54e0d5432537529d082865d7b1d2b3f3db14f80124414a672fb72a4569cf0ce8

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CleanupTool.exe
Size

6.6MB
MD5

01055d7b175ece6a0c846b7aeb3afb1c
SHA1

d2876eb4aaac6cf4cc90aa4194d12187a627c850
SHA256

54e0d5432537529d082865d7b1d2b3f3db14f80124414a672fb72a4569cf0ce8
SHA512

3caa6365447f45275ca1a07167e0d29f5302b28e100b62eb9460a1abb96605fa356898e73d2460c6be835e798d23adfa6e240172f2d38adf5a8083607c47ea51
SSDEEP

196608:D9kdARgI+eX1ItAW7pDTAJi195DEguI7iVjoN:D9kcV+eX01wi1/ZmUN

Score

8^/10

discovery evasion execution persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DRIVERS\file_tracker.sys	setupapp.exe
File opened for modification	C:\Windows\SysWOW64\DRIVERS\afcdp.sys	setupapp.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
668	icacls.exe
1136	icacls.exe
3020	icacls.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelTimounter = "CMD /C DEL /F /Q \"C:\\Windows\\system32\\drivers\\timntr.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelVolumeTracker = "CMD /C DEL /F /Q \"C:\\Windows\\system32\\drivers\\volume_tracker.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelAcronisAppDataAll = "CMD /C RMDIR /S /Q \"%ALLUSERSPROFILE%\\Acronis\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelFileTracker = "CMD /C DEL /F /Q \"C:\\Windows\\system32\\drivers\\file_tracker.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelNgelamBackup = "CMD /C DEL /F /Q \"C:\\Windows\\ELAMBKUP\\ngelam.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelFltsrv = "CMD /C DEL /F /Q \"C:\\Windows\\system32\\drivers\\fltsrv.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelFileProtector = "CMD /C DEL /F /Q \"C:\\Windows\\system32\\drivers\\file_protector.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelAcronisReg2 = "REG DELETE \"HKLM\\Software\\WOW6432Node\\Acronis\" /F"	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelAcronisProgramFiles = "CMD /C RMDIR /S /Q \"%ProgramFiles%\\Acronis\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelTibmounter = "CMD /C DEL /F /Q \"C:\\Windows\\system32\\drivers\\tib_mounter.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelVirtualFile = "CMD /C DEL /F /Q \"C:\\Windows\\system32\\drivers\\virtual_file.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelTnd = "CMD /C DEL /F /Q \"C:\\Windows\\system32\\drivers\\tnd.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelNgelam = "CMD /C DEL /F /Q \"C:\\Windows\\system32\\drivers\\ngelam.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelShellExtApproved1 = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved\" /v \"{C539A15A-3AF9-4c92-B771-50CB78F5C751}\" /f"	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelTib = "CMD /C DEL /F /Q \"C:\\Windows\\system32\\drivers\\tib.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelAcronisReg1 = "REG DELETE \"HKLM\\Software\\Acronis\" /F"	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelAcronisCommonFiles = "CMD /C RMDIR /S /Q \"%CommonProgramFiles%\\Acronis\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelAcronisAppDataUser = "CMD /C RMDIR /S /Q \"%APPDATA%\\Acronis\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelBddci = "CMD /C DEL /F /Q \"C:\\Windows\\system32\\drivers\\bddci.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelNgscan = "CMD /C DEL /F /Q \"C:\\Windows\\system32\\drivers\\ngscan.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelShellExtApproved2 = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved\" /v \"{C539A15B-3AF9-4c92-B771-50CB78F5C751}\" /f"	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelAcronisCommonFilesX86 = "CMD /C RMDIR /S /Q \"%CommonProgramFiles(x86)%\\Acronis\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelAcronisMobileAppDataAll = "CMD /C RMDIR /S /Q \"%ALLUSERSPROFILE%\\Acronis Mobile Backup Data\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelSnapman = "CMD /C DEL /F /Q \"C:\\Windows\\system32\\drivers\\snapman.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelTnD = "CMD /C DEL /F /Q \"C:\\Windows\\system32\\drivers\\tdrpm*.sys\""	cleanup_tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DelAcronisProgramFilesX86 = "CMD /C RMDIR /S /Q \"%ProgramFiles(x86)%\\Acronis\""	cleanup_tool.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\Microsoft Games\desktop.ini	solitaire.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	cleanup_tool.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe	setupapp.exe
File opened for modification	C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe	setupapp.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	setupapp.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	setupapp.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	setupapp.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	setupapp.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	setupapp.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	setupapp.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	setupapp.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	setupapp.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	setupapp.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	setupapp.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	setupapp.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	setupapp.exe

