f5475296f5f6e3949
-
Filesize
72KB
MD553b9c3d047a51f096ed611b8aa903b60
SHA1a3994f8d815093a54a88054f9a12e8ae9db6528d
SHA256ebf67f1473f62b5b447c13e3df1741e059277abb9a63f336defc10063a699e63
SHA5127dcf1620ab789f21c037922f33d0501f94307b6d26995e0632232b7e4b18541403b50eadc0e04d37c83c59dc5a1ea1a22805a9992507970f5475296f5f6e3949
-
Filesize
72KB
MD5cac6ae8ff8599b62e5f133564782aeb1
SHA1b51b37a36e1cd0a16e0fed3a33c1d177c094d1dc
SHA2566784806cefdee76b1ee14e136337485c53d3278ad8f293c79f61558d8cbfca6c
SHA512443b5e51b8b8f62fa001e6fd3a9d7df04a70f70ac6bfc2898ab39435b1af2f59f874b60ac2fcabeed7a6208623911db2959592ef08f2a56b0e12fcd92a6fa4a8
-
Filesize
72KB
MD5cac6ae8ff8599b62e5f133564782aeb1
SHA1b51b37a36e1cd0a16e0fed3a33c1d177c094d1dc
SHA2566784806cefdee76b1ee14e136337485c53d3278ad8f293c79f61558d8cbfca6c
SHA512443b5e51b8b8f62fa001e6fd3a9d7df04a70f70ac6bfc2898ab39435b1af2f59f874b60ac2fcabeed7a6208623911db2959592ef08f2a56b0e12fcd92a6fa4a8
-
Filesize
72KB
MD5a6c7c9da7452a76dbd7022b50e5ffcae
SHA1c8227968e2447551fe51bf4b44ea5e8e6571d261
SHA256c7953a1f631e844196e44a17a2e5ba2a37c983284efcd848f14f775d6d4a5ee2
SHA5126dd1a918fbbd1986645793782875183a549271c8d962724806967784097552c689d13cea81c1f7f1573242a5f7486bae917d0c21873295e3984f2048213af110
-
Filesize
72KB
MD5a6c7c9da7452a76dbd7022b50e5ffcae
SHA1c8227968e2447551fe51bf4b44ea5e8e6571d261
SHA256c7953a1f631e844196e44a17a2e5ba2a37c983284efcd848f14f775d6d4a5ee2
SHA5126dd1a918fbbd1986645793782875183a549271c8d962724806967784097552c689d13cea81c1f7f1573242a5f7486bae917d0c21873295e3984f2048213af110
-
Filesize
72KB
MD5f06b7630bb9e8efbd0e63569c1560883
SHA195579ee18b1c01ad016ac740143a4a8354ffa743
SHA2566e76ef33051b38bca05d5120eb359a6978976f89bd02f2faf361061f3da0cd93
SHA51242f6b8221d0df884f2b1504ac4054411c911010d4f93c94b4bd93c05b5d278a5780e129db01473e12fe0ddac43b05f368ee7e3ff8f202488df936e47f14b2e3f
-
Filesize
72KB
MD5f06b7630bb9e8efbd0e63569c1560883
SHA195579ee18b1c01ad016ac740143a4a8354ffa743
SHA2566e76ef33051b38bca05d5120eb359a6978976f89bd02f2faf361061f3da0cd93
SHA51242f6b8221d0df884f2b1504ac4054411c911010d4f93c94b4bd93c05b5d278a5780e129db01473e12fe0ddac43b05f368ee7e3ff8f202488df936e47f14b2e3f
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB
MD5f06b7630bb9e8efbd0e63569c1560883
SHA195579ee18b1c01ad016ac740143a4a8354ffa743
SHA2566e76ef33051b38bca05d5120eb359a6978976f89bd02f2faf361061f3da0cd93
SHA51242f6b8221d0df884f2b1504ac4054411c911010d4f93c94b4bd93c05b5d278a5780e129db01473e12fe0ddac43b05f368ee7e3ff8f202488df936e47f14b2e3f
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB
MD5f06b7630bb9e8efbd0e63569c1560883
SHA195579ee18b1c01ad016ac740143a4a8354ffa743
SHA2566e76ef33051b38bca05d5120eb359a6978976f89bd02f2faf361061f3da0cd93
