Analysis
max time kernel
211s -
max time network
246s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted
29-11-2022 14:23
Static task
static1
Behavioral task
behavioral1
Sample
27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe
Resource
win10v2004-20221111-en (the run whose results are shown on this page; the win7-20220901-en behavioral1 run is not shown here)
General
Target
27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe
Size
72KB
MD5
00ef91b9925c158267e47d37a386d0f8
SHA1
78a07403ee5d4af497e64613d6e6c57c70d78a9f
SHA256 (preferred identifier for pivoting and blocking; MD5/SHA1 above are legacy and collision-prone; matches the submitted filename)
27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc
SHA512
6c3810cd00310fc19b3dd2504f13174a822bca562b86ac039f0dc71af608d9ca6d1f88846542e9d35135ea77f48a8cfed5ae5ab6e303a75cc31d1ba8b14c704a
SSDEEP
384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2s:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrP4
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Sets Explorer\Advanced\HideFileExt = 1 in the user hive, which hides known file extensions so the dropped copies (backup.exe, update.exe, data.exe, System Restore.exe) display without their .exe suffix. The value is written repeatedly by each running copy. The count of 64 is the same for several signatures below and is likely a display cap, so these lists may be truncated.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" update.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" update.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value 
(int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set 
value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" System Restore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" update.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 
backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" System Restore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe -
Disables RegEdit via registry modification 64 IoCs
Sets Policies\System\DisableRegistryTools = 1 under both HKLM and the user hive; the successful HKLM writes indicate the sample ran with rights to modify the machine hive in this sandbox. This blocks regedit for manual cleanup, so revert both values (e.g. via reg.exe or PowerShell) when remediating. It is written by the original sample and by its dropped copies, so it is re-applied as each copy runs.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" System Restore.exe 
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set 
value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" System Restore.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" System Restore.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" update.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe -
Executes dropped EXE 64 IoCs
The dropped copies run under four names: backup.exe, update.exe, data.exe and System Restore.exe. Note that PID 384 appears twice for backup.exe, so PIDs were reused during the run and are not unique process identifiers in this report; correlate by image name and parent PID as well.
pid Process 3076 backup.exe 3492 backup.exe 5116 backup.exe 1160 backup.exe 3332 backup.exe 3456 backup.exe 3704 backup.exe 4424 update.exe 3200 backup.exe 1240 update.exe 2688 update.exe 3084 backup.exe 4588 backup.exe 3404 backup.exe 4704 backup.exe 2312 backup.exe 4068 backup.exe 3608 backup.exe 5044 backup.exe 3720 backup.exe 384 backup.exe 1764 backup.exe 3752 backup.exe 1424 backup.exe 1008 backup.exe 3764 backup.exe 2940 backup.exe 4040 backup.exe 3128 backup.exe 4920 data.exe 1132 backup.exe 4060 backup.exe 2252 backup.exe 4716 backup.exe 4684 update.exe 208 backup.exe 4688 backup.exe 4228 backup.exe 2112 backup.exe 920 data.exe 2848 backup.exe 5076 backup.exe 1700 backup.exe 1216 System Restore.exe 3500 backup.exe 1164 backup.exe 5072 System Restore.exe 1752 System Restore.exe 3488 backup.exe 2700 backup.exe 1628 backup.exe 384 backup.exe 640 backup.exe 4324 backup.exe 1992 backup.exe 4608 backup.exe 4304 backup.exe 1560 backup.exe 5000 backup.exe 748 backup.exe 3284 backup.exe 4416 System Restore.exe 4828 backup.exe 4724 backup.exe -
Drops file in Program Files directory 64 IoCs
Each entry is a write-open of a new executable (backup.exe, update.exe, data.exe or System Restore.exe) inside an existing Program Files or Program Files (x86) subdirectory, performed by the sample's already-running copies. The pattern is self-replication into many locations rather than modification of the legitimate installed binaries; the list is likely capped at 64 entries.
description ioc Process File opened for modification C:\Program Files\Google\backup.exe update.exe File opened for modification C:\Program Files\Common Files\System\es-ES\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe backup.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Services\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe backup.exe File opened for modification C:\Program Files\Internet Explorer\it-IT\update.exe backup.exe File opened for modification C:\Program Files\Java\backup.exe update.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\System Restore.exe update.exe File opened for modification C:\Program Files\Internet Explorer\ja-JP\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe backup.exe File opened for modification C:\Program Files\Internet Explorer\de-DE\System Restore.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe backup.exe File opened for modification C:\Program Files\Internet Explorer\es-ES\backup.exe backup.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe System Restore.exe File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common 
Files\Adobe\HelpCfg\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\System\ado\it-IT\backup.exe System Restore.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Google\backup.exe data.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\System Restore.exe System Restore.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\backup.exe data.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe backup.exe File opened for modification C:\Program Files\Google\Chrome\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\System\it-IT\update.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\System\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\System\ja-JP\backup.exe backup.exe File opened for 
modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe System Restore.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe update.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\System Restore.exe data.exe File opened for modification C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe backup.exe File opened for modification C:\Program Files\Internet Explorer\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\System\ado\ja-JP\backup.exe System Restore.exe File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\update.exe backup.exe File opened for modification C:\Program Files\Common Files\System\en-US\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe backup.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe update.exe File opened for modification C:\Program Files\update.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe backup.exe File opened for modification C:\Program Files\Internet Explorer\backup.exe update.exe File opened for modification C:\Program Files\Internet Explorer\images\backup.exe backup.exe 
File opened for modification C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\System\ado\System Restore.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe update.exe File opened for modification C:\Program Files\Microsoft Office\backup.exe update.exe File opened for modification C:\Program Files (x86)\data.exe backup.exe -
Drops file in Windows directory 10 IoCs
The same replication pattern into C:\Windows and its appcompat, apppatch and addins subdirectories, all performed by backup.exe copies. Writes here require administrative rights, consistent with the HKLM registry changes above.
description ioc Process File opened for modification C:\Windows\apppatch\backup.exe backup.exe File opened for modification C:\Windows\apppatch\AppPatch64\backup.exe backup.exe File opened for modification C:\Windows\appcompat\Programs\backup.exe backup.exe File opened for modification C:\Windows\apppatch\Custom\backup.exe backup.exe File opened for modification C:\Windows\backup.exe backup.exe File opened for modification C:\Windows\appcompat\appraiser\backup.exe backup.exe File opened for modification C:\Windows\appcompat\appraiser\Telemetry\backup.exe backup.exe File opened for modification C:\Windows\addins\backup.exe backup.exe File opened for modification C:\Windows\appcompat\backup.exe backup.exe File opened for modification C:\Windows\appcompat\encapsulation\backup.exe backup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but it is a generic heuristic: nothing else in this report shows file encryption or a ransom note, and the dominant behaviour is copying itself as backup.exe/update.exe/data.exe/System Restore.exe across many directories. Drive enumeration is at least as consistent with spreading onto other volumes; treat the ransomware label as unconfirmed.