Executes dropped EXE 19 IoCs

pid	Process
1532	driver_cleanup_tool.exe
1300	cleanup_tool.exe
1840	schedmgr.exe
2372	cleanup_tool.exe
2432	setupapp.exe
952	setupapp.exe
1092	setupapp.exe
1316	setupapp.exe
1680	setupapp.exe
2428	setupapp.exe
1900	setupapp.exe
308	setupapp.exe
2684	setupapp.exe
1216	setupapp.exe
1520	setupapp.exe
2500	setupapp.exe
2744	setupapp.exe
808	cleanup_tool.exe
3044	cleanup_tool.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1556	sc.exe
1236	sc.exe
1944	sc.exe
2504	sc.exe
668	sc.exe
1136	sc.exe
784	sc.exe
1564	sc.exe
1848	sc.exe
2420	sc.exe
1288	sc.exe
2964	sc.exe

Loads dropped DLL 33 IoCs

pid	Process
2740	cmd.exe
2740	cmd.exe
2740	cmd.exe
2740	cmd.exe
2372	cleanup_tool.exe
2432	setupapp.exe
2372	cleanup_tool.exe
952	setupapp.exe
2372	cleanup_tool.exe
1092	setupapp.exe
2372	cleanup_tool.exe
1316	setupapp.exe
2372	cleanup_tool.exe
1680	setupapp.exe
2372	cleanup_tool.exe
2428	setupapp.exe
2372	cleanup_tool.exe
1900	setupapp.exe
2372	cleanup_tool.exe
308	setupapp.exe
2372	cleanup_tool.exe
2684	setupapp.exe
2372	cleanup_tool.exe
1216	setupapp.exe
2372	cleanup_tool.exe
1520	setupapp.exe
2372	cleanup_tool.exe
2500	setupapp.exe
2372	cleanup_tool.exe
2744	setupapp.exe
2372	cleanup_tool.exe
2740	cmd.exe
2740	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2588	powershell.exe
2488	powershell.exe
2292	powershell.exe
3032	powershell.exe
2240	powershell.exe
1936	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 35 IoCs

