Analysis
-
max time kernel
195s -
max time network
209s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted
02-12-2022 20:16
Static task
static1
Behavioral task
behavioral1
Sample
5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe
Resource
win10v2004-20221111-en
General
-
Target
5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe
-
Size
72KB
-
MD5
0203136bcbdd808b66a939e90d1166cb
-
SHA1
e929833f4b5ebdb258c1a0845e5297a88a323313
-
SHA256
5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce
-
SHA512
bc023e155a494c2990ef6266601deaf13b35dbf5dcec3deb562cf6a1ff557a819198b2405aaaf17af7dacc23cdc8d61a01ed2b59d8b2c98c3e3c7b86260b54a9
-
SSDEEP
384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2e:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPK
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs — sets HideFileExt=1 under the user's Explorer\Advanced key, which makes Explorer stop displaying known file extensions. Combined with the innocuous names of the dropped executables (backup.exe, System Restore.exe, data.exe), this makes them appear to the user as "backup", "System Restore" and "data" rather than as programs. The value is rewritten by many of the dropped processes, so reverting it once is not enough while any copy is still running.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt 
= "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" System Restore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt 
= "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 
backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 
backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" System Restore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 
backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe -
Disables RegEdit via registry modification 64 IoCs — sets DisableRegistryTools=1 under Policies\System in both the user hive (\REGISTRY\USER\S-1-5-21-…-1000) and the machine hive (\REGISTRY\MACHINE). The HKLM writes apply the policy to every account on the host and indicate the dropped processes were running with administrative rights in this run (writing under HKLM\SOFTWARE normally requires it). This is an anti-remediation measure: it blocks regedit so the other registry changes cannot easily be reverted by hand; reg.exe, PowerShell or an offline hive edit still work.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" System Restore.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" data.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" System Restore.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe -
Executes dropped EXE 64 IoCs — the sample spawns processes named backup.exe, System Restore.exe and data.exe (update.exe also appears as a writing process elsewhere in this report). PIDs are recycled during the run (920, 2148 and 3032 each appear twice, 2148 once as System Restore.exe and once as backup.exe), so a PID alone does not identify a particular dropped file; correlate on path and hash instead. Several signatures stop at exactly 64 entries, which suggests a display cap rather than the true count.
pid Process 1776 backup.exe 4412 backup.exe 2648 backup.exe 3200 backup.exe 4224 backup.exe 4644 backup.exe 2676 backup.exe 2888 backup.exe 920 backup.exe 3456 backup.exe 3120 backup.exe 4884 backup.exe 5028 backup.exe 2376 backup.exe 2200 backup.exe 4504 backup.exe 4996 backup.exe 1524 backup.exe 3032 backup.exe 2148 System Restore.exe 4628 backup.exe 4776 backup.exe 1012 backup.exe 3984 backup.exe 2280 backup.exe 1496 data.exe 1472 backup.exe 4408 backup.exe 4496 backup.exe 3420 backup.exe 2172 backup.exe 4624 backup.exe 4012 backup.exe 3940 backup.exe 1828 backup.exe 3008 backup.exe 4032 backup.exe 1456 backup.exe 4304 backup.exe 1544 backup.exe 4424 backup.exe 3124 backup.exe 4808 backup.exe 1484 backup.exe 920 backup.exe 2096 backup.exe 3664 backup.exe 3644 backup.exe 4484 backup.exe 5068 backup.exe 1996 backup.exe 3380 backup.exe 3032 backup.exe 3172 backup.exe 2148 backup.exe 780 backup.exe 2584 backup.exe 2204 backup.exe 2556 backup.exe 4492 data.exe 676 backup.exe 3036 backup.exe 424 backup.exe 4864 backup.exe -
Drops file in Program Files directory 64 IoCs — each dropped process opens further files named backup.exe, System Restore.exe or data.exe for modification across subdirectories of Program Files and Program Files (x86) (Java, Chrome, Adobe, Office, Internet Explorer, Common Files). This recursive spread into existing directory trees is the dominant behaviour in the report and is characteristic of a file-dropping worm rather than ransomware. The dropped files are presumably copies of the sample, but their hashes are not shown here — confirm before treating them as identical. Writing into Program Files also requires administrative rights, consistent with the HKLM registry writes above. Listing capped at 64 entries.
description ioc Process File opened for modification C:\Program Files (x86)\Google\Policies\backup.exe backup.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe backup.exe File opened for modification C:\Program Files\Internet Explorer\en-US\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\System\ado\it-IT\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VGX\backup.exe backup.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe backup.exe File opened for modification C:\Program Files\Microsoft Office\root\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft 
shared\ink\da-DK\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe backup.exe File opened for modification C:\Program Files\Microsoft Office\backup.exe backup.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\System\ado\es-ES\backup.exe backup.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe backup.exe File opened for modification C:\Program Files\Internet Explorer\SIGNUP\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe data.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe backup.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\System Restore.exe backup.exe File opened for modification C:\Program 
Files\Common Files\System\msadc\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\data.exe backup.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\data.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe backup.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe System Restore.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe System Restore.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\data.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe backup.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\backup.exe backup.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe backup.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe update.exe File opened for modification C:\Program Files\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe backup.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe backup.exe File opened for modification C:\Program Files\Internet Explorer\ja-JP\backup.exe backup.exe File opened for modification C:\Program 
Files\Java\jdk1.8.0_66\db\lib\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\System\ado\de-DE\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\System Restore.exe backup.exe File opened for modification C:\Program Files\Internet Explorer\es-ES\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\System Restore.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\System\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe backup.exe -
Drops file in Windows directory 20 IoCs — backup.exe is written into C:\Windows itself and into its apppatch, appcompat, assembly (including the GAC) and AppReadiness subdirectories. These paths are useful hunting IoCs: a backup.exe in any of these system directories is unlikely to be legitimate.
description ioc Process File opened for modification C:\Windows\appcompat\appraiser\backup.exe backup.exe File opened for modification C:\Windows\appcompat\Programs\backup.exe backup.exe File opened for modification C:\Windows\apppatch\Custom\Custom64\backup.exe backup.exe File opened for modification C:\Windows\apppatch\en-US\backup.exe backup.exe File opened for modification C:\Windows\backup.exe backup.exe File opened for modification C:\Windows\AppReadiness\backup.exe backup.exe File opened for modification C:\Windows\appcompat\appraiser\Telemetry\backup.exe backup.exe File opened for modification C:\Windows\apppatch\CustomSDB\backup.exe backup.exe File opened for modification C:\Windows\assembly\GAC\ADODB\backup.exe backup.exe File opened for modification C:\Windows\apppatch\es-ES\backup.exe backup.exe File opened for modification C:\Windows\addins\backup.exe backup.exe File opened for modification C:\Windows\appcompat\backup.exe backup.exe File opened for modification C:\Windows\apppatch\AppPatch64\backup.exe backup.exe File opened for modification C:\Windows\apppatch\Custom\backup.exe backup.exe File opened for modification C:\Windows\apppatch\de-DE\backup.exe backup.exe File opened for modification C:\Windows\assembly\backup.exe backup.exe File opened for modification C:\Windows\assembly\GAC\backup.exe backup.exe File opened for modification C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe backup.exe File opened for modification C:\Windows\appcompat\encapsulation\backup.exe backup.exe File opened for modification C:\Windows\apppatch\backup.exe backup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: nothing else among the signatures shown here (no file encryption, no ransom note, no shadow-copy deletion) supports a ransomware classification. Drive enumeration is equally consistent with the worm-like propagation seen in the file-drop signatures — locating additional volumes to copy into. Treat the ransomware label as unconfirmed.