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4796 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Called by the original sample and by every dropped copy. SetWindowsHookEx is used for keyboard hooks (keylogging) but also by ordinary GUI code; the report records only the call, not the hook type, so do not infer keylogging from this signature alone.
pid Process 4796 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe 3076 backup.exe 3492 backup.exe 1160 backup.exe 3332 backup.exe 5116 backup.exe 3456 backup.exe 3704 backup.exe 4424 update.exe 3200 backup.exe 1240 update.exe 2688 update.exe 3084 backup.exe 4588 backup.exe 3404 backup.exe 4704 backup.exe 2312 backup.exe 4068 backup.exe 3608 backup.exe 5044 backup.exe 3720 backup.exe 384 backup.exe 1764 backup.exe 3752 backup.exe 1424 backup.exe 1008 backup.exe 3764 backup.exe 2940 backup.exe 4040 backup.exe 4920 data.exe 3128 backup.exe 1132 backup.exe 4060 backup.exe 2252 backup.exe 4716 backup.exe 208 backup.exe 4684 update.exe 4228 backup.exe 4688 backup.exe 2112 backup.exe 920 data.exe 2848 backup.exe 5076 backup.exe 3500 backup.exe 1700 backup.exe 1164 backup.exe 5072 System Restore.exe 1216 System Restore.exe 1752 System Restore.exe 3488 backup.exe 384 backup.exe 1628 backup.exe 3284 backup.exe 5000 backup.exe 4416 System Restore.exe 1560 backup.exe 748 backup.exe 640 backup.exe 2700 backup.exe 4304 backup.exe 4324 backup.exe 4608 backup.exe 1992 backup.exe 4828 backup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Every target PID here is a newly created backup.exe or update.exe that also appears in the dropped-EXE list, and each parent→child pair is logged three times. This is consistent with process creation of the dropped copies rather than injection into an unrelated existing process; verify against the process tree before treating it as injection. The list is cut off at the end of this excerpt.
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4796 wrote to memory of 3076 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 82 |
| PID 4796 wrote to memory of 3076 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 82 |
| PID 4796 wrote to memory of 3076 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 82 |
| PID 4796 wrote to memory of 3492 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 83 |
| PID 4796 wrote to memory of 3492 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 83 |
| PID 4796 wrote to memory of 3492 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 83 |
| PID 3076 wrote to memory of 5116 | 3076 | backup.exe | 84 |
| PID 3076 wrote to memory of 5116 | 3076 | backup.exe | 84 |
| PID 3076 wrote to memory of 5116 | 3076 | backup.exe | 84 |
| PID 4796 wrote to memory of 1160 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 85 |
| PID 4796 wrote to memory of 1160 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 85 |
| PID 4796 wrote to memory of 1160 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 85 |
| PID 4796 wrote to memory of 3332 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 86 |
| PID 4796 wrote to memory of 3332 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 86 |
| PID 4796 wrote to memory of 3332 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 86 |
| PID 4796 wrote to memory of 3456 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 87 |
| PID 4796 wrote to memory of 3456 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 87 |
| PID 4796 wrote to memory of 3456 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 87 |
| PID 5116 wrote to memory of 3704 | 5116 | backup.exe | 88 |
| PID 5116 wrote to memory of 3704 | 5116 | backup.exe | 88 |
| PID 5116 wrote to memory of 3704 | 5116 | backup.exe | 88 |
| PID 4796 wrote to memory of 4424 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 89 |
| PID 4796 wrote to memory of 4424 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 89 |
| PID 4796 wrote to memory of 4424 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 89 |
| PID 5116 wrote to memory of 3200 | 5116 | backup.exe | 90 |
| PID 5116 wrote to memory of 3200 | 5116 | backup.exe | 90 |
| PID 5116 wrote to memory of 3200 | 5116 | backup.exe | 90 |
| PID 4796 wrote to memory of 1240 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 91 |
| PID 4796 wrote to memory of 1240 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 91 |
| PID 4796 wrote to memory of 1240 | 4796 | 27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe | 91 |
| PID 5116 wrote to memory of 2688 | 5116 | backup.exe | 92 |
| PID 5116 wrote to memory of 2688 | 5116 | backup.exe | 92 |
| PID 5116 wrote to memory of 2688 | 5116 | backup.exe | 92 |
| PID 2688 wrote to memory of 3084 | 2688 | update.exe | 93 |
| PID 2688 wrote to memory of 3084 | 2688 | update.exe | 93 |
| PID 2688 wrote to memory of 3084 | 2688 | update.exe | 93 |
| PID 3084 wrote to memory of 4588 | 3084 | backup.exe | 95 |
| PID 3084 wrote to memory of 4588 | 3084 | backup.exe | 95 |
| PID 3084 wrote to memory of 4588 | 3084 | backup.exe | 95 |
| PID 2688 wrote to memory of 3404 | 2688 | update.exe | 96 |
| PID 2688 wrote to memory of 3404 | 2688 | update.exe | 96 |
| PID 2688 wrote to memory of 3404 | 2688 | update.exe | 96 |
| PID 3404 wrote to memory of 4704 | 3404 | backup.exe | 97 |
| PID 3404 wrote to memory of 4704 | 3404 | backup.exe | 97 |
| PID 3404 wrote to memory of 4704 | 3404 | backup.exe | 97 |
| PID 3404 wrote to memory of 2312 | 3404 | backup.exe | 98 |
| PID 3404 wrote to memory of 2312 | 3404 | backup.exe | 98 |
| PID 3404 wrote to memory of 2312 | 3404 | backup.exe | 98 |
| PID 2312 wrote to memory of 4068 | 2312 | backup.exe | 99 |
| PID 2312 wrote to memory of 4068 | 2312 | backup.exe | 99 |
| PID 2312 wrote to memory of 4068 | 2312 | backup.exe | 99 |
| PID 2312 wrote to memory of 3608 | 2312 | backup.exe | 100 |
| PID 2312 wrote to memory of 3608 | 2312 | backup.exe | 100 |
| PID 2312 wrote to memory of 3608 | 2312 | backup.exe | 100 |
| PID 3608 wrote to memory of 5044 | 3608 | backup.exe | 101 |
| PID 3608 wrote to memory of 5044 | 3608 | backup.exe | 101 |
| PID 3608 wrote to memory of 5044 | 3608 | backup.exe | 101 |
| PID 3608 wrote to memory of 3720 | 3608 | backup.exe | 102 |
| PID 3608 wrote to memory of 3720 | 3608 | backup.exe | 102 |
| PID 3608 wrote to memory of 3720 | 3608 | backup.exe | 102 |
| PID 3608 wrote to memory of 384 | 3608 | backup.exe | 103 |