evasion

pid	Process
2728	taskkill.exe
2980	taskkill.exe
1948	taskkill.exe
1840	taskkill.exe
2672	taskkill.exe
2256	taskkill.exe
2352	taskkill.exe
2940	taskkill.exe
2372	taskkill.exe
2132	taskkill.exe
1508	taskkill.exe
1196	taskkill.exe
1412	taskkill.exe
2408	taskkill.exe
2848	taskkill.exe
2632	taskkill.exe
2172	taskkill.exe
2988	taskkill.exe
2436	taskkill.exe
308	taskkill.exe
3012	taskkill.exe
2940	taskkill.exe
1948	taskkill.exe
2780	taskkill.exe
408	taskkill.exe
2716	taskkill.exe
2676	taskkill.exe
2652	taskkill.exe
1196	taskkill.exe
2980	taskkill.exe
2600	taskkill.exe
1580	taskkill.exe
2492	taskkill.exe
2380	taskkill.exe
3024	taskkill.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft	solitaire.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\UserSpecificDataForAllUserGames\{00D8862B-6453-4957-A821-3D98D74C76BE}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX	solitaire.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\UserSpecificDataForAllUserGames	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats	solitaire.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\LastPlayed = "0"	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\UserSpecificDataForAllUserGames\{00D8862B-6453-4957-A821-3D98D74C76BE}\LastRunTime = "133659297006616000"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1548	reg.exe
2900	reg.exe
2296	reg.exe
1636	reg.exe
1240	reg.exe
2760	reg.exe
2080	reg.exe
3012	reg.exe
1404	reg.exe
1664	reg.exe
2928	reg.exe
3036	reg.exe
660	reg.exe
988	reg.exe
2292	reg.exe
2924	reg.exe
2948	reg.exe
844	reg.exe
1644	reg.exe
1092	reg.exe
2016	reg.exe
2668	reg.exe
356	reg.exe
1316	reg.exe
2684	reg.exe
952	reg.exe
316	reg.exe
2428	reg.exe
2072	reg.exe
1584	reg.exe
2956	reg.exe
3040	reg.exe
2788	reg.exe
2216	reg.exe
2908	reg.exe
2280	reg.exe
2844	reg.exe
2852	reg.exe
2960	reg.exe
1580	reg.exe
2504	reg.exe
1440	reg.exe
2640	reg.exe
2664	reg.exe
1592	reg.exe
1124	reg.exe
1284	reg.exe
1652	reg.exe
2692	reg.exe
2664	reg.exe
1136	reg.exe
328	reg.exe
2980	reg.exe
2136	reg.exe
1844	reg.exe
3008	reg.exe
2616	reg.exe
3024	reg.exe
3020	reg.exe
1000	reg.exe
1616	reg.exe
756	reg.exe
852	reg.exe
1576	reg.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2424	vlc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3032	powershell.exe
2240	powershell.exe
1936	powershell.exe
2588	powershell.exe
2488	powershell.exe
2292	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
952	explorer.exe
2424	vlc.exe
3068	solitaire.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	1412	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	408	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	308	taskkill.exe
Token: SeDebugPrivilege	2352	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	2600	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeTakeOwnershipPrivilege	1840	schedmgr.exe
Token: SeBackupPrivilege	1840	schedmgr.exe
Token: SeRestorePrivilege	1840	schedmgr.exe
Token: SeShutdownPrivilege	1840	schedmgr.exe
Token: SeRemoteShutdownPrivilege	1840	schedmgr.exe
Token: SeSecurityPrivilege	1840	schedmgr.exe
Token: SeSecurityPrivilege	1840	schedmgr.exe
Token: SeSecurityPrivilege	1840	schedmgr.exe
Token: SeSecurityPrivilege	1840	schedmgr.exe
Token: SeRestorePrivilege	952	setupapp.exe
Token: SeRestorePrivilege	952	setupapp.exe
Token: SeRestorePrivilege	952	setupapp.exe
Token: SeRestorePrivilege	952	setupapp.exe
Token: SeRestorePrivilege	952	setupapp.exe
Token: SeRestorePrivilege	952	setupapp.exe
Token: SeRestorePrivilege	952	setupapp.exe
Token: SeRestorePrivilege	1092	setupapp.exe
Token: SeRestorePrivilege	1092	setupapp.exe
Token: SeRestorePrivilege	1092	setupapp.exe
Token: SeRestorePrivilege	1092	setupapp.exe
Token: SeRestorePrivilege	1092	setupapp.exe
Token: SeRestorePrivilege	1092	setupapp.exe
Token: SeRestorePrivilege	1092	setupapp.exe
Token: SeRestorePrivilege	1316	setupapp.exe
Token: SeRestorePrivilege	1316	setupapp.exe