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe -
Suspicious use of SetWindowsHookEx 64 IoCs — the original sample and every dropped copy install a Windows hook. SetWindowsHookEx is the classic user-mode keylogging primitive (WH_KEYBOARD / WH_KEYBOARD_LL), but it is also used by ordinary GUI applications, and the hook type is not shown in this report. Treat this as a lead to confirm from an API trace, not as proof of input capture.
pid Process 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 1776 backup.exe 4412 backup.exe 2648 backup.exe 3200 backup.exe 4224 backup.exe 4644 backup.exe 2676 backup.exe 2888 backup.exe 920 backup.exe 3456 backup.exe 3120 backup.exe 4884 backup.exe 5028 backup.exe 2376 backup.exe 2200 backup.exe 4504 backup.exe 4996 backup.exe 1524 backup.exe 3032 backup.exe 2148 System Restore.exe 4628 backup.exe 4776 backup.exe 1012 backup.exe 3984 backup.exe 2280 backup.exe 1496 data.exe 1472 backup.exe 4408 backup.exe 4496 backup.exe 3420 backup.exe 2172 backup.exe 4624 backup.exe 4012 backup.exe 3940 backup.exe 1828 backup.exe 3008 backup.exe 4032 backup.exe 1456 backup.exe 4304 backup.exe 1544 backup.exe 4424 backup.exe 4808 backup.exe 3124 backup.exe 1484 backup.exe 920 backup.exe 2096 backup.exe 3644 backup.exe 3664 backup.exe 4484 backup.exe 3032 backup.exe 1996 backup.exe 3380 backup.exe 5068 backup.exe 3172 backup.exe 2148 backup.exe 2204 backup.exe 780 backup.exe 2556 backup.exe 2584 backup.exe 4492 data.exe 1364 backup.exe 5072 backup.exe 3036 backup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 220 wrote to memory of 1776 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 82 PID 220 wrote to memory of 1776 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 82 PID 220 wrote to memory of 1776 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 82 PID 220 wrote to memory of 4412 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 83 PID 220 wrote to memory of 4412 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 83 PID 220 wrote to memory of 4412 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 83 PID 220 wrote to memory of 2648 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 84 PID 220 wrote to memory of 2648 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 84 PID 220 wrote to memory of 2648 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 84 PID 220 wrote to memory of 3200 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 85 PID 220 wrote to memory of 3200 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 85 PID 220 wrote to memory of 3200 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 85 PID 220 wrote to memory of 4224 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 86 PID 220 wrote to memory of 4224 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 86 PID 220 wrote to memory of 4224 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 86 PID 220 wrote to memory of 4644 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 87 PID 220 wrote to memory of 4644 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 87 PID 220 wrote to memory of 4644 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 87 PID 220 wrote to 
memory of 2676 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 88 PID 220 wrote to memory of 2676 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 88 PID 220 wrote to memory of 2676 220 5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe 88 PID 1776 wrote to memory of 2888 1776 backup.exe 89 PID 1776 wrote to memory of 2888 1776 backup.exe 89 PID 1776 wrote to memory of 2888 1776 backup.exe 89 PID 2888 wrote to memory of 920 2888 backup.exe 90 PID 2888 wrote to memory of 920 2888 backup.exe 90 PID 2888 wrote to memory of 920 2888 backup.exe 90 PID 2888 wrote to memory of 3456 2888 backup.exe 91 PID 2888 wrote to memory of 3456 2888 backup.exe 91 PID 2888 wrote to memory of 3456 2888 backup.exe 91 PID 2888 wrote to memory of 3120 2888 backup.exe 92 PID 2888 wrote to memory of 3120 2888 backup.exe 92 PID 2888 wrote to memory of 3120 2888 backup.exe 92 PID 3120 wrote to memory of 4884 3120 backup.exe 93 PID 3120 wrote to memory of 4884 3120 backup.exe 93 PID 3120 wrote to memory of 4884 3120 backup.exe 93 PID 4884 wrote to memory of 5028 4884 backup.exe 94 PID 4884 wrote to memory of 5028 4884 backup.exe 94 PID 4884 wrote to memory of 5028 4884 backup.exe 94 PID 3120 wrote to memory of 2376 3120 backup.exe 95 PID 3120 wrote to memory of 2376 3120 backup.exe 95 PID 3120 wrote to memory of 2376 3120 backup.exe 95 PID 2376 wrote to memory of 2200 2376 backup.exe 96 PID 2376 wrote to memory of 2200 2376 backup.exe 96 PID 2376 wrote to memory of 2200 2376 backup.exe 96 PID 2376 wrote to memory of 4504 2376 backup.exe 97 PID 2376 wrote to memory of 4504 2376 backup.exe 97 PID 2376 wrote to memory of 4504 2376 backup.exe 97 PID 4504 wrote to memory of 4996 4504 backup.exe 98 PID 4504 wrote to memory of 4996 4504 backup.exe 98 PID 4504 wrote to memory of 4996 4504 backup.exe 98 PID 4504 wrote to memory of 1524 4504 backup.exe 99 PID 4504 wrote to memory of 1524 4504 backup.exe 99 PID 4504 wrote to memory of 
1524 4504 backup.exe 99 PID 1524 wrote to memory of 3032 1524 backup.exe 100 PID 1524 wrote to memory of 3032 1524 backup.exe 100 PID 1524 wrote to memory of 3032 1524 backup.exe 100 PID 1524 wrote to memory of 2148 1524 backup.exe 101 PID 1524 wrote to memory of 2148 1524 backup.exe 101 PID 1524 wrote to memory of 2148 1524 backup.exe 101 PID 1524 wrote to memory of 4628 1524 backup.exe 102 PID 1524 wrote to memory of 4628 1524 backup.exe 102 PID 1524 wrote to memory of 4628 1524 backup.exe 102 PID 1524 wrote to memory of 4776 1524 backup.exe 103 -
System policy modification 1 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" data.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" data.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System update.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System data.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer data.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer data.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer data.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Processes
C:\Users\Admin\AppData\Local\Temp\5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe"C:\Users\Admin\AppData\Local\Temp\5e1424ba097aadcbda6bbf6c0b8f331a73a21a86a5a5fd1d125c742e176799ce.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Users\Admin\AppData\Local\Temp\671270421\backup.exeC:\Users\Admin\AppData\Local\Temp\671270421\backup.exe C:\Users\Admin\AppData\Local\Temp\671270421\2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\backup.exe\backup.exe \3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\odt\backup.exeC:\odt\backup.exe C:\odt\4⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:920
C:\PerfLogs\backup.exeC:\PerfLogs\backup.exe C:\PerfLogs\4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3456
C:\Program Files\backup.exe"C:\Program Files\backup.exe" C:\Program Files\4⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Program Files\7-Zip\backup.exe"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\5⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Program Files\7-Zip\Lang\backup.exe"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5028
C:\Program Files\Common Files\backup.exe"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Program Files\Common Files\DESIGNER\backup.exe"C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2200