| PID 3608 wrote to memory of 384 | 3608 | backup.exe | 103 |
| PID 3608 wrote to memory of 384 | 3608 | backup.exe | 103 |
| PID 3608 wrote to memory of 1764 | 3608 | backup.exe | 105 |
-
System policy modification 1 TTPs 64 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | System Restore.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | System Restore.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | update.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | System Restore.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | System Restore.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | update.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | System Restore.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | update.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | backup.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | backup.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | backup.exe |
Processes
-
C:\Users\Admin\AppData\Local\Temp\27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe"C:\Users\Admin\AppData\Local\Temp\27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe"1⤵
- Disables RegEdit via registry modification
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Users\Admin\AppData\Local\Temp\2703042586\backup.exeC:\Users\Admin\AppData\Local\Temp\2703042586\backup.exe C:\Users\Admin\AppData\Local\Temp\2703042586\2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\backup.exe\backup.exe \3⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5116 -
C:\odt\backup.exeC:\odt\backup.exe C:\odt\4⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3704
-
-
C:\PerfLogs\backup.exeC:\PerfLogs\backup.exe C:\PerfLogs\4⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3200
-
-
C:\Program Files\update.exe"C:\Program Files\update.exe" C:\Program Files\4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2688 -
C:\Program Files\7-Zip\backup.exe"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Program Files\7-Zip\Lang\backup.exe"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4588
-
-
-
C:\Program Files\Common Files\backup.exe"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\5⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Program Files\Common Files\DESIGNER\backup.exe"C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4704
-
-
C:\Program Files\Common Files\microsoft shared\backup.exe"C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2312 -
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe"C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\7⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4068
-
-
C:\Program Files\Common Files\microsoft shared\ink\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3608 -
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5044
-
-
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3720
-
-
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:384
-
-
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1764
-
-
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3752
-
-
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1424
-
-
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1008
-
-
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3764
-
-
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2940
-
-
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1132
-
-
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2112
-
-
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2848
-
-
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1164
-
-
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1628
-
-
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\update.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\8⤵
- Drops file in Program Files directory
PID:432 -
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:1580
-
-
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:4148
-
-
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\System Restore.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\9⤵
- System policy modification
PID:1764
-
-
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\9⤵
- System policy modification
PID:3644
-
-
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\9⤵PID:5028
-
-
-
C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\8⤵
- Disables RegEdit via registry modification
PID:2036
-
-
C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2244
-
-
C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\8⤵PID:4328
-
-
-
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4060 -
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\update.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4684
-
-
C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1700
-
-
C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3284
-
-
C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\8⤵
- System policy modification
PID:2832
-
-
C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1976
-
-
C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\8⤵
- System policy modification
PID:4660
-
-
-
C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe"C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\7⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4304 -
C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe"C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\8⤵
- Modifies visibility of file extensions in Explorer
PID:1552
-
-
-
C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe"C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\7⤵PID:3912
-
-
C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe"C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\7⤵
- Disables RegEdit via registry modification
PID:1068
-
-
C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe"C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\7⤵
- Modifies visibility of file extensions in Explorer
PID:544
-
-
C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe"C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\7⤵
- Modifies visibility of file extensions in Explorer
PID:2820 -
C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe"C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\8⤵PID:1928
-
-
-
-
C:\Program Files\Common Files\Services\backup.exe"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\6⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3128
-
-