Token: SeRestorePrivilege	1316	setupapp.exe
Token: SeRestorePrivilege	1316	setupapp.exe
Token: SeRestorePrivilege	1316	setupapp.exe
Token: SeRestorePrivilege	1316	setupapp.exe
Token: SeRestorePrivilege	1316	setupapp.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
2424	vlc.exe
952	explorer.exe
952	explorer.exe
2424	vlc.exe
2424	vlc.exe
2424	vlc.exe
952	explorer.exe
952	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
2424	vlc.exe
2424	vlc.exe
2424	vlc.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe
952	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2424	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2860	1620	CleanupTool.exe	30
PID 1620 wrote to memory of 2860	1620	CleanupTool.exe	30
PID 1620 wrote to memory of 2860	1620	CleanupTool.exe	30
PID 1620 wrote to memory of 2860	1620	CleanupTool.exe	30
PID 1620 wrote to memory of 2860	1620	CleanupTool.exe	30
PID 1620 wrote to memory of 2860	1620	CleanupTool.exe	30
PID 1620 wrote to memory of 2860	1620	CleanupTool.exe	30
PID 2860 wrote to memory of 2852	2860	cmd.exe	32
PID 2860 wrote to memory of 2852	2860	cmd.exe	32
PID 2860 wrote to memory of 2852	2860	cmd.exe	32
PID 2860 wrote to memory of 2852	2860	cmd.exe	32
PID 2860 wrote to memory of 2720	2860	cmd.exe	33
PID 2860 wrote to memory of 2720	2860	cmd.exe	33
PID 2860 wrote to memory of 2720	2860	cmd.exe	33
PID 2860 wrote to memory of 2720	2860	cmd.exe	33
PID 2860 wrote to memory of 2880	2860	cmd.exe	34
PID 2860 wrote to memory of 2880	2860	cmd.exe	34
PID 2860 wrote to memory of 2880	2860	cmd.exe	34
PID 2860 wrote to memory of 2880	2860	cmd.exe	34
PID 2860 wrote to memory of 2840	2860	cmd.exe	35
PID 2860 wrote to memory of 2840	2860	cmd.exe	35
PID 2860 wrote to memory of 2840	2860	cmd.exe	35
PID 2860 wrote to memory of 2840	2860	cmd.exe	35
PID 2860 wrote to memory of 2884	2860	cmd.exe	36
PID 2860 wrote to memory of 2884	2860	cmd.exe	36
PID 2860 wrote to memory of 2884	2860	cmd.exe	36
PID 2860 wrote to memory of 2884	2860	cmd.exe	36
PID 2860 wrote to memory of 2848	2860	cmd.exe	37
PID 2860 wrote to memory of 2848	2860	cmd.exe	37
PID 2860 wrote to memory of 2848	2860	cmd.exe	37
PID 2860 wrote to memory of 2848	2860	cmd.exe	37
PID 1620 wrote to memory of 2740	1620	CleanupTool.exe	38
PID 1620 wrote to memory of 2740	1620	CleanupTool.exe	38
PID 1620 wrote to memory of 2740	1620	CleanupTool.exe	38
PID 1620 wrote to memory of 2740	1620	CleanupTool.exe	38
PID 2740 wrote to memory of 2616	2740	cmd.exe	40
PID 2740 wrote to memory of 2616	2740	cmd.exe	40
PID 2740 wrote to memory of 2616	2740	cmd.exe	40
PID 2740 wrote to memory of 2616	2740	cmd.exe	40
PID 2740 wrote to memory of 2624	2740	cmd.exe	41
PID 2740 wrote to memory of 2624	2740	cmd.exe	41
PID 2740 wrote to memory of 2624	2740	cmd.exe	41
PID 2740 wrote to memory of 2624	2740	cmd.exe	41
PID 2624 wrote to memory of 2648	2624	cmd.exe	42
PID 2624 wrote to memory of 2648	2624	cmd.exe	42
PID 2624 wrote to memory of 2648	2624	cmd.exe	42
PID 2624 wrote to memory of 2648	2624	cmd.exe	42
PID 2740 wrote to memory of 2668	2740	cmd.exe	43
PID 2740 wrote to memory of 2668	2740	cmd.exe	43
PID 2740 wrote to memory of 2668	2740	cmd.exe	43
PID 2740 wrote to memory of 2668	2740	cmd.exe	43
PID 2740 wrote to memory of 2680	2740	cmd.exe	44
PID 2740 wrote to memory of 2680	2740	cmd.exe	44
PID 2740 wrote to memory of 2680	2740	cmd.exe	44
PID 2740 wrote to memory of 2680	2740	cmd.exe	44
PID 2740 wrote to memory of 2772	2740	cmd.exe	45
PID 2740 wrote to memory of 2772	2740	cmd.exe	45
PID 2740 wrote to memory of 2772	2740	cmd.exe	45
PID 2740 wrote to memory of 2772	2740	cmd.exe	45
PID 2740 wrote to memory of 2380	2740	cmd.exe	46
PID 2740 wrote to memory of 2380	2740	cmd.exe	46
PID 2740 wrote to memory of 2380	2740	cmd.exe	46
PID 2740 wrote to memory of 2380	2740	cmd.exe	46
PID 2740 wrote to memory of 2336	2740	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2016	attrib.exe