SHA51242f6b8221d0df884f2b1504ac4054411c911010d4f93c94b4bd93c05b5d278a5780e129db01473e12fe0ddac43b05f368ee7e3ff8f202488df936e47f14b2e3f
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB
MD5f06b7630bb9e8efbd0e63569c1560883
SHA195579ee18b1c01ad016ac740143a4a8354ffa743
SHA2566e76ef33051b38bca05d5120eb359a6978976f89bd02f2faf361061f3da0cd93
SHA51242f6b8221d0df884f2b1504ac4054411c911010d4f93c94b4bd93c05b5d278a5780e129db01473e12fe0ddac43b05f368ee7e3ff8f202488df936e47f14b2e3f
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB
MD5f06b7630bb9e8efbd0e63569c1560883
SHA195579ee18b1c01ad016ac740143a4a8354ffa743
SHA2566e76ef33051b38bca05d5120eb359a6978976f89bd02f2faf361061f3da0cd93
SHA51242f6b8221d0df884f2b1504ac4054411c911010d4f93c94b4bd93c05b5d278a5780e129db01473e12fe0ddac43b05f368ee7e3ff8f202488df936e47f14b2e3f
-
Filesize
72KB
MD5d4df1ab752521c3b59886b578a2e1871
SHA111581b61f7e449eb2d677c1130290a78767142e2
SHA2568a2912adde2cce2cb89eb2922665423e45b13733979134e2ae43b2f229e6e81e
SHA5125e831232972709b6b6706a93955c6fc52bc171314da936a077b080320a8761fe19eb7fa3d0f81068826e3178a35b999da7edc4269dc15d66306cf604e66a5984
-
Filesize
72KB
MD5d4df1ab752521c3b59886b578a2e1871
SHA111581b61f7e449eb2d677c1130290a78767142e2
SHA2568a2912adde2cce2cb89eb2922665423e45b13733979134e2ae43b2f229e6e81e
SHA5125e831232972709b6b6706a93955c6fc52bc171314da936a077b080320a8761fe19eb7fa3d0f81068826e3178a35b999da7edc4269dc15d66306cf604e66a5984
-
Filesize
72KB
MD5a2f72a05efecc8b76d28cfd023373d0d
SHA195145929cca787f9daadb93c1a8c928a7c9f70bf
SHA256314998d7b09c8526d88c5a290b7a7f03738486f34636db46a09d871b320f4044
SHA512656c3be7c6d71b9b8376660472b34fbc5923a8ed5ad10d5cc02d5471c656c0e4cc0fa7de98464a2b18a228ad474019299818dbe5bb229839fdef84e4046ec754
-
Filesize
72KB
MD5a2f72a05efecc8b76d28cfd023373d0d
SHA195145929cca787f9daadb93c1a8c928a7c9f70bf
SHA256314998d7b09c8526d88c5a290b7a7f03738486f34636db46a09d871b320f4044
SHA512656c3be7c6d71b9b8376660472b34fbc5923a8ed5ad10d5cc02d5471c656c0e4cc0fa7de98464a2b18a228ad474019299818dbe5bb229839fdef84e4046ec754
-
Filesize
72KB
MD5d4df1ab752521c3b59886b578a2e1871
SHA111581b61f7e449eb2d677c1130290a78767142e2
SHA2568a2912adde2cce2cb89eb2922665423e45b13733979134e2ae43b2f229e6e81e
SHA5125e831232972709b6b6706a93955c6fc52bc171314da936a077b080320a8761fe19eb7fa3d0f81068826e3178a35b999da7edc4269dc15d66306cf604e66a5984
-
Filesize
72KB
MD5d4df1ab752521c3b59886b578a2e1871
SHA111581b61f7e449eb2d677c1130290a78767142e2
SHA2568a2912adde2cce2cb89eb2922665423e45b13733979134e2ae43b2f229e6e81e
SHA5125e831232972709b6b6706a93955c6fc52bc171314da936a077b080320a8761fe19eb7fa3d0f81068826e3178a35b999da7edc4269dc15d66306cf604e66a5984