C:\Program Files\Common Files\microsoft shared\backup.exe"C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe"C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4996
C:\Program Files\Common Files\microsoft shared\ink\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1524 -
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3032
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\System Restore.exe"C:\Program Files\Common Files\microsoft shared\ink\bg-BG\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2148
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4628
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4776
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1012
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3984
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2280
C:\Program Files\Common Files\microsoft shared\ink\en-US\data.exe"C:\Program Files\Common Files\microsoft shared\ink\en-US\data.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1496
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1472
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4408
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4496
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3420
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2172
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4624
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4012 -
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\9⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3940
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\9⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1828
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3008
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\9⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4032
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1456
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4304
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1544
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4424
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3664
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1996
C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3124
C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4484
C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3172
C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\data.exe"C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\data.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4492
C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\8⤵PID:3540
C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:796
C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1324
C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\data.exe"C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\data.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\8⤵PID:4084
C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\8⤵
- System policy modification
PID:3000
C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\8⤵
- Modifies visibility of file extensions in Explorer
PID:4068
C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:3528
C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\8⤵PID:4776
C:\Program Files\Common Files\microsoft shared\ink\pl-PL\data.exe"C:\Program Files\Common Files\microsoft shared\ink\pl-PL\data.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:4216
C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\8⤵PID:4704
C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\8⤵PID:1048
C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\8⤵PID:3364
C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\8⤵PID:4808
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1484 -
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5068
C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:780
C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\8⤵
- Executes dropped EXE
- System policy modification
PID:424
C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:2024
C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\8⤵
- System policy modification
PID:3340
C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\8⤵
- Modifies visibility of file extensions in Explorer
PID:3928
C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe"C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2204 -
C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe"C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\8⤵
- Executes dropped EXE
- System policy modification
PID:676
C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe"C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\7⤵
- Executes dropped EXE
PID:4864
C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe"C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\7⤵PID:4288
C:\Program Files\Common Files\microsoft shared\Stationery\System Restore.exe"C:\Program Files\Common Files\microsoft shared\Stationery\System Restore.exe" C:\Program Files\Common Files\microsoft shared\Stationery\7⤵PID:4836
C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe"C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1012 -
C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe"C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\8⤵PID:3292
-
-
-
C:\Program Files\Common Files\microsoft shared\Triedit\data.exe"C:\Program Files\Common Files\microsoft shared\Triedit\data.exe" C:\Program Files\Common Files\microsoft shared\Triedit\7⤵
- System policy modification
PID:1700 -
C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe"C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\8⤵
- Disables RegEdit via registry modification
PID:972
-
-
-
C:\Program Files\Common Files\microsoft shared\VC\backup.exe"C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\7⤵
- Modifies visibility of file extensions in Explorer
PID:5028
-
-
C:\Program Files\Common Files\microsoft shared\VGX\backup.exe"C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\7⤵PID:2656
-
-
C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe"C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\7⤵
- Drops file in Program Files directory
PID:4844 -
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe"C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1324 -
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe"C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\9⤵
- Modifies visibility of file extensions in Explorer
PID:1172
-
-
-
-
-
C:\Program Files\Common Files\Services\backup.exe"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:920
-
-
C:\Program Files\Common Files\System\backup.exe"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\6⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3032 -
C:\Program Files\Common Files\System\ado\backup.exe"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\7⤵
- Drops file in Program Files directory
PID:2808 -
C:\Program Files\Common Files\System\ado\de-DE\backup.exe"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\8⤵PID:788
-
-
C:\Program Files\Common Files\System\ado\en-US\backup.exe"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\8⤵PID:3988
-
-
C:\Program Files\Common Files\System\ado\es-ES\backup.exe"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\8⤵PID:740
-
-
C:\Program Files\Common Files\System\ado\fr-FR\backup.exe"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:2972
-
-