C:\Users\Admin\AppData\Local\Temp\CleanupTool.exe
"C:\Users\Admin\AppData\Local\Temp\CleanupTool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\setup.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /f
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /v FontFamily /t REG_DWORD /d 54 /f
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /v FontSize /t REG_DWORD /d 917504 /f
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /v FontWeight /t REG_DWORD /d 400 /f
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe /v FaceName /t REG_SZ /d "Lucida Console" /f
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\cleanup.cmd" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKCU\Console\%SystemRoot%_system32_cmd.exe /f
    3⤵
    - Modifies registry key
    PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY "HKCU\Control Panel\International" /v sLanguage 2>nul"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY "HKCU\Control Panel\International" /v sLanguage
      4⤵
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER "
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\find.exe
    FIND "5.1"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER "
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\find.exe
    FIND "5.2"
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER "
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\find.exe
    FIND "6.0"
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER "
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\find.exe
    FIND "6.1"
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER "
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\find.exe
    FIND "6.2"
    3⤵
    PID:660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER "
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\find.exe
    FIND "6.3"
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER "
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\find.exe
    FIND "10.0"
    3⤵
    PID:356
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\ACRONISDEVICES
    3⤵
    - Modifies registry key
    PID:2016
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{419CF344-3D94-4DAD-99C8-EA7B00E5EA8B}
    3⤵
    PID:484
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E5343B27-55DF-40BD-9FCF-A643C1331E8A}
    3⤵
    - Modifies registry key
    PID:2960
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{633A06C3-B709-479a-AAB3-5EE94AD9EE4B}
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{37C8899D-FD70-481F-94AA-1F1B08765E22}
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C2F1F96A-057E-5819-B52E-FEA1D1D2933B}
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{67ED38A3-4882-448B-B44D-3428AB00D7D5}
    3⤵
    PID:572
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{04A3A6B0-8E19-49BB-82FF-65C5A55F917D}
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ED4F8314-104D-4E48-A9AE-9140FFF0913E}
    3⤵
    - Modifies registry key
    PID:3024
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4C556B5C-8EF7-47B4-AE05-FE71EEB2C25B}
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F1ED5BD7-4770-4037-9CBD-5DF9A5BEC408}
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{172C31D3-98A7-4CC7-94DF-7E85D483F086}
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9CA72668-86CC-5447-9278-A0378FE45378}
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9A5509EE-5579-46C1-B566-5065545547F9}
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{EAE5EDA9-F70E-4A70-B7BF-F764557E7BA7}
    3⤵
    - Modifies registry key
    PID:2080
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\SOFTWARE\Wow6432Node\Acronis\afcdp /v Build
    3⤵
    - Modifies registry key
    PID:1580
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM TrueImage.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM CyberProtectHomeOffice.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1196
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM CyberProtectHomeBusiness.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM TrueImageMonitor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM SmallOffice.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM DiskDirector.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM ManagementConsole.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM MediaBuilder.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM RecoveryExpert.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM LicenseServerConsole.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM SnapDeployConsole.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM CyberProtectHomeOfficeMonitor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM CyberProtectHomeBusinessMonitor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:408