C:\Program Files\Common Files\System\backup.exe"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4688 -
C:\Program Files\Common Files\System\ado\System Restore.exe"C:\Program Files\Common Files\System\ado\System Restore.exe" C:\Program Files\Common Files\System\ado\7⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1752 -
C:\Program Files\Common Files\System\ado\de-DE\backup.exe"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4828
-
-
C:\Program Files\Common Files\System\ado\en-US\backup.exe"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\8⤵PID:4176
-
-
C:\Program Files\Common Files\System\ado\es-ES\data.exe"C:\Program Files\Common Files\System\ado\es-ES\data.exe" C:\Program Files\Common Files\System\ado\es-ES\8⤵
- Modifies visibility of file extensions in Explorer
PID:2440
-
-
C:\Program Files\Common Files\System\ado\fr-FR\backup.exe"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\8⤵PID:316
-
-
C:\Program Files\Common Files\System\ado\it-IT\backup.exe"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:4172
-
-
C:\Program Files\Common Files\System\ado\ja-JP\backup.exe"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\8⤵PID:4304
-
-
-
C:\Program Files\Common Files\System\de-DE\backup.exe"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4608
-
-
C:\Program Files\Common Files\System\en-US\backup.exe"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\7⤵PID:2524
-
-
C:\Program Files\Common Files\System\es-ES\backup.exe"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\7⤵
- Disables RegEdit via registry modification
PID:4784
-
-
C:\Program Files\Common Files\System\fr-FR\backup.exe"C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\7⤵
- Disables RegEdit via registry modification
- System policy modification
PID:4336
-
-
C:\Program Files\Common Files\System\it-IT\update.exe"C:\Program Files\Common Files\System\it-IT\update.exe" C:\Program Files\Common Files\System\it-IT\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:2648
-
-
C:\Program Files\Common Files\System\ja-JP\backup.exe"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\7⤵PID:212
-
-
-
-
C:\Program Files\Google\backup.exe"C:\Program Files\Google\backup.exe" C:\Program Files\Google\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4040 -
C:\Program Files\Google\Chrome\backup.exe"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2252 -
C:\Program Files\Google\Chrome\Application\data.exe"C:\Program Files\Google\Chrome\Application\data.exe" C:\Program Files\Google\Chrome\Application\7⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:920 -
C:\Program Files\Google\Chrome\Application\89.0.4389.114\System Restore.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5072 -
C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\System Restore.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4416
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\data.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\9⤵
- Modifies visibility of file extensions in Explorer
PID:1888
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\System Restore.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\9⤵
- System policy modification
PID:4704
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\9⤵
- System policy modification
PID:4348
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\9⤵PID:4396
-
-
-
C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4324
-
-
-
-
-
C:\Program Files\Internet Explorer\backup.exe"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:208 -
C:\Program Files\Internet Explorer\de-DE\System Restore.exe"C:\Program Files\Internet Explorer\de-DE\System Restore.exe" C:\Program Files\Internet Explorer\de-DE\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1216
-
-
C:\Program Files\Internet Explorer\en-US\backup.exe"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\6⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2700
-
-
C:\Program Files\Internet Explorer\es-ES\backup.exe"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\6⤵
- System policy modification
PID:4792
-
-
C:\Program Files\Internet Explorer\fr-FR\backup.exe"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\6⤵
- System policy modification
PID:4940
-
-
C:\Program Files\Internet Explorer\images\backup.exe"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\6⤵
- Modifies visibility of file extensions in Explorer
PID:3936
-
-
C:\Program Files\Internet Explorer\it-IT\update.exe"C:\Program Files\Internet Explorer\it-IT\update.exe" C:\Program Files\Internet Explorer\it-IT\6⤵
- Disables RegEdit via registry modification
- System policy modification
PID:3336
-
-
C:\Program Files\Internet Explorer\ja-JP\backup.exe"C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\6⤵
PID:2848
-
-
-
C:\Program Files\Java\backup.exe"C:\Program Files\Java\backup.exe" C:\Program Files\Java\5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5000 -
C:\Program Files\Java\jdk1.8.0_66\backup.exe"C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\6⤵
- Modifies visibility of file extensions in Explorer
PID:2288 -
C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe"C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\7⤵
- Disables RegEdit via registry modification
PID:4020
-
-
C:\Program Files\Java\jdk1.8.0_66\db\backup.exe"C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1680 -
C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe"C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\8⤵
- Disables RegEdit via registry modification
PID:1592
-
-
C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe"C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\8⤵
PID:680
-
-
-
-
C:\Program Files\Java\jre1.8.0_66\backup.exe"C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1692 -
C:\Program Files\Java\jre1.8.0_66\bin\backup.exe"C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1208 -
C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe"C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\8⤵
PID:4408
-
-
-
-
-
C:\Program Files\Microsoft Office\backup.exe"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:1412 -
C:\Program Files\Microsoft Office\Office16\backup.exe"C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\6⤵
- Modifies visibility of file extensions in Explorer
PID:3496
-
-
C:\Program Files\Microsoft Office\PackageManifests\backup.exe"C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\6⤵