C:\Program Files\Common Files\System\ado\it-IT\backup.exe"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1204
-
-
C:\Program Files\Common Files\System\ado\ja-JP\backup.exe"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\8⤵PID:4500
-
-
-
C:\Program Files\Common Files\System\de-DE\backup.exe"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1880
-
-
C:\Program Files\Common Files\System\en-US\backup.exe"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\7⤵
- System policy modification
PID:4364
-
-
C:\Program Files\Common Files\System\es-ES\backup.exe"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\7⤵
- Modifies visibility of file extensions in Explorer
PID:1852
-
-
C:\Program Files\Common Files\System\fr-FR\backup.exe"C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:4568
-
-
C:\Program Files\Common Files\System\it-IT\backup.exe"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:3052
-
-
C:\Program Files\Common Files\System\msadc\backup.exe"C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\7⤵PID:4652
-
-
C:\Program Files\Common Files\System\ja-JP\backup.exe"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\7⤵PID:1600
-
-
-
-
C:\Program Files\Google\backup.exe"C:\Program Files\Google\backup.exe" C:\Program Files\Google\5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4808 -
C:\Program Files\Google\Chrome\backup.exe"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\6⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3644 -
C:\Program Files\Google\Chrome\Application\backup.exe"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\7⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3380 -
C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3036 -
C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\9⤵PID:216
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\9⤵PID:4260
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:4956
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\9⤵
- Modifies visibility of file extensions in Explorer
PID:2376
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\System Restore.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\9⤵
- Disables RegEdit via registry modification
PID:4660
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\9⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- System policy modification
PID:1484
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\System Restore.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\9⤵PID:4024
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\9⤵PID:4236
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\10⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1628 -
C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\11⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:4232
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\8⤵PID:3008
-
-
-
-
-
C:\Program Files\Internet Explorer\backup.exe"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2556 -
C:\Program Files\Internet Explorer\de-DE\backup.exe"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:3940
-
-
C:\Program Files\Internet Explorer\en-US\backup.exe"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\6⤵PID:4552
-
-
C:\Program Files\Internet Explorer\es-ES\backup.exe"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\6⤵
- Modifies visibility of file extensions in Explorer
PID:4336
-
-
C:\Program Files\Internet Explorer\fr-FR\backup.exe"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\6⤵PID:4776
-
-
C:\Program Files\Internet Explorer\images\update.exe"C:\Program Files\Internet Explorer\images\update.exe" C:\Program Files\Internet Explorer\images\6⤵
- Disables RegEdit via registry modification
- System policy modification
PID:452
-
-
C:\Program Files\Internet Explorer\it-IT\backup.exe"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\6⤵
- System policy modification
PID:2204
-
-
C:\Program Files\Internet Explorer\ja-JP\backup.exe"C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\6⤵PID:788
-
-
C:\Program Files\Internet Explorer\SIGNUP\backup.exe"C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\6⤵PID:3988
-
-
-
C:\Program Files\Java\backup.exe"C:\Program Files\Java\backup.exe" C:\Program Files\Java\5⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1364 -
C:\Program Files\Java\jdk1.8.0_66\backup.exe"C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\6⤵
- Drops file in Program Files directory
PID:1652 -
C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe"C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\7⤵
- Disables RegEdit via registry modification
PID:4060
-
-
C:\Program Files\Java\jdk1.8.0_66\db\backup.exe"C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\7⤵
- Drops file in Program Files directory
PID:4692 -
C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe"C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\8⤵PID:1544
-
-
C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe"C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\8⤵PID:3444
-
-
-
C:\Program Files\Java\jdk1.8.0_66\include\update.exe"C:\Program Files\Java\jdk1.8.0_66\include\update.exe" C:\Program Files\Java\jdk1.8.0_66\include\7⤵
- Drops file in Program Files directory
PID:1316 -
C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe"C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\8⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:2160 -
C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe"C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\9⤵PID:4984
-
-
-
-
C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe"C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\7⤵
- Modifies visibility of file extensions in Explorer
PID:3864 -
C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe"C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- System policy modification
PID:2572 -
C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\System Restore.exe"C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\9⤵
- Modifies visibility of file extensions in Explorer
PID:4628
-
-
C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe"C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\9⤵PID:1732
-
-
-
-
-
C:\Program Files\Java\jre1.8.0_66\backup.exe"C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\6⤵
- Disables RegEdit via registry modification
- System policy modification
PID:2648 -
C:\Program Files\Java\jre1.8.0_66\bin\backup.exe"C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:3328 -
C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe"C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\8⤵
- System policy modification
PID:1004
-
-
C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe"C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\8⤵PID:3124
-
-
-
-
-
C:\Program Files\Microsoft Office\backup.exe"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\5⤵
- Drops file in Program Files directory
PID:736 -
C:\Program Files\Microsoft Office\Office16\backup.exe"C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1676
-
-
C:\Program Files\Microsoft Office\PackageManifests\backup.exe"C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\6⤵PID:4124
-
-
C:\Program Files\Microsoft Office\root\backup.exe"C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\6⤵PID:3680
-
-
-
-
C:\Program Files (x86)\backup.exe"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2096 -