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM CyberProtectHomeOfficeService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM CyberProtectHomeOfficeNotify.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Windows\SysWOW64\net.exe
    NET START AcronisCyberProtectionService
    3⤵
    PID:1284
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 START AcronisCyberProtectionService
      4⤵
      PID:696
- - C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\driver_cleanup_tool.exe
    C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\\driver_cleanup_tool.exe arsw
    3⤵
    - Executes dropped EXE
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\cleanup_tool.exe
    C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\\cleanup_tool.exe arsw
    3⤵
    - Executes dropped EXE
    PID:1300
- - C:\Windows\SysWOW64\net.exe
    NET STOP AcronisCyberProtectionService
    3⤵
    PID:1452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AcronisCyberProtectionService
      4⤵
      PID:1688
- - C:\Windows\SysWOW64\net.exe
    NET STOP file_protector
    3⤵
    PID:1468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP file_protector
      4⤵
      PID:328
- - C:\Windows\SysWOW64\net.exe
    NET STOP DMS
    3⤵
    PID:2428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP DMS
      4⤵
      PID:764
- - C:\Windows\SysWOW64\net.exe
    NET STOP AcrSch2Svc
    3⤵
    PID:1664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AcrSch2Svc
      4⤵
      PID:1012
- - C:\Windows\SysWOW64\net.exe
    NET STOP TryAndDecideService
    3⤵
    PID:856
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP TryAndDecideService
      4⤵
      PID:980
- - C:\Windows\SysWOW64\sc.exe
    SC FAILURE afcdpsrv reset=0 actions=run
    3⤵
    - Launches sc.exe
    PID:1556
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM afcdpsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\SysWOW64\sc.exe
    SC FAILURE syncagentsrv reset=0 actions=run
    3⤵
    - Launches sc.exe
    PID:1236
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM syncagentsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:308
- - C:\Windows\SysWOW64\sc.exe
    SC FAILURE mmsminisrv reset=0 actions=run
    3⤵
    - Launches sc.exe
    PID:1848
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM mms_mini.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Windows\SysWOW64\net.exe
    NET STOP afcdpsrv
    3⤵
    PID:2684
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP afcdpsrv
      4⤵
      PID:1800
- - C:\Windows\SysWOW64\net.exe
    NET STOP syncagentsrv
    3⤵
    PID:2288
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP syncagentsrv
      4⤵
      PID:2260
- - C:\Windows\SysWOW64\net.exe
    NET STOP AcronisOSSReinstallSvc
    3⤵
    PID:1648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AcronisOSSReinstallSvc
      4⤵
      PID:892
- - C:\Windows\SysWOW64\net.exe
    NET STOP AcronisAgent
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AcronisAgent
      4⤵
      PID:1004
- - C:\Windows\SysWOW64\net.exe
    NET STOP "Acronis VSS Provider"
    3⤵
    PID:2332
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP "Acronis VSS Provider"
      4⤵
      PID:344
- - C:\Windows\SysWOW64\net.exe
    NET STOP "OS Selector"
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP "OS Selector"
      4⤵
      PID:1500
- - C:\Windows\SysWOW64\net.exe
    NET STOP AcronisPXE
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AcronisPXE
      4⤵
      PID:1716
- - C:\Windows\SysWOW64\net.exe
    NET STOP AcronisFS
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AcronisFS
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\net.exe
    NET STOP mmsminisrv
    3⤵
    PID:1624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP mmsminisrv
      4⤵
      PID:2344
- - C:\Windows\SysWOW64\net.exe
    NET STOP ngscan
    3⤵
    PID:2500
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP ngscan
      4⤵
      PID:2300
- - C:\Windows\SysWOW64\net.exe
    NET STOP ngelam
    3⤵