PID:1060
-
-
-
-
C:\Program Files (x86)\data.exe"C:\Program Files (x86)\data.exe" C:\Program Files (x86)\4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4920 -
C:\Program Files (x86)\Adobe\backup.exe"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4228 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5076 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\7⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3488
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1992 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\8⤵
PID:2564
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:3180
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:3908 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\9⤵
- Disables RegEdit via registry modification
PID:5064
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\8⤵
PID:4008
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:4184 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\8⤵
- Drops file in Program Files directory
PID:3376
-
-
-
-
-
C:\Program Files (x86)\Common Files\backup.exe"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:640 -
C:\Program Files (x86)\Common Files\Adobe\backup.exe"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:3384 -
C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:4924
-
-
C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe"C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:1708 -
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\8⤵
- Disables RegEdit via registry modification
PID:1020
-
-
-
C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\7⤵
PID:1248
-
C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:4016
-
-
-
C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\7⤵
PID:4824
-
-
-
C:\Program Files (x86)\Common Files\Java\backup.exe"C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- System policy modification
PID:4828 -
C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe"C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\7⤵
PID:3700
-
-
-
-
C:\Program Files (x86)\Google\backup.exe"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\5⤵
- Modifies visibility of file extensions in Explorer
PID:5032 -
C:\Program Files (x86)\Google\CrashReports\backup.exe"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\6⤵
PID:3552
-
-
-
-
C:\Users\backup.exeC:\Users\backup.exe C:\Users\4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4716 -
C:\Users\Admin\backup.exeC:\Users\Admin\backup.exe C:\Users\Admin\5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3500 -
C:\Users\Admin\3D Objects\backup.exe"C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:748
-
-
C:\Users\Admin\Contacts\backup.exeC:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\6⤵
- Modifies visibility of file extensions in Explorer
PID:4900
-
-
C:\Users\Admin\Desktop\backup.exeC:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:3464
-
-
C:\Users\Admin\Documents\backup.exeC:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:400
-
-
C:\Users\Admin\Downloads\backup.exeC:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\6⤵
PID:1260
-
-
C:\Users\Admin\Favorites\backup.exeC:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\6⤵
PID:3464
-
-
C:\Users\Admin\Links\backup.exeC:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\6⤵
PID:5112
-
-
-
C:\Users\Public\backup.exeC:\Users\Public\backup.exe C:\Users\Public\5⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1560 -
C:\Users\Public\Documents\backup.exeC:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\6⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1148
-
-
C:\Users\Public\Downloads\data.exeC:\Users\Public\Downloads\data.exe C:\Users\Public\Downloads\6⤵
- Modifies visibility of file extensions in Explorer
PID:3576
-
-
C:\Users\Public\Music\backup.exeC:\Users\Public\Music\backup.exe C:\Users\Public\Music\6⤵
PID:3252
-
-
C:\Users\Public\Pictures\backup.exeC:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\6⤵
- Disables RegEdit via registry modification
PID:2168
-
-
-
-
C:\Windows\backup.exeC:\Windows\backup.exe C:\Windows\4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:384 -
C:\Windows\addins\backup.exeC:\Windows\addins\backup.exe C:\Windows\addins\5⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- System policy modification
PID:4724
-
-
C:\Windows\appcompat\backup.exeC:\Windows\appcompat\backup.exe C:\Windows\appcompat\5⤵
- Drops file in Windows directory
PID:3060 -
C:\Windows\appcompat\appraiser\backup.exeC:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\6⤵
- Drops file in Windows directory
- System policy modification
PID:5024 -
C:\Windows\appcompat\appraiser\Telemetry\backup.exeC:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\7⤵
- Modifies visibility of file extensions in Explorer
PID:1240
-
-
-
C:\Windows\appcompat\encapsulation\backup.exeC:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:3812
-
-
C:\Windows\appcompat\Programs\backup.exeC:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\6⤵
PID:1580
-
-
-
C:\Windows\apppatch\backup.exeC:\Windows\apppatch\backup.exe C:\Windows\apppatch\5⤵
- Disables RegEdit via registry modification
- Drops file in Windows directory
PID:2580 -
C:\Windows\apppatch\AppPatch64\backup.exeC:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:2620
-
-
C:\Windows\apppatch\Custom\backup.exeC:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\6⤵
PID:4488
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exeC:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3492
-
-
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exeC:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1160
-
-
C:\Users\Admin\AppData\Local\Temp\Low\backup.exeC:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3332
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3456
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4424
-
-
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exeC:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1240
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
72KB
MD5ccc0eb8a6475600cc50a7ba286fbae27
SHA11136239311df875de99a7e53a15083cb59f117a0
SHA25652aeb0a3f646ac9e5dbe1c1017c990aa2227ce24ae1617c510460e500047d18a
SHA512b9f034565787428ef8e1327cdaccfa2927df844c14419046379e20c400a01cc6a596d45f52cbd154784563017298c94b64de5c50d15b7300d3f41f1e06fd0160
-
Filesize
72KB
MD5ccc0eb8a6475600cc50a7ba286fbae27