C:\Program Files (x86)\Adobe\backup.exe"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2148 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\6⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1308 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\7⤵PID:4404
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\System Restore.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\7⤵
- Drops file in Program Files directory
PID:2304 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\8⤵PID:4704
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\9⤵
- Modifies visibility of file extensions in Explorer
PID:3420
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\8⤵
- System policy modification
PID:1480 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\9⤵PID:4348
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\8⤵
- System policy modification
PID:740
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\8⤵
- Disables RegEdit via registry modification
PID:4628
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\8⤵
- Modifies visibility of file extensions in Explorer
PID:4404 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\9⤵
- Modifies visibility of file extensions in Explorer
PID:4084
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\8⤵
- Disables RegEdit via registry modification
PID:3820 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\9⤵PID:3136
-
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\7⤵PID:2080
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\8⤵
- Modifies visibility of file extensions in Explorer
PID:2196 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\9⤵
- System policy modification
PID:3912
-
-
-
-
-
-
C:\Program Files (x86)\Common Files\backup.exe"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\5⤵
- Drops file in Program Files directory
PID:3356 -
C:\Program Files (x86)\Common Files\Adobe\backup.exe"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\6⤵
- Drops file in Program Files directory
PID:2748 -
C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\7⤵
- System policy modification
PID:1532
-
-
C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe"C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\7⤵PID:2160
-
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\System Restore.exe"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\8⤵PID:1432
-
-
-
C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\7⤵
- Drops file in Program Files directory
PID:4860 -
C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:3352
-
-
-
C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:3672 -
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:4344 -
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\data.exe"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\9⤵
- Drops file in Program Files directory
- System policy modification
PID:2364 -
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\10⤵
- Disables RegEdit via registry modification
PID:4328
-
-
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\10⤵
- System policy modification
PID:2748 -
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\11⤵PID:1700
-
-
-
-
-
-
-
C:\Program Files (x86)\Common Files\Java\backup.exe"C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\6⤵
- Drops file in Program Files directory
PID:4240 -
C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe"C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\7⤵
- Disables RegEdit via registry modification
PID:1468
-
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe"C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\6⤵PID:3500
-
C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe"C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\7⤵PID:4396
-
-
-
-
C:\Program Files (x86)\Google\backup.exe"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:3352 -
C:\Program Files (x86)\Google\CrashReports\backup.exe"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\6⤵
- Modifies visibility of file extensions in Explorer
PID:4000
-
-
C:\Program Files (x86)\Google\Policies\backup.exe"C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1260
-
-
C:\Program Files (x86)\Google\Temp\backup.exe"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\6⤵PID:4212
-
-
-
-
C:\Users\backup.exeC:\Users\backup.exe C:\Users\4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2584 -
C:\Users\Admin\backup.exeC:\Users\Admin\backup.exe C:\Users\Admin\5⤵
- System policy modification
PID:1968 -
C:\Users\Admin\3D Objects\System Restore.exe"C:\Users\Admin\3D Objects\System Restore.exe" C:\Users\Admin\3D Objects\6⤵PID:3352
-
-
C:\Users\Admin\Contacts\backup.exeC:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\6⤵
- Modifies visibility of file extensions in Explorer
PID:3328
-
-
C:\Users\Admin\Desktop\update.exeC:\Users\Admin\Desktop\update.exe C:\Users\Admin\Desktop\6⤵PID:752
-
-
C:\Users\Admin\Documents\backup.exeC:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\6⤵PID:2536
-
-
C:\Users\Admin\Downloads\backup.exeC:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\6⤵
- Disables RegEdit via registry modification
PID:4372
-
-
C:\Users\Admin\Favorites\data.exeC:\Users\Admin\Favorites\data.exe C:\Users\Admin\Favorites\6⤵PID:3692
-
-
C:\Users\Admin\Links\backup.exeC:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\6⤵PID:3392
-
-
C:\Users\Admin\Music\backup.exeC:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\6⤵PID:752
-
-
C:\Users\Admin\OneDrive\backup.exeC:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\6⤵
- Modifies visibility of file extensions in Explorer
PID:1544
-
-
C:\Users\Admin\Pictures\backup.exeC:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\6⤵
- Modifies visibility of file extensions in Explorer
PID:796 -
C:\Users\Admin\Pictures\Camera Roll\backup.exe"C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:2216
-
-
C:\Users\Admin\Pictures\Saved Pictures\backup.exe"C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\7⤵
- Disables RegEdit via registry modification
PID:4516
-
-
-
-
C:\Users\Public\backup.exeC:\Users\Public\backup.exe C:\Users\Public\5⤵PID:2592
-
C:\Users\Public\Documents\backup.exeC:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\6⤵
- Modifies visibility of file extensions in Explorer
PID:2260
-
-
C:\Users\Public\Downloads\data.exeC:\Users\Public\Downloads\data.exe C:\Users\Public\Downloads\6⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1012
-
-
C:\Users\Public\Music\backup.exeC:\Users\Public\Music\backup.exe C:\Users\Public\Music\6⤵PID:1276
-
-
C:\Users\Public\Pictures\backup.exeC:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\6⤵PID:3008
-
-
-
-
C:\Windows\backup.exeC:\Windows\backup.exe C:\Windows\4⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5072 -
C:\Windows\addins\backup.exeC:\Windows\addins\backup.exe C:\Windows\addins\5⤵PID:1700
-
-
C:\Windows\appcompat\backup.exeC:\Windows\appcompat\backup.exe C:\Windows\appcompat\5⤵
- Drops file in Windows directory
- System policy modification
PID:4052 -
C:\Windows\appcompat\appraiser\backup.exeC:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\6⤵PID:2272
-
C:\Windows\appcompat\appraiser\Telemetry\backup.exeC:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\7⤵
- Disables RegEdit via registry modification
PID:3768
-
-
-
C:\Windows\appcompat\encapsulation\backup.exeC:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\6⤵
- Modifies visibility of file extensions in Explorer
PID:2592
-
-
C:\Windows\appcompat\Programs\backup.exeC:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\6⤵PID:4680