    PID:2804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP ngelam
      4⤵
      PID:2832
- - C:\Windows\SysWOW64\net.exe
    NET STOP bddci
    3⤵
    PID:2812
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP bddci
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\net.exe
    NET STOP aakore
    3⤵
    PID:2120
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP aakore
      4⤵
      PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM aakore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM adp-agent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM adp-rest-util.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM bckp_amgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM grpm-mini.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM monitoring-mini.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM task-manager.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM updater.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\SysWOW64\sc.exe
    SC DELETE AcronisActiveProtectionService
    3⤵
    - Launches sc.exe
    PID:2420
- - C:\Windows\SysWOW64\sc.exe
    SC DELETE AcronisCyberProtectionService
    3⤵
    - Launches sc.exe
    PID:1944
- - C:\Windows\SysWOW64\sc.exe
    SC DELETE file_protector
    3⤵
    - Launches sc.exe
    PID:1288
- - C:\Windows\SysWOW64\sc.exe
    SC DELETE afcdpsrv
    3⤵
    - Launches sc.exe
    PID:2964
- - C:\Windows\SysWOW64\sc.exe
    SC DELETE syncagentsrv
    3⤵
    - Launches sc.exe
    PID:668
- - C:\Windows\SysWOW64\sc.exe
    SC DELETE aakore
    3⤵
    - Launches sc.exe
    PID:1136
- - C:\Windows\SysWOW64\sc.exe
    SC DELETE ngscan
    3⤵
    - Launches sc.exe
    PID:784
- - C:\Windows\SysWOW64\sc.exe
    SC DELETE ngelam
    3⤵
    - Launches sc.exe
    PID:2504
- - C:\Windows\SysWOW64\sc.exe
    SC DELETE bddci
    3⤵
    - Launches sc.exe
    PID:1564
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM Schedhlp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM TimounterMonitor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM TibMounterMonitor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM tib_mounter_monitor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM TrueImageMonitor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM CyberProtectHomeOfficeMonitor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1196
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM CyberProtectHomeBusinessMonitor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM SmallOfficeMonitor.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\schedmgr.exe
    C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\\schedmgr.exe service uninstall
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\cleanup_tool.exe
    C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\\cleanup_tool.exe
    3⤵
    - Adds Run key to start application
    - Enumerates connected drives
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\7EB6352C-69A1-4804-82C4-D816D9E89723\setupapp.exe
      "C:\Users\Admin\AppData\Local\Temp\7EB6352C-69A1-4804-82C4-D816D9E89723\setupapp.exe" /uninstall: /descr:"Acronis Backup Archive Explorer" /instance:0 /inf-name:"C:\Users\Admin\AppData\Local\Temp\7EB6352C-69A1-4804-82C4-D816D9E89723\timounter_del.inf"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\830CFD61-7D7C-4298-8B53-B76C8159EC6E\setupapp.exe
      "C:\Users\Admin\AppData\Local\Temp\830CFD61-7D7C-4298-8B53-B76C8159EC6E\setupapp.exe" /uninstall: /instance:0 /inf-name:"C:\Users\Admin\AppData\Local\Temp\830CFD61-7D7C-4298-8B53-B76C8159EC6E\snapman_del.inf"
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:952
  - - C:\Users\Admin\AppData\Local\Temp\B8A84EEB-7B3C-4578-BB55-941FC81BE206\setupapp.exe
      "C:\Users\Admin\AppData\Local\Temp\B8A84EEB-7B3C-4578-BB55-941FC81BE206\setupapp.exe" /uninstall: /instance:0 /inf-name:"C:\Users\Admin\AppData\Local\Temp\B8A84EEB-7B3C-4578-BB55-941FC81BE206\fltsrv_del.inf"
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\71DAA464-9709-454B-9D16-55EF5B62EE38\setupapp.exe
      "C:\Users\Admin\AppData\Local\Temp\71DAA464-9709-454B-9D16-55EF5B62EE38\setupapp.exe" /uninstall: /instance:0 /inf-name:"C:\Users\Admin\AppData\Local\Temp\71DAA464-9709-454B-9D16-55EF5B62EE38\file_tracker_del.inf"
      4⤵
      Drops file in Drivers directory
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\2349F1CD-8958-4BA1-B108-4E15DF16E990\setupapp.exe