SHA11136239311df875de99a7e53a15083cb59f117a0
SHA25652aeb0a3f646ac9e5dbe1c1017c990aa2227ce24ae1617c510460e500047d18a
SHA512b9f034565787428ef8e1327cdaccfa2927df844c14419046379e20c400a01cc6a596d45f52cbd154784563017298c94b64de5c50d15b7300d3f41f1e06fd0160
-
Filesize
72KB
MD546c1055b4afb6659b4fd9a5b7c40ce43
SHA1d93aaab3b7347a49a9571595be444e8eb187c659
SHA256bb51fc63ba2926fdac2bdef54d814bc80ec96b60e72153415b8d02eeda40bb53
SHA512aea590f5fcad12cdf6f43c8544c6e2bbdfefd24cf84cbea7ae61e099801008900ceae83e04f2821a8ba3207b84fee8f9464353408797adcb1d6ab0fc3a19f89f
-
Filesize
72KB
MD546c1055b4afb6659b4fd9a5b7c40ce43
SHA1d93aaab3b7347a49a9571595be444e8eb187c659
SHA256bb51fc63ba2926fdac2bdef54d814bc80ec96b60e72153415b8d02eeda40bb53
SHA512aea590f5fcad12cdf6f43c8544c6e2bbdfefd24cf84cbea7ae61e099801008900ceae83e04f2821a8ba3207b84fee8f9464353408797adcb1d6ab0fc3a19f89f
-
Filesize
72KB
MD59e20d3a8d6757a781f6c34e667c13243
SHA16a3426f9bd752409e1142c7ac9b3801836f4aef4
SHA256e694682f6ee23b098a4fdae45690cd614fbfd4e4fe6b7f03c825fe98eff26a31
SHA5128bb33af72ec62560fdfe75f95d75dddcf5fa22317724766430a33f4537e2dafbb005038a745219cabce98ae54394b4857bac2b69f099dec3b44723cd19cf41f3
-
Filesize
72KB
MD59e20d3a8d6757a781f6c34e667c13243
SHA16a3426f9bd752409e1142c7ac9b3801836f4aef4
SHA256e694682f6ee23b098a4fdae45690cd614fbfd4e4fe6b7f03c825fe98eff26a31
SHA5128bb33af72ec62560fdfe75f95d75dddcf5fa22317724766430a33f4537e2dafbb005038a745219cabce98ae54394b4857bac2b69f099dec3b44723cd19cf41f3
-
Filesize
72KB
MD5c20fa1e79c15d56cde9481cd6142236b
SHA10df3431fc1fe4036bd84a095a9e89907f5210ddd
SHA25663ddba82e405288c127942f12a004d47d28c9d27390314971964abb4e49e9ae9
SHA51285b4ecaca68bd9d55b7d8ff35828cc3ac4133cc9daac4c02cd70eed7cba3fc8582cf15c419a9b9b514923179cd5f138520f1506ab8e56a5c30b53ab3fe4197f6
-
Filesize
72KB
MD5c20fa1e79c15d56cde9481cd6142236b
SHA10df3431fc1fe4036bd84a095a9e89907f5210ddd
SHA25663ddba82e405288c127942f12a004d47d28c9d27390314971964abb4e49e9ae9
SHA51285b4ecaca68bd9d55b7d8ff35828cc3ac4133cc9daac4c02cd70eed7cba3fc8582cf15c419a9b9b514923179cd5f138520f1506ab8e56a5c30b53ab3fe4197f6
-
Filesize
72KB
MD552f9009ff23e357b46334b33db1ddd59
SHA14195a05d5341a1f6833a08c68189be2572d852e3
SHA2565716f69ea07deca625979708da6bcc740e6179043374a2d0441edc4e720a7f57
SHA512e3cc5e12f34a21c053bb86f0bf7bfd3ed5c285fc11ecc4eef372e68d4b9ed1294fa94cf05b4845722075b25e1e7fbc052729e5351357f59a80de1fddd1403428
-
Filesize
72KB
MD552f9009ff23e357b46334b33db1ddd59
SHA14195a05d5341a1f6833a08c68189be2572d852e3
SHA2565716f69ea07deca625979708da6bcc740e6179043374a2d0441edc4e720a7f57
SHA512e3cc5e12f34a21c053bb86f0bf7bfd3ed5c285fc11ecc4eef372e68d4b9ed1294fa94cf05b4845722075b25e1e7fbc052729e5351357f59a80de1fddd1403428
-
Filesize
72KB
MD5484df5478f483699849e9ab58f7696b8
SHA19127c73b426f13ad47cb53a0aeb4d2b1f279633d
SHA25660491a6d69e742e75f41b031086a21125d15eba637e26430a0105d4445f11277
SHA512a2f6718f81ff9605610bb874188697b7de74ab067933b2a4e9f5172d9b4ace54829a7d9e8858195e6af7c5550677c8bc67f3db37975f94bb562c665dc041f2b5
-
Filesize
72KB
MD5484df5478f483699849e9ab58f7696b8
SHA19127c73b426f13ad47cb53a0aeb4d2b1f279633d
SHA25660491a6d69e742e75f41b031086a21125d15eba637e26430a0105d4445f11277
SHA512a2f6718f81ff9605610bb874188697b7de74ab067933b2a4e9f5172d9b4ace54829a7d9e8858195e6af7c5550677c8bc67f3db37975f94bb562c665dc041f2b5
-
Filesize
72KB
MD5c20fa1e79c15d56cde9481cd6142236b
SHA10df3431fc1fe4036bd84a095a9e89907f5210ddd
SHA25663ddba82e405288c127942f12a004d47d28c9d27390314971964abb4e49e9ae9
SHA51285b4ecaca68bd9d55b7d8ff35828cc3ac4133cc9daac4c02cd70eed7cba3fc8582cf15c419a9b9b514923179cd5f138520f1506ab8e56a5c30b53ab3fe4197f6
-
Filesize
72KB
MD5c20fa1e79c15d56cde9481cd6142236b
SHA10df3431fc1fe4036bd84a095a9e89907f5210ddd
SHA25663ddba82e405288c127942f12a004d47d28c9d27390314971964abb4e49e9ae9
SHA51285b4ecaca68bd9d55b7d8ff35828cc3ac4133cc9daac4c02cd70eed7cba3fc8582cf15c419a9b9b514923179cd5f138520f1506ab8e56a5c30b53ab3fe4197f6
-
Filesize
72KB
MD5aa5ddfd60e4f4fe5ec3772f418298c24
SHA18b801359dca05ebb5204ba02a344302f535b8873
SHA2569e5edbaf092b739e4a3280fa8fc0d6434cbd3bf52e519e041ef499b0f9624f77
SHA5123b49b971757b1709fa70486da5533272088ab933b1e7a556dc4c2c753befdaa61c6f8e1034ec1251ed7fbef6fb55fea569baee30e54c473653a1905f65ab6ecd
-
Filesize
72KB
MD5aa5ddfd60e4f4fe5ec3772f418298c24
SHA18b801359dca05ebb5204ba02a344302f535b8873
SHA2569e5edbaf092b739e4a3280fa8fc0d6434cbd3bf52e519e041ef499b0f9624f77
SHA5123b49b971757b1709fa70486da5533272088ab933b1e7a556dc4c2c753befdaa61c6f8e1034ec1251ed7fbef6fb55fea569baee30e54c473653a1905f65ab6ecd
-
Filesize
72KB
MD50d540cded8a68aba304dc3b490d72487
SHA138ffaedbc90338a6b13697b007399ed42f3d73c3
SHA2563b620129f4c09dd3dfa28e7a7f9c0512c14bbe00bd69d7f35ec80052edb650cb
SHA5123751e2fadb7ec1ef508149d34c75829e31b3f813fb552170d59ddcaa6679dcc4ff650ab1d00a1dac199016b5d016bc6b38c0797cb6a15dd2ba9d3d64545e548a
-
Filesize
72KB
MD50d540cded8a68aba304dc3b490d72487
SHA138ffaedbc90338a6b13697b007399ed42f3d73c3
SHA2563b620129f4c09dd3dfa28e7a7f9c0512c14bbe00bd69d7f35ec80052edb650cb
SHA5123751e2fadb7ec1ef508149d34c75829e31b3f813fb552170d59ddcaa6679dcc4ff650ab1d00a1dac199016b5d016bc6b38c0797cb6a15dd2ba9d3d64545e548a
-
Filesize
72KB
MD552f9009ff23e357b46334b33db1ddd59
SHA14195a05d5341a1f6833a08c68189be2572d852e3
SHA2565716f69ea07deca625979708da6bcc740e6179043374a2d0441edc4e720a7f57
SHA512e3cc5e12f34a21c053bb86f0bf7bfd3ed5c285fc11ecc4eef372e68d4b9ed1294fa94cf05b4845722075b25e1e7fbc052729e5351357f59a80de1fddd1403428
-
Filesize
72KB
MD552f9009ff23e357b46334b33db1ddd59
SHA14195a05d5341a1f6833a08c68189be2572d852e3
SHA2565716f69ea07deca625979708da6bcc740e6179043374a2d0441edc4e720a7f57
SHA512e3cc5e12f34a21c053bb86f0bf7bfd3ed5c285fc11ecc4eef372e68d4b9ed1294fa94cf05b4845722075b25e1e7fbc052729e5351357f59a80de1fddd1403428
-
Filesize
72KB
MD532f3ab6808c80f8f8e928ac166da9447
SHA144749befd79e4ab20f6641478df21dc4710d7f4d
SHA256217a4b768bf513f9be03a8f6554b19267bfdd574a96074ee7ae48f5436cd610e
SHA51296b96c960443fb895842ddc735af3f20634130b1ac31afe66ef1e672fc69859af26909fb12f00cb1fce8946da7328a37adeb41fac8edb587080b086b7d4c5c6c
-
Filesize
72KB
MD532f3ab6808c80f8f8e928ac166da9447
SHA144749befd79e4ab20f6641478df21dc4710d7f4d
SHA256217a4b768bf513f9be03a8f6554b19267bfdd574a96074ee7ae48f5436cd610e
SHA51296b96c960443fb895842ddc735af3f20634130b1ac31afe66ef1e672fc69859af26909fb12f00cb1fce8946da7328a37adeb41fac8edb587080b086b7d4c5c6c
-
Filesize
72KB
MD5b8c80d26252a60df64768062a8a2c9db
SHA1f525787e8ec5dbea789b8f1cb34882b99870de91