-
-
-
C:\Windows\apppatch\backup.exeC:\Windows\apppatch\backup.exe C:\Windows\apppatch\5⤵
- Disables RegEdit via registry modification
- Drops file in Windows directory
PID:3244 -
C:\Windows\apppatch\AppPatch64\backup.exeC:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1300
-
-
C:\Windows\apppatch\Custom\backup.exeC:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Windows directory
- System policy modification
PID:2272 -
C:\Windows\apppatch\Custom\Custom64\backup.exeC:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:2812
-
-
-
C:\Windows\apppatch\CustomSDB\backup.exeC:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\6⤵PID:3680
-
-
C:\Windows\apppatch\de-DE\backup.exeC:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\6⤵
- Disables RegEdit via registry modification
PID:4988
-
-
C:\Windows\apppatch\en-US\backup.exeC:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\6⤵
- System policy modification
PID:5080
-
-
C:\Windows\apppatch\es-ES\backup.exeC:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\6⤵PID:4836
-
-
-
C:\Windows\AppReadiness\backup.exeC:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\5⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1964
-
-
C:\Windows\assembly\backup.exeC:\Windows\assembly\backup.exe C:\Windows\assembly\5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Windows directory
- System policy modification
PID:2076 -
C:\Windows\assembly\GAC\backup.exeC:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\6⤵
- Drops file in Windows directory
PID:2656 -
C:\Windows\assembly\GAC\ADODB\backup.exeC:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\7⤵
- Disables RegEdit via registry modification
- Drops file in Windows directory
PID:3872
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exeC:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4412
-
-
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exeC:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2648
-
-
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3200
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4224
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4644
-
-
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2676
-
-
C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
1⤵
PID:4012
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
72KB
MD5: 0486429f6dca34633dd1cc480bb703e6
SHA1: a72c8ffc84a747f55cb2feea5ef151d6e7da63dd
SHA256: 7d512d25d3c9e955df518d9cd03f725fdb580c70130be7ab0bcbe40efe7f45cd
SHA512: 132ef9b8748a02dfb3f08266b5203d52b647296c716e2e2679340b6bf90a299ad1897f436ec85f9938a33fe070f2825b22dc4da81b065bdd1285fe48520fbabe
-
Filesize
72KB
MD5: 0486429f6dca34633dd1cc480bb703e6
SHA1: a72c8ffc84a747f55cb2feea5ef151d6e7da63dd
SHA256: 7d512d25d3c9e955df518d9cd03f725fdb580c70130be7ab0bcbe40efe7f45cd
SHA512: 132ef9b8748a02dfb3f08266b5203d52b647296c716e2e2679340b6bf90a299ad1897f436ec85f9938a33fe070f2825b22dc4da81b065bdd1285fe48520fbabe
-
Filesize
72KB
MD5: 56f71f3998478ac18ed2656e32226806
SHA1: 6628544733618177f9b980fd93acffd1d9720b85
SHA256: 6af6c5462c0f48bf41156f82d5c5a4f758ab0efdaa5819be770ca8c3c1d11da2
SHA512: 1adb5f0f89c4bf345333fb352af9c47cb438c21a7058cc698e5fc73c33991012b23326d8ce9f631750ef57ca09d3d63dee7193dc4102035a810814457c5e8921
-
Filesize
72KB
MD5: 56f71f3998478ac18ed2656e32226806
SHA1: 6628544733618177f9b980fd93acffd1d9720b85
SHA256: 6af6c5462c0f48bf41156f82d5c5a4f758ab0efdaa5819be770ca8c3c1d11da2
SHA512: 1adb5f0f89c4bf345333fb352af9c47cb438c21a7058cc698e5fc73c33991012b23326d8ce9f631750ef57ca09d3d63dee7193dc4102035a810814457c5e8921
-
Filesize
72KB
MD5: 8fa45b72c461e9d4360e2ee825079bbd
SHA1: e65ff09bd4930d866b980bacdfa2be8aa381013b
SHA256: 76238dffd66b19da91f68bb82123b176a3409cbe539cfd9fca4695df0f38644c
SHA512: 489fbff824fdd806e2c2f5069577a725da7682eb47a79a18258167e48f63c5e973536d3af1d605bfe34bd17ed934bf14888dc906a3044f1be853f8af9aa50a88
-
Filesize
72KB
MD5: 8fa45b72c461e9d4360e2ee825079bbd
SHA1: e65ff09bd4930d866b980bacdfa2be8aa381013b
SHA256: 76238dffd66b19da91f68bb82123b176a3409cbe539cfd9fca4695df0f38644c
SHA512: 489fbff824fdd806e2c2f5069577a725da7682eb47a79a18258167e48f63c5e973536d3af1d605bfe34bd17ed934bf14888dc906a3044f1be853f8af9aa50a88
-
Filesize
72KB
MD5: 601bd9e673a378d6accf2dd0efc4f360
SHA1: c0a66446399abbbe030bfa64132cb389853364c1
SHA256: 0c991f80f9f853d197b66e61eccdc4a95306c3c853f6c9c0e74c53347ffc959a
SHA512: bc3f269828e6a2deed58db9e371e4676eb428a8e99b3a600c89c22197b3325d820f0248019d3e5e9604afecb4733e3bdf4c00617676f79260cc6b2f71e971b99
-
Filesize
72KB
MD5: 601bd9e673a378d6accf2dd0efc4f360
SHA1: c0a66446399abbbe030bfa64132cb389853364c1
SHA256: 0c991f80f9f853d197b66e61eccdc4a95306c3c853f6c9c0e74c53347ffc959a
SHA512: bc3f269828e6a2deed58db9e371e4676eb428a8e99b3a600c89c22197b3325d820f0248019d3e5e9604afecb4733e3bdf4c00617676f79260cc6b2f71e971b99
-
Filesize
72KB
MD5: b8f5663d52a7978cfeede2c2ac4c14a0
SHA1: e030a85ce177cb0dc3f1e9245844397fd83bf65f
SHA256: d3262fe827eabebaa091b96aa5b9cb8fda16a06326c67ab51a48615bcc8d19cb
SHA512: a18d9fcfd0999a0c9e02050fcac88c2ba5c6989985f58cb15ec32fd443bbc2200beb0b55fbff8b227bfc04ee044b605b63135f56f8b5f040ccdcf2c54473a055
-
Filesize
72KB
MD5: b8f5663d52a7978cfeede2c2ac4c14a0
SHA1: e030a85ce177cb0dc3f1e9245844397fd83bf65f
SHA256: d3262fe827eabebaa091b96aa5b9cb8fda16a06326c67ab51a48615bcc8d19cb
SHA512: a18d9fcfd0999a0c9e02050fcac88c2ba5c6989985f58cb15ec32fd443bbc2200beb0b55fbff8b227bfc04ee044b605b63135f56f8b5f040ccdcf2c54473a055
-
Filesize
72KB
MD5: 9db624bd849fab92c875da185d103d74
SHA1: f7ac745023b21cc28a3811c4fe72a22d1fa8b9c0
SHA256: b9a385535373511ab6033234f46a674dcc9066dfbcfaba6d3adef030f67fcea9
SHA512: 086d724da10ad15d9ce2e779db02dc09a525c5e9f692e4aabd61ebfb2ad6f149959312c05e0de6ef014b7439f89a1859b4c55887a2b6527f4848dfdcc21481bc
-
Filesize
72KB
MD5: 9db624bd849fab92c875da185d103d74
SHA1: f7ac745023b21cc28a3811c4fe72a22d1fa8b9c0
SHA256: b9a385535373511ab6033234f46a674dcc9066dfbcfaba6d3adef030f67fcea9
SHA512: 086d724da10ad15d9ce2e779db02dc09a525c5e9f692e4aabd61ebfb2ad6f149959312c05e0de6ef014b7439f89a1859b4c55887a2b6527f4848dfdcc21481bc
-
Filesize
72KB
MD5: 601bd9e673a378d6accf2dd0efc4f360
SHA1: c0a66446399abbbe030bfa64132cb389853364c1
SHA256: 0c991f80f9f853d197b66e61eccdc4a95306c3c853f6c9c0e74c53347ffc959a
SHA512: bc3f269828e6a2deed58db9e371e4676eb428a8e99b3a600c89c22197b3325d820f0248019d3e5e9604afecb4733e3bdf4c00617676f79260cc6b2f71e971b99
-
Filesize
72KB
MD5: 601bd9e673a378d6accf2dd0efc4f360
SHA1: c0a66446399abbbe030bfa64132cb389853364c1
SHA256: 0c991f80f9f853d197b66e61eccdc4a95306c3c853f6c9c0e74c53347ffc959a
SHA512: bc3f269828e6a2deed58db9e371e4676eb428a8e99b3a600c89c22197b3325d820f0248019d3e5e9604afecb4733e3bdf4c00617676f79260cc6b2f71e971b99
-
Filesize
72KB
MD5: 7d6f7cf360d90214ce7f469364f7f33f
SHA1: 27f66ba48fa649f913baae42a49676d515871893
SHA256: 18003bbbdac85df43a7c24f72b558843ed8dec18a8ea0056f836f7a99b05dfb5
SHA512: c7d1ada413d3f2474121e4a4366be46af6dc40b9d1d4a68a07eaef01a7d5c914655b32beb8d4214eb2fd712b5ea822b1ec7e881c7ded11f048ece1526449ac27
-
Filesize
72KB
MD5: 7d6f7cf360d90214ce7f469364f7f33f
SHA1: 27f66ba48fa649f913baae42a49676d515871893
SHA256: 18003bbbdac85df43a7c24f72b558843ed8dec18a8ea0056f836f7a99b05dfb5
SHA512: c7d1ada413d3f2474121e4a4366be46af6dc40b9d1d4a68a07eaef01a7d5c914655b32beb8d4214eb2fd712b5ea822b1ec7e881c7ded11f048ece1526449ac27
-
Filesize
72KB
MD5: 9db624bd849fab92c875da185d103d74
SHA1: f7ac745023b21cc28a3811c4fe72a22d1fa8b9c0
SHA256: b9a385535373511ab6033234f46a674dcc9066dfbcfaba6d3adef030f67fcea9