      "C:\Users\Admin\AppData\Local\Temp\2349F1CD-8958-4BA1-B108-4E15DF16E990\setupapp.exe" /uninstall: /instance:0 /inf-name:"C:\Users\Admin\AppData\Local\Temp\2349F1CD-8958-4BA1-B108-4E15DF16E990\tdrpman_del.inf.tmp" /log
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\BABBB375-B316-4F65-8F40-6BACD5F909D2\setupapp.exe
      "C:\Users\Admin\AppData\Local\Temp\BABBB375-B316-4F65-8F40-6BACD5F909D2\setupapp.exe" /uninstall: /instance:0 /inf-name:"C:\Users\Admin\AppData\Local\Temp\BABBB375-B316-4F65-8F40-6BACD5F909D2\tnd_uninstall.inf"
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\CCA79882-87AF-458F-B00E-5FBFA429C217\setupapp.exe
      "C:\Users\Admin\AppData\Local\Temp\CCA79882-87AF-458F-B00E-5FBFA429C217\setupapp.exe" /uninstall: /instance:0 /inf-name:"C:\Users\Admin\AppData\Local\Temp\CCA79882-87AF-458F-B00E-5FBFA429C217\virtual_file_uninstall.inf"
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\A75B9D5B-A83D-4F16-8A73-A9D0EC1E0380\setupapp.exe
      "C:\Users\Admin\AppData\Local\Temp\A75B9D5B-A83D-4F16-8A73-A9D0EC1E0380\setupapp.exe" /uninstall: /instance:0 /inf-name:"C:\Users\Admin\AppData\Local\Temp\A75B9D5B-A83D-4F16-8A73-A9D0EC1E0380\afcdpsrv_del.inf"
      4⤵
      Drops file in Program Files directory
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      PID:308
  - - C:\Users\Admin\AppData\Local\Temp\B0B50DDC-9349-4E99-8FB9-FC7AFA06129A\setupapp.exe
      "C:\Users\Admin\AppData\Local\Temp\B0B50DDC-9349-4E99-8FB9-FC7AFA06129A\setupapp.exe" /uninstall: /instance:0 /inf-name:"C:\Users\Admin\AppData\Local\Temp\B0B50DDC-9349-4E99-8FB9-FC7AFA06129A\afcdp_del.inf"
      4⤵
      Drops file in Drivers directory
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\F085678E-A689-4039-BF67-8F4EADD649E6\setupapp.exe
      "C:\Users\Admin\AppData\Local\Temp\F085678E-A689-4039-BF67-8F4EADD649E6\setupapp.exe" /uninstall: /instance:0 /inf-name:"C:\Users\Admin\AppData\Local\Temp\F085678E-A689-4039-BF67-8F4EADD649E6\syncagentsrv_del.inf"
      4⤵
      Drops file in Program Files directory
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\2ACDB8C7-F177-43C8-AEBF-C7E82069CFCD\setupapp.exe
      "C:\Users\Admin\AppData\Local\Temp\2ACDB8C7-F177-43C8-AEBF-C7E82069CFCD\setupapp.exe" /uninstall: /instance:0 /inf-name:"C:\Users\Admin\AppData\Local\Temp\2ACDB8C7-F177-43C8-AEBF-C7E82069CFCD\mmsmini_del.inf"
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\76945272-A0EC-47E7-9DC4-1E093D3868A4\setupapp.exe
      "C:\Users\Admin\AppData\Local\Temp\76945272-A0EC-47E7-9DC4-1E093D3868A4\setupapp.exe" /uninstall: /instance:0 /inf-name:"C:\Users\Admin\AppData\Local\Temp\76945272-A0EC-47E7-9DC4-1E093D3868A4\mobile_backup_server_del.inf"
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\38CD8395-32F9-4F2B-B9B5-9AC000A326A0\setupapp.exe
      "C:\Users\Admin\AppData\Local\Temp\38CD8395-32F9-4F2B-B9B5-9AC000A326A0\setupapp.exe" /uninstall: /instance:0 /inf-name:"C:\Users\Admin\AppData\Local\Temp\38CD8395-32F9-4F2B-B9B5-9AC000A326A0\volume_tracker_del.inf"
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      PID:2744
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    PID:2652
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\Class\{1860459D-4692-4825-B761-44A725991050} /f
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\AcronisOSSReinstallSvc /f
    3⤵
    - Modifies registry key
    PID:2664
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ACRONISOSSREINSTALLSVC /f
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\*\shellex\ContextMenuHandlers\{C539A15A-3AF9-4c92-B771-50CB78F5C751} /f
    3⤵
    - Modifies registry key
    PID:2668
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\acronis_backup_cpl.FrameProvider /f
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\acronis_backup_cpl.FrameProvider.1 /f
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AcronisVSS.COM /f
    3⤵
    - Modifies registry key
    PID:1592
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AcronisVSS.COM.1 /f
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AcronisVssProviderEnumerator.COM /f
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AcronisVssProviderEnumerator.COM.1 /f
    3⤵
    - Modifies registry key
    PID:660
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AcronisVssRequestor.COM /f
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AcronisVssRequestor.COM.1 /f
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AcronisVssSnapshotEnumerator.COM /f