SHA2567fe1b3e66d650a5940f123a88e79aee8b1da8c568425c01bb34b90ddfed5030d
SHA512d9f3c854565cbf705e462a146f0f70fffa005b6b8555c7ea2179dffdf50265ee664afbcc2e6d59447e7a8a063d28405c41ce6c1b0d2f0d53c5442c901fc0985b
-
Filesize
72KB
MD5b8c80d26252a60df64768062a8a2c9db
SHA1f525787e8ec5dbea789b8f1cb34882b99870de91
SHA2567fe1b3e66d650a5940f123a88e79aee8b1da8c568425c01bb34b90ddfed5030d
SHA512d9f3c854565cbf705e462a146f0f70fffa005b6b8555c7ea2179dffdf50265ee664afbcc2e6d59447e7a8a063d28405c41ce6c1b0d2f0d53c5442c901fc0985b
-
Filesize
72KB
MD532f3ab6808c80f8f8e928ac166da9447
SHA144749befd79e4ab20f6641478df21dc4710d7f4d
SHA256217a4b768bf513f9be03a8f6554b19267bfdd574a96074ee7ae48f5436cd610e
SHA51296b96c960443fb895842ddc735af3f20634130b1ac31afe66ef1e672fc69859af26909fb12f00cb1fce8946da7328a37adeb41fac8edb587080b086b7d4c5c6c
-
Filesize
72KB
MD532f3ab6808c80f8f8e928ac166da9447
SHA144749befd79e4ab20f6641478df21dc4710d7f4d
SHA256217a4b768bf513f9be03a8f6554b19267bfdd574a96074ee7ae48f5436cd610e
SHA51296b96c960443fb895842ddc735af3f20634130b1ac31afe66ef1e672fc69859af26909fb12f00cb1fce8946da7328a37adeb41fac8edb587080b086b7d4c5c6c
-
Filesize
72KB
MD532f3ab6808c80f8f8e928ac166da9447
SHA144749befd79e4ab20f6641478df21dc4710d7f4d
SHA256217a4b768bf513f9be03a8f6554b19267bfdd574a96074ee7ae48f5436cd610e
SHA51296b96c960443fb895842ddc735af3f20634130b1ac31afe66ef1e672fc69859af26909fb12f00cb1fce8946da7328a37adeb41fac8edb587080b086b7d4c5c6c
-
Filesize
72KB
MD532f3ab6808c80f8f8e928ac166da9447
SHA144749befd79e4ab20f6641478df21dc4710d7f4d
SHA256217a4b768bf513f9be03a8f6554b19267bfdd574a96074ee7ae48f5436cd610e
SHA51296b96c960443fb895842ddc735af3f20634130b1ac31afe66ef1e672fc69859af26909fb12f00cb1fce8946da7328a37adeb41fac8edb587080b086b7d4c5c6c
-
Filesize
72KB
MD532f3ab6808c80f8f8e928ac166da9447
SHA144749befd79e4ab20f6641478df21dc4710d7f4d
SHA256217a4b768bf513f9be03a8f6554b19267bfdd574a96074ee7ae48f5436cd610e
SHA51296b96c960443fb895842ddc735af3f20634130b1ac31afe66ef1e672fc69859af26909fb12f00cb1fce8946da7328a37adeb41fac8edb587080b086b7d4c5c6c
-
Filesize
72KB
MD532f3ab6808c80f8f8e928ac166da9447
SHA144749befd79e4ab20f6641478df21dc4710d7f4d
SHA256217a4b768bf513f9be03a8f6554b19267bfdd574a96074ee7ae48f5436cd610e
SHA51296b96c960443fb895842ddc735af3f20634130b1ac31afe66ef1e672fc69859af26909fb12f00cb1fce8946da7328a37adeb41fac8edb587080b086b7d4c5c6c
-
Filesize
72KB
MD5606ee3a69609e29990a827b5b14b1ce6
SHA18f2fb654af6753454b76aabf5acf6a2068d3fc84
SHA2564d151b8752b29ce43ac2e7477b26e41935e13c472462b8ccb6fc9484d780454b
SHA51298171048cff70d6f9e7cd1873f36a7d55fa9d4df2266aac24b66421888c5ec17329a6843008bebabec0ae7d7db9629b61877924704cee7f8267e71bc8e129aad
-
Filesize
72KB
MD5606ee3a69609e29990a827b5b14b1ce6
SHA18f2fb654af6753454b76aabf5acf6a2068d3fc84
SHA2564d151b8752b29ce43ac2e7477b26e41935e13c472462b8ccb6fc9484d780454b
SHA51298171048cff70d6f9e7cd1873f36a7d55fa9d4df2266aac24b66421888c5ec17329a6843008bebabec0ae7d7db9629b61877924704cee7f8267e71bc8e129aad
-
Filesize
72KB
MD5bb718ac6898162441d7e15273adea0e3
SHA11fb24717435ec7cdf271353d025edd18bc793101
SHA256c24ded322b5b7157c19e6da10b49ee661911800bef0f0b1e92a05f6e40747ecb
SHA512d7252dc2ccf3fab5c9f2d13eae771981b21a9ea301b3fae085a6d34855f99eb71e611f5c196377db8ba7de368952caf6d5f5e0a558ac5ad90b44f61f31fb2c5d
-
Filesize
72KB
MD5bb718ac6898162441d7e15273adea0e3
SHA11fb24717435ec7cdf271353d025edd18bc793101
SHA256c24ded322b5b7157c19e6da10b49ee661911800bef0f0b1e92a05f6e40747ecb
SHA512d7252dc2ccf3fab5c9f2d13eae771981b21a9ea301b3fae085a6d34855f99eb71e611f5c196377db8ba7de368952caf6d5f5e0a558ac5ad90b44f61f31fb2c5d
-
Filesize
72KB
MD587acfc42cd1496548c4c771535ce7a47
SHA1a73698806c9cad2a2f0e174fcf2629a8dc3361c1
SHA25691d1f827dc3b2b55fa419933973b1a3f4ff009fc5bb268fd74c9c26d50b9488b
SHA5129978aa4d8ff86d3b761834f991355d8d0759e5c4f7d5f016a83092d510efd4bc21d5ec51d5ad444d792d36322f0bc58b0318cf8a1441a36745152f0ddb6ebb79
-
Filesize
72KB
MD587acfc42cd1496548c4c771535ce7a47
SHA1a73698806c9cad2a2f0e174fcf2629a8dc3361c1
SHA25691d1f827dc3b2b55fa419933973b1a3f4ff009fc5bb268fd74c9c26d50b9488b
SHA5129978aa4d8ff86d3b761834f991355d8d0759e5c4f7d5f016a83092d510efd4bc21d5ec51d5ad444d792d36322f0bc58b0318cf8a1441a36745152f0ddb6ebb79
-
Filesize
72KB
MD587acfc42cd1496548c4c771535ce7a47
SHA1a73698806c9cad2a2f0e174fcf2629a8dc3361c1
SHA25691d1f827dc3b2b55fa419933973b1a3f4ff009fc5bb268fd74c9c26d50b9488b
SHA5129978aa4d8ff86d3b761834f991355d8d0759e5c4f7d5f016a83092d510efd4bc21d5ec51d5ad444d792d36322f0bc58b0318cf8a1441a36745152f0ddb6ebb79
-
Filesize
72KB
MD587acfc42cd1496548c4c771535ce7a47
SHA1a73698806c9cad2a2f0e174fcf2629a8dc3361c1
SHA25691d1f827dc3b2b55fa419933973b1a3f4ff009fc5bb268fd74c9c26d50b9488b
SHA5129978aa4d8ff86d3b761834f991355d8d0759e5c4f7d5f016a83092d510efd4bc21d5ec51d5ad444d792d36322f0bc58b0318cf8a1441a36745152f0ddb6ebb79
-
Filesize
72KB
MD524bcf3e4760ce581d9e6254344e03cab
SHA12c991746c3dfe9da3707564c09f69193ebf437ba
SHA2560acf393065773903ad23492be216297a438d7738065ed3133f3105c9d3b0cd5c
SHA512ee2e0d9f62231468bb19140d27ac4985ec21e5dc4920e96307a1d4b30da27ea03b8de32dcc46fc2a3a25d8893e2c800d6b615149b5fcf51f9a16ac715f773886
-
Filesize
72KB
MD524bcf3e4760ce581d9e6254344e03cab
SHA12c991746c3dfe9da3707564c09f69193ebf437ba
SHA2560acf393065773903ad23492be216297a438d7738065ed3133f3105c9d3b0cd5c
SHA512ee2e0d9f62231468bb19140d27ac4985ec21e5dc4920e96307a1d4b30da27ea03b8de32dcc46fc2a3a25d8893e2c800d6b615149b5fcf51f9a16ac715f773886
-
Filesize
72KB
MD50e61ad423a852998befaf19b2e6f611c
SHA1d7090ea27fdc6250756c3252a3db77f3ff82fb1e
SHA256292f9c7b111bbb1f1450474778a0ea2adb56042627626675839ea9e1a0d66dce
SHA512a081ed1376639f210ec32081d3d1aa63ec8c9b933b33bbb31236068bee701f216fc9ee90a4e98eede157bc16173d222da3255785a43474f5e1663c20d091037c
-
Filesize
72KB
MD50e61ad423a852998befaf19b2e6f611c
SHA1d7090ea27fdc6250756c3252a3db77f3ff82fb1e
SHA256292f9c7b111bbb1f1450474778a0ea2adb56042627626675839ea9e1a0d66dce
SHA512a081ed1376639f210ec32081d3d1aa63ec8c9b933b33bbb31236068bee701f216fc9ee90a4e98eede157bc16173d222da3255785a43474f5e1663c20d091037c
-
Filesize
72KB
MD5a2d261fd47d2f3ab2186c0a7ecd6258a
SHA175af7f79d2d98633eb8ebaa04a7c7014591a1812
SHA256dce20747d4997034587a96da32fefceca5650553552cc6df8c4a366d3ce2897c
SHA5125f29a2a270d953852af9a04c16905c663693ae9bb2dfac4abfff6c748abe468236a12d3149a69807d6874c7e00e55002636be83f6752d44e5821b687dd32401f
-
Filesize
72KB
MD5a2d261fd47d2f3ab2186c0a7ecd6258a
SHA175af7f79d2d98633eb8ebaa04a7c7014591a1812
SHA256dce20747d4997034587a96da32fefceca5650553552cc6df8c4a366d3ce2897c