SHA512: 086d724da10ad15d9ce2e779db02dc09a525c5e9f692e4aabd61ebfb2ad6f149959312c05e0de6ef014b7439f89a1859b4c55887a2b6527f4848dfdcc21481bc
-
Filesize
72KB
MD5: 9db624bd849fab92c875da185d103d74
SHA1: f7ac745023b21cc28a3811c4fe72a22d1fa8b9c0
SHA256: b9a385535373511ab6033234f46a674dcc9066dfbcfaba6d3adef030f67fcea9
SHA512: 086d724da10ad15d9ce2e779db02dc09a525c5e9f692e4aabd61ebfb2ad6f149959312c05e0de6ef014b7439f89a1859b4c55887a2b6527f4848dfdcc21481bc
-
Filesize
72KB
MD5: 47f604c9616cb68e1d3e1cfd94a1799b
SHA1: 25768acc06c7f405997321ab53c1605183d4bc56
SHA256: 34e8979a2b3cc0f8ceaa1b60b866be857096e92d5efcbbbf618a41933e500142
SHA512: ad2562d87b836791fff737d85a47653f5827855c81f115fc72ef40cbfba798d5b905db220c5a4df6f268ed6b8adf80b5b21d3213fbe6423463863149a551f8f7
-
Filesize
72KB
MD5: 47f604c9616cb68e1d3e1cfd94a1799b
SHA1: 25768acc06c7f405997321ab53c1605183d4bc56
SHA256: 34e8979a2b3cc0f8ceaa1b60b866be857096e92d5efcbbbf618a41933e500142
SHA512: ad2562d87b836791fff737d85a47653f5827855c81f115fc72ef40cbfba798d5b905db220c5a4df6f268ed6b8adf80b5b21d3213fbe6423463863149a551f8f7
-
Filesize
72KB
MD5: 47f604c9616cb68e1d3e1cfd94a1799b
SHA1: 25768acc06c7f405997321ab53c1605183d4bc56
SHA256: 34e8979a2b3cc0f8ceaa1b60b866be857096e92d5efcbbbf618a41933e500142
SHA512: ad2562d87b836791fff737d85a47653f5827855c81f115fc72ef40cbfba798d5b905db220c5a4df6f268ed6b8adf80b5b21d3213fbe6423463863149a551f8f7
-
Filesize
72KB
MD5: 47f604c9616cb68e1d3e1cfd94a1799b
SHA1: 25768acc06c7f405997321ab53c1605183d4bc56
SHA256: 34e8979a2b3cc0f8ceaa1b60b866be857096e92d5efcbbbf618a41933e500142
SHA512: ad2562d87b836791fff737d85a47653f5827855c81f115fc72ef40cbfba798d5b905db220c5a4df6f268ed6b8adf80b5b21d3213fbe6423463863149a551f8f7
-
Filesize
72KB
MD5: 47f604c9616cb68e1d3e1cfd94a1799b
SHA1: 25768acc06c7f405997321ab53c1605183d4bc56
SHA256: 34e8979a2b3cc0f8ceaa1b60b866be857096e92d5efcbbbf618a41933e500142
SHA512: ad2562d87b836791fff737d85a47653f5827855c81f115fc72ef40cbfba798d5b905db220c5a4df6f268ed6b8adf80b5b21d3213fbe6423463863149a551f8f7
-
Filesize
72KB
MD5: 47f604c9616cb68e1d3e1cfd94a1799b
SHA1: 25768acc06c7f405997321ab53c1605183d4bc56
SHA256: 34e8979a2b3cc0f8ceaa1b60b866be857096e92d5efcbbbf618a41933e500142
SHA512: ad2562d87b836791fff737d85a47653f5827855c81f115fc72ef40cbfba798d5b905db220c5a4df6f268ed6b8adf80b5b21d3213fbe6423463863149a551f8f7
-
Filesize
72KB
MD5: 47f604c9616cb68e1d3e1cfd94a1799b
SHA1: 25768acc06c7f405997321ab53c1605183d4bc56
SHA256: 34e8979a2b3cc0f8ceaa1b60b866be857096e92d5efcbbbf618a41933e500142
SHA512: ad2562d87b836791fff737d85a47653f5827855c81f115fc72ef40cbfba798d5b905db220c5a4df6f268ed6b8adf80b5b21d3213fbe6423463863149a551f8f7
-
Filesize
72KB
MD5: 47f604c9616cb68e1d3e1cfd94a1799b
SHA1: 25768acc06c7f405997321ab53c1605183d4bc56
SHA256: 34e8979a2b3cc0f8ceaa1b60b866be857096e92d5efcbbbf618a41933e500142
SHA512: ad2562d87b836791fff737d85a47653f5827855c81f115fc72ef40cbfba798d5b905db220c5a4df6f268ed6b8adf80b5b21d3213fbe6423463863149a551f8f7
-
Filesize
72KB
MD5: 47f604c9616cb68e1d3e1cfd94a1799b
SHA1: 25768acc06c7f405997321ab53c1605183d4bc56
SHA256: 34e8979a2b3cc0f8ceaa1b60b866be857096e92d5efcbbbf618a41933e500142
SHA512: ad2562d87b836791fff737d85a47653f5827855c81f115fc72ef40cbfba798d5b905db220c5a4df6f268ed6b8adf80b5b21d3213fbe6423463863149a551f8f7
-
Filesize
72KB
MD5: 47f604c9616cb68e1d3e1cfd94a1799b
SHA1: 25768acc06c7f405997321ab53c1605183d4bc56
SHA256: 34e8979a2b3cc0f8ceaa1b60b866be857096e92d5efcbbbf618a41933e500142
SHA512: ad2562d87b836791fff737d85a47653f5827855c81f115fc72ef40cbfba798d5b905db220c5a4df6f268ed6b8adf80b5b21d3213fbe6423463863149a551f8f7
-
Filesize
72KB
MD5: 47f604c9616cb68e1d3e1cfd94a1799b
SHA1: 25768acc06c7f405997321ab53c1605183d4bc56
SHA256: 34e8979a2b3cc0f8ceaa1b60b866be857096e92d5efcbbbf618a41933e500142
SHA512: ad2562d87b836791fff737d85a47653f5827855c81f115fc72ef40cbfba798d5b905db220c5a4df6f268ed6b8adf80b5b21d3213fbe6423463863149a551f8f7
-
Filesize
72KB
MD5: 47f604c9616cb68e1d3e1cfd94a1799b
SHA1: 25768acc06c7f405997321ab53c1605183d4bc56
SHA256: 34e8979a2b3cc0f8ceaa1b60b866be857096e92d5efcbbbf618a41933e500142
SHA512: ad2562d87b836791fff737d85a47653f5827855c81f115fc72ef40cbfba798d5b905db220c5a4df6f268ed6b8adf80b5b21d3213fbe6423463863149a551f8f7
-
Filesize
72KB
MD5: 50c7057a934d00ebe8bdd30843a069de
SHA1: d0ca56d5c17a938ed5e471150625928f4f062930
SHA256: da398d393c88f8d2d338508513650fb2663d67e2514cf0e7220af02f900e9fa5
SHA512: 6db8a8f4e845f56b7050206747b71bcb0176e094ef7dfb3959bf37ba9614d8eff80afc6896e56036cfa255d5a99e66d810940e22a5e773b227f86ae6245d39a5
-
Filesize
72KB
MD5: 50c7057a934d00ebe8bdd30843a069de
SHA1: d0ca56d5c17a938ed5e471150625928f4f062930
SHA256: da398d393c88f8d2d338508513650fb2663d67e2514cf0e7220af02f900e9fa5
SHA512: 6db8a8f4e845f56b7050206747b71bcb0176e094ef7dfb3959bf37ba9614d8eff80afc6896e56036cfa255d5a99e66d810940e22a5e773b227f86ae6245d39a5
-
Filesize
72KB
MD5: 50c7057a934d00ebe8bdd30843a069de
SHA1: d0ca56d5c17a938ed5e471150625928f4f062930
SHA256: da398d393c88f8d2d338508513650fb2663d67e2514cf0e7220af02f900e9fa5
SHA512: 6db8a8f4e845f56b7050206747b71bcb0176e094ef7dfb3959bf37ba9614d8eff80afc6896e56036cfa255d5a99e66d810940e22a5e773b227f86ae6245d39a5
-
Filesize
72KB
MD5: 50c7057a934d00ebe8bdd30843a069de
SHA1: d0ca56d5c17a938ed5e471150625928f4f062930
SHA256: da398d393c88f8d2d338508513650fb2663d67e2514cf0e7220af02f900e9fa5
SHA512: 6db8a8f4e845f56b7050206747b71bcb0176e094ef7dfb3959bf37ba9614d8eff80afc6896e56036cfa255d5a99e66d810940e22a5e773b227f86ae6245d39a5
-
Filesize
72KB
MD5: 50c7057a934d00ebe8bdd30843a069de
SHA1: d0ca56d5c17a938ed5e471150625928f4f062930
SHA256: da398d393c88f8d2d338508513650fb2663d67e2514cf0e7220af02f900e9fa5
SHA512: 6db8a8f4e845f56b7050206747b71bcb0176e094ef7dfb3959bf37ba9614d8eff80afc6896e56036cfa255d5a99e66d810940e22a5e773b227f86ae6245d39a5
-
Filesize
72KB
MD5: 50c7057a934d00ebe8bdd30843a069de
SHA1: d0ca56d5c17a938ed5e471150625928f4f062930
SHA256: da398d393c88f8d2d338508513650fb2663d67e2514cf0e7220af02f900e9fa5
SHA512: 6db8a8f4e845f56b7050206747b71bcb0176e094ef7dfb3959bf37ba9614d8eff80afc6896e56036cfa255d5a99e66d810940e22a5e773b227f86ae6245d39a5
-
Filesize
72KB
MD5: 50c7057a934d00ebe8bdd30843a069de
SHA1: d0ca56d5c17a938ed5e471150625928f4f062930
SHA256: da398d393c88f8d2d338508513650fb2663d67e2514cf0e7220af02f900e9fa5
SHA512: 6db8a8f4e845f56b7050206747b71bcb0176e094ef7dfb3959bf37ba9614d8eff80afc6896e56036cfa255d5a99e66d810940e22a5e773b227f86ae6245d39a5
-
Filesize
72KB
MD5: 50c7057a934d00ebe8bdd30843a069de
SHA1: d0ca56d5c17a938ed5e471150625928f4f062930
SHA256: da398d393c88f8d2d338508513650fb2663d67e2514cf0e7220af02f900e9fa5
SHA512: 6db8a8f4e845f56b7050206747b71bcb0176e094ef7dfb3959bf37ba9614d8eff80afc6896e56036cfa255d5a99e66d810940e22a5e773b227f86ae6245d39a5
-
Filesize
72KB
MD5: a2b30256e1a65ae35633f66290209f17
SHA1: 3d869cf82f9f8f35ee4860c9f63e2d06d023e53a
SHA256: bc4248ba6521adf21b94b4ae38422946e8444ae8294df371d9cceaf416d18396
SHA512: 7a739712918a1326e6959924289a37dcfa47f50e1c343ccc4b41ef9076b8dc109057f6345cc96426950dbed2e8b28c26f84bff9bad12df7c9ab32de5a57d48a5
-
Filesize
72KB
MD5: a2b30256e1a65ae35633f66290209f17
SHA1: 3d869cf82f9f8f35ee4860c9f63e2d06d023e53a
SHA256: bc4248ba6521adf21b94b4ae38422946e8444ae8294df371d9cceaf416d18396
SHA512: 7a739712918a1326e6959924289a37dcfa47f50e1c343ccc4b41ef9076b8dc109057f6345cc96426950dbed2e8b28c26f84bff9bad12df7c9ab32de5a57d48a5
-
Filesize
72KB
MD5: a2b30256e1a65ae35633f66290209f17
SHA1: 3d869cf82f9f8f35ee4860c9f63e2d06d023e53a
SHA256: bc4248ba6521adf21b94b4ae38422946e8444ae8294df371d9cceaf416d18396
SHA512: 7a739712918a1326e6959924289a37dcfa47f50e1c343ccc4b41ef9076b8dc109057f6345cc96426950dbed2e8b28c26f84bff9bad12df7c9ab32de5a57d48a5
-
Filesize
72KB
MD5: a2b30256e1a65ae35633f66290209f17
SHA1: 3d869cf82f9f8f35ee4860c9f63e2d06d023e53a
SHA256: bc4248ba6521adf21b94b4ae38422946e8444ae8294df371d9cceaf416d18396
SHA512: 7a739712918a1326e6959924289a37dcfa47f50e1c343ccc4b41ef9076b8dc109057f6345cc96426950dbed2e8b28c26f84bff9bad12df7c9ab32de5a57d48a5
-
Filesize
72KB
MD5: a2b30256e1a65ae35633f66290209f17
SHA1: 3d869cf82f9f8f35ee4860c9f63e2d06d023e53a
SHA256: bc4248ba6521adf21b94b4ae38422946e8444ae8294df371d9cceaf416d18396
SHA512: 7a739712918a1326e6959924289a37dcfa47f50e1c343ccc4b41ef9076b8dc109057f6345cc96426950dbed2e8b28c26f84bff9bad12df7c9ab32de5a57d48a5
-
Filesize
72KB
MD5: a2b30256e1a65ae35633f66290209f17
SHA1: 3d869cf82f9f8f35ee4860c9f63e2d06d023e53a
SHA256: bc4248ba6521adf21b94b4ae38422946e8444ae8294df371d9cceaf416d18396
SHA512: 7a739712918a1326e6959924289a37dcfa47f50e1c343ccc4b41ef9076b8dc109057f6345cc96426950dbed2e8b28c26f84bff9bad12df7c9ab32de5a57d48a5
-
Filesize
72KB
MD5: 0486429f6dca34633dd1cc480bb703e6
SHA1: a72c8ffc84a747f55cb2feea5ef151d6e7da63dd
SHA256: 7d512d25d3c9e955df518d9cd03f725fdb580c70130be7ab0bcbe40efe7f45cd
SHA512: 132ef9b8748a02dfb3f08266b5203d52b647296c716e2e2679340b6bf90a299ad1897f436ec85f9938a33fe070f2825b22dc4da81b065bdd1285fe48520fbabe
-
Filesize
72KB
MD5: 0486429f6dca34633dd1cc480bb703e6
SHA1: a72c8ffc84a747f55cb2feea5ef151d6e7da63dd
SHA256: 7d512d25d3c9e955df518d9cd03f725fdb580c70130be7ab0bcbe40efe7f45cd
SHA512: 132ef9b8748a02dfb3f08266b5203d52b647296c716e2e2679340b6bf90a299ad1897f436ec85f9938a33fe070f2825b22dc4da81b065bdd1285fe48520fbabe
-
Filesize
72KB
MD5: 1adf91b675ce0f319a585d25681a1e05
SHA1: 08e66ba5b8a3eed1d6b1875a229531a4117b0789
SHA256: f93606238861bf764eb9153745372ea6ffe4e681c8a175182122a9cf694aa567
SHA512: 6719abb03558e8c23574596b246bfa5ef97437cfa922accb2b4cdfc68d0f2c1002281273319e2fe7e9ca4f7d83dddaf412509649d0ab15fbd4ba15ef9017ea26
-
Filesize
72KB
MD5: 1adf91b675ce0f319a585d25681a1e05
SHA1: 08e66ba5b8a3eed1d6b1875a229531a4117b0789
SHA256: f93606238861bf764eb9153745372ea6ffe4e681c8a175182122a9cf694aa567
SHA512: 6719abb03558e8c23574596b246bfa5ef97437cfa922accb2b4cdfc68d0f2c1002281273319e2fe7e9ca4f7d83dddaf412509649d0ab15fbd4ba15ef9017ea26
-
Filesize
72KB
MD5: b00fb443da059765d25c2de6447a7690
SHA1: 2e657311321b8dcd5ca6e73432c6980fa9044699
SHA256: 85946d274529d48962fa1b2500b637fedb3ae84a3f49f6c6505a205091af9feb
SHA512: 702b243ce492e421fefb29233bce75e15daa3ea02abebd03e8f0183c7a74fe68876371edfa4c77363ae7462ad1c3ff41747076c84ed7fe3590d68b8d86282f1a
-
Filesize
72KB
MD5: b00fb443da059765d25c2de6447a7690
SHA1: 2e657311321b8dcd5ca6e73432c6980fa9044699
SHA256: 85946d274529d48962fa1b2500b637fedb3ae84a3f49f6c6505a205091af9feb
SHA512: 702b243ce492e421fefb29233bce75e15daa3ea02abebd03e8f0183c7a74fe68876371edfa4c77363ae7462ad1c3ff41747076c84ed7fe3590d68b8d86282f1a
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize 72KB
MD5: b00fb443da059765d25c2de6447a7690
SHA1: 2e657311321b8dcd5ca6e73432c6980fa9044699
SHA256: 85946d274529d48962fa1b2500b637fedb3ae84a3f49f6c6505a205091af9feb
SHA512: 702b243ce492e421fefb29233bce75e15daa3ea02abebd03e8f0183c7a74fe68876371edfa4c77363ae7462ad1c3ff41747076c84ed7fe3590d68b8d86282f1a
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize 72KB
MD5: b00fb443da059765d25c2de6447a7690
SHA1: 2e657311321b8dcd5ca6e73432c6980fa9044699
SHA256: 85946d274529d48962fa1b2500b637fedb3ae84a3f49f6c6505a205091af9feb
SHA512: 702b243ce492e421fefb29233bce75e15daa3ea02abebd03e8f0183c7a74fe68876371edfa4c77363ae7462ad1c3ff41747076c84ed7fe3590d68b8d86282f1a
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize 72KB
MD5: b00fb443da059765d25c2de6447a7690
SHA1: 2e657311321b8dcd5ca6e73432c6980fa9044699
SHA256: 85946d274529d48962fa1b2500b637fedb3ae84a3f49f6c6505a205091af9feb
SHA512: 702b243ce492e421fefb29233bce75e15daa3ea02abebd03e8f0183c7a74fe68876371edfa4c77363ae7462ad1c3ff41747076c84ed7fe3590d68b8d86282f1a
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize 72KB
MD5: b00fb443da059765d25c2de6447a7690
SHA1: 2e657311321b8dcd5ca6e73432c6980fa9044699
SHA256: 85946d274529d48962fa1b2500b637fedb3ae84a3f49f6c6505a205091af9feb
SHA512: 702b243ce492e421fefb29233bce75e15daa3ea02abebd03e8f0183c7a74fe68876371edfa4c77363ae7462ad1c3ff41747076c84ed7fe3590d68b8d86282f1a
-
Filesize
72KB
MD5: b00fb443da059765d25c2de6447a7690
SHA1: 2e657311321b8dcd5ca6e73432c6980fa9044699
SHA256: 85946d274529d48962fa1b2500b637fedb3ae84a3f49f6c6505a205091af9feb
SHA512: 702b243ce492e421fefb29233bce75e15daa3ea02abebd03e8f0183c7a74fe68876371edfa4c77363ae7462ad1c3ff41747076c84ed7fe3590d68b8d86282f1a
-
Filesize
72KB
MD5: b00fb443da059765d25c2de6447a7690
SHA1: 2e657311321b8dcd5ca6e73432c6980fa9044699
SHA256: 85946d274529d48962fa1b2500b637fedb3ae84a3f49f6c6505a205091af9feb
SHA512: 702b243ce492e421fefb29233bce75e15daa3ea02abebd03e8f0183c7a74fe68876371edfa4c77363ae7462ad1c3ff41747076c84ed7fe3590d68b8d86282f1a
-
Filesize
72KB
MD5: b00fb443da059765d25c2de6447a7690
SHA1: 2e657311321b8dcd5ca6e73432c6980fa9044699
SHA256: 85946d274529d48962fa1b2500b637fedb3ae84a3f49f6c6505a205091af9feb
SHA512: 702b243ce492e421fefb29233bce75e15daa3ea02abebd03e8f0183c7a74fe68876371edfa4c77363ae7462ad1c3ff41747076c84ed7fe3590d68b8d86282f1a
-
Filesize
72KB
MD5: b00fb443da059765d25c2de6447a7690
SHA1: 2e657311321b8dcd5ca6e73432c6980fa9044699
SHA256: 85946d274529d48962fa1b2500b637fedb3ae84a3f49f6c6505a205091af9feb
SHA512: 702b243ce492e421fefb29233bce75e15daa3ea02abebd03e8f0183c7a74fe68876371edfa4c77363ae7462ad1c3ff41747076c84ed7fe3590d68b8d86282f1a
-
Filesize
72KB
MD5: b00fb443da059765d25c2de6447a7690
SHA1: 2e657311321b8dcd5ca6e73432c6980fa9044699
SHA256: 85946d274529d48962fa1b2500b637fedb3ae84a3f49f6c6505a205091af9feb
SHA512: 702b243ce492e421fefb29233bce75e15daa3ea02abebd03e8f0183c7a74fe68876371edfa4c77363ae7462ad1c3ff41747076c84ed7fe3590d68b8d86282f1a
-
Filesize
72KB
MD5: b00fb443da059765d25c2de6447a7690
SHA1: 2e657311321b8dcd5ca6e73432c6980fa9044699
SHA256: 85946d274529d48962fa1b2500b637fedb3ae84a3f49f6c6505a205091af9feb
SHA512: 702b243ce492e421fefb29233bce75e15daa3ea02abebd03e8f0183c7a74fe68876371edfa4c77363ae7462ad1c3ff41747076c84ed7fe3590d68b8d86282f1a
-
Filesize
72KB
MD5: 7b18c376f33cb36fe7240d9b791b540f
SHA1: 1641ee710cc429b7d47a17c6367d54eebee2c010
SHA256: 68b73fd365147473bf176250c4197bb722025631b3c3f7a809792b3b43af936e
SHA512: 6c49a902fdb8924ba93d99e851e48cbfe0ba3078c2c0445429f7c0aa059b5219cd7b4b67e137a4ae17a1bf7c43e9e36e1d1c0aab5ff4d6e32f8b5616dfbb383a
-
Filesize
72KB
MD5: 7b18c376f33cb36fe7240d9b791b540f
SHA1: 1641ee710cc429b7d47a17c6367d54eebee2c010
SHA256: 68b73fd365147473bf176250c4197bb722025631b3c3f7a809792b3b43af936e
SHA512: 6c49a902fdb8924ba93d99e851e48cbfe0ba3078c2c0445429f7c0aa059b5219cd7b4b67e137a4ae17a1bf7c43e9e36e1d1c0aab5ff4d6e32f8b5616dfbb383a
-
Filesize
72KB
MD5: 0486429f6dca34633dd1cc480bb703e6
SHA1: a72c8ffc84a747f55cb2feea5ef151d6e7da63dd
SHA256: 7d512d25d3c9e955df518d9cd03f725fdb580c70130be7ab0bcbe40efe7f45cd
SHA512: 132ef9b8748a02dfb3f08266b5203d52b647296c716e2e2679340b6bf90a299ad1897f436ec85f9938a33fe070f2825b22dc4da81b065bdd1285fe48520fbabe
-
Filesize
72KB
MD5: 0486429f6dca34633dd1cc480bb703e6
SHA1: a72c8ffc84a747f55cb2feea5ef151d6e7da63dd
SHA256: 7d512d25d3c9e955df518d9cd03f725fdb580c70130be7ab0bcbe40efe7f45cd
SHA512: 132ef9b8748a02dfb3f08266b5203d52b647296c716e2e2679340b6bf90a299ad1897f436ec85f9938a33fe070f2825b22dc4da81b065bdd1285fe48520fbabe