SHA5125f29a2a270d953852af9a04c16905c663693ae9bb2dfac4abfff6c748abe468236a12d3149a69807d6874c7e00e55002636be83f6752d44e5821b687dd32401f
-
Filesize
72KB
MD5ca5ae795d0162707e396b62edb7fbd63
SHA1c1cb80b026868f1681088c39cfc95e018abe2826
SHA256d32468173f403627a76858b0cc5eba853cb2a6f7ec2d136738013d468c80addb
SHA51218ebadcdd6e5ecb0eaa7055e33c49430debec40c31a68aa70210b8403f3fc21c7123b883bdf859f98ceb63f0d8032e19705e3844c4ff61258a5954a7770f6d4d
-
Filesize
72KB
MD5ca5ae795d0162707e396b62edb7fbd63
SHA1c1cb80b026868f1681088c39cfc95e018abe2826
SHA256d32468173f403627a76858b0cc5eba853cb2a6f7ec2d136738013d468c80addb
SHA51218ebadcdd6e5ecb0eaa7055e33c49430debec40c31a68aa70210b8403f3fc21c7123b883bdf859f98ceb63f0d8032e19705e3844c4ff61258a5954a7770f6d4d
-
Filesize
72KB
MD5480dfbebc92aad2959acfea09196d3ff
SHA1c0ac78961564df5c52980c90e93f6cf32dbb0e4c
SHA256dfb44186ce0a20c4a9e5a3aee57ef965b31eae58aa0e8c0ba1879916fc32450f
SHA51251af4f9c2234a5ab8481c2d99e62c132735adc20521c297fc42dbba81ec2b7d31587864741c3bd01867397de5358767170b55c69cf166881ea3b0a70dbef7aed
-
Filesize
72KB
MD5480dfbebc92aad2959acfea09196d3ff
SHA1c0ac78961564df5c52980c90e93f6cf32dbb0e4c
SHA256dfb44186ce0a20c4a9e5a3aee57ef965b31eae58aa0e8c0ba1879916fc32450f
SHA51251af4f9c2234a5ab8481c2d99e62c132735adc20521c297fc42dbba81ec2b7d31587864741c3bd01867397de5358767170b55c69cf166881ea3b0a70dbef7aed
-
Filesize
72KB
MD525459a08fc690fda510c7c93d7f26c1b
SHA1196a8ac94481e4bcaa6a1996801002ace530e90c
SHA256569c5eba73a0ca9c49f724c8625ff20b78992e08b0b6611989f7d5ea17cafec5
SHA5126896a5c861c69891d39e0fb085227bba99f8d463185e39fd8712df0d1772b2e8fc892820b770fd9c7279199e36ea19d4c0f8eb936fecf045f76d5ba5a04f35f8
-
Filesize
72KB
MD525459a08fc690fda510c7c93d7f26c1b
SHA1196a8ac94481e4bcaa6a1996801002ace530e90c
SHA256569c5eba73a0ca9c49f724c8625ff20b78992e08b0b6611989f7d5ea17cafec5
SHA5126896a5c861c69891d39e0fb085227bba99f8d463185e39fd8712df0d1772b2e8fc892820b770fd9c7279199e36ea19d4c0f8eb936fecf045f76d5ba5a04f35f8
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize72KB
MD58efecde0e3ba321781adf4286c959276
SHA1da865f59f1104482ec31a81f48def125c3510a0d
SHA2563c10d182bdb14ed08349b135edf0b3c64ba9adac88a4ce8acbe6e568b3b6a970
SHA512dd3bef08cf7ff8b2f8052c6c437df40a6005c3899d19f0e368f52398999910841cc043f74b84147f8a6cc562c440bd7554eb42fedff9ace728ae3c6efd493733
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize72KB
MD58efecde0e3ba321781adf4286c959276
SHA1da865f59f1104482ec31a81f48def125c3510a0d
SHA2563c10d182bdb14ed08349b135edf0b3c64ba9adac88a4ce8acbe6e568b3b6a970
SHA512dd3bef08cf7ff8b2f8052c6c437df40a6005c3899d19f0e368f52398999910841cc043f74b84147f8a6cc562c440bd7554eb42fedff9ace728ae3c6efd493733
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe
Filesize72KB
MD5e67803c94ebe0380e0b29bc7faeab656
SHA1550872a00ef6d5c77018883e4ff72d41ac824bf8
SHA2563e02e365b922213d7ee728d935f46d0a2b5f13cd4ee51c0c0f58d688f4b2de52
SHA512c11d261d862301b0d2d2cb6a9bbf9e2864c310199515a8839004c3cad5c439cd1e7344760f64706960b624d2bec886804e2144f103d88f43076f774ee0e37a4f
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe
Filesize72KB
MD5e67803c94ebe0380e0b29bc7faeab656
SHA1550872a00ef6d5c77018883e4ff72d41ac824bf8
SHA2563e02e365b922213d7ee728d935f46d0a2b5f13cd4ee51c0c0f58d688f4b2de52
SHA512c11d261d862301b0d2d2cb6a9bbf9e2864c310199515a8839004c3cad5c439cd1e7344760f64706960b624d2bec886804e2144f103d88f43076f774ee0e37a4f
-
Filesize
72KB
MD5480dfbebc92aad2959acfea09196d3ff
SHA1c0ac78961564df5c52980c90e93f6cf32dbb0e4c
SHA256dfb44186ce0a20c4a9e5a3aee57ef965b31eae58aa0e8c0ba1879916fc32450f
SHA51251af4f9c2234a5ab8481c2d99e62c132735adc20521c297fc42dbba81ec2b7d31587864741c3bd01867397de5358767170b55c69cf166881ea3b0a70dbef7aed
-
Filesize
72KB
MD5480dfbebc92aad2959acfea09196d3ff
SHA1c0ac78961564df5c52980c90e93f6cf32dbb0e4c
SHA256dfb44186ce0a20c4a9e5a3aee57ef965b31eae58aa0e8c0ba1879916fc32450f
SHA51251af4f9c2234a5ab8481c2d99e62c132735adc20521c297fc42dbba81ec2b7d31587864741c3bd01867397de5358767170b55c69cf166881ea3b0a70dbef7aed
-
Filesize
72KB
MD5e16a172f464e3b10a53237d16b827076
SHA1bd9ea1324f344e2f8c2b766a3ecaa3704a5d3fe0
SHA256d4108311c628300bf981d0b5bb3622349438134b5e990ffae9a7e9d194d6da5f
SHA512dc0c806a8150daca1e9c64ca7fecf72ed66135d98c650af71809c597d17d71d31b053bc998b49b7f5405c635d19191ba3f48aae38404eeb39f77fee615387c09
-
Filesize
72KB
MD5e16a172f464e3b10a53237d16b827076
SHA1bd9ea1324f344e2f8c2b766a3ecaa3704a5d3fe0
SHA256d4108311c628300bf981d0b5bb3622349438134b5e990ffae9a7e9d194d6da5f
SHA512dc0c806a8150daca1e9c64ca7fecf72ed66135d98c650af71809c597d17d71d31b053bc998b49b7f5405c635d19191ba3f48aae38404eeb39f77fee615387c09
-
Filesize
72KB
MD59baad756860e911db69f4b2e26cc10bd
SHA1e1b4f33d9028e3311a5105599a1d0b8acd678152
SHA256f154902c9f78ebec38b9aeb95371591e6f398f71191e9abc5084cd68a7238cd0
SHA512afbe604f094b691faf504d7fdb1ee9d0d9b7665e67aced3641fa6df88e7d13bc04d62cbc1700474c3b741840208f558b52f3c1219a70b5a68889a29a5a7b61bc
-
Filesize
72KB
MD59baad756860e911db69f4b2e26cc10bd
SHA1e1b4f33d9028e3311a5105599a1d0b8acd678152
SHA256f154902c9f78ebec38b9aeb95371591e6f398f71191e9abc5084cd68a7238cd0
SHA512afbe604f094b691faf504d7fdb1ee9d0d9b7665e67aced3641fa6df88e7d13bc04d62cbc1700474c3b741840208f558b52f3c1219a70b5a68889a29a5a7b61bc
-
Filesize
72KB
MD534fdf3db941ccd5a4f2380674c9281fa
SHA123d21718bc4322f0ce2043a1e81edc83a26deec3
SHA256935b37af06b0d6bd30e12843b2df1ff9978fb60cceb17e8adfe35dc7a35964e0
SHA5127ae2204a1418227e2f80f95f79bf789c2dbf6f573690cb51766219fcf7e649442d7941f7f856d47f1e91288a153d544dc936d5749a0769dd77e765807a7db1a0
-
Filesize
72KB
MD534fdf3db941ccd5a4f2380674c9281fa
SHA123d21718bc4322f0ce2043a1e81edc83a26deec3
SHA256935b37af06b0d6bd30e12843b2df1ff9978fb60cceb17e8adfe35dc7a35964e0
SHA5127ae2204a1418227e2f80f95f79bf789c2dbf6f573690cb51766219fcf7e649442d7941f7f856d47f1e91288a153d544dc936d5749a0769dd77e765807a7db1a0
-
Filesize
72KB
MD5ea95d5f47bfcb43801febe40419b01b0
SHA15f0408528a8b2df64e206e9be96819777fbfe56e
SHA2569273aa848ada8011526b393ab5ae9ff02a9124535616b0b4b4450be4ec5c4350
SHA5126ef22dcd1372b9fec30fe9937891c920fbaf4254544f41241763fd786dfd3b10f2fd7d862e4461fff7da845c1016db73d48dd5953b539bb9956ef16f88e8c10f
-
Filesize
72KB
MD5ea95d5f47bfcb43801febe40419b01b0
SHA15f0408528a8b2df64e206e9be96819777fbfe56e
SHA2569273aa848ada8011526b393ab5ae9ff02a9124535616b0b4b4450be4ec5c4350
SHA5126ef22dcd1372b9fec30fe9937891c920fbaf4254544f41241763fd786dfd3b10f2fd7d862e4461fff7da845c1016db73d48dd5953b539bb9956ef16f88e8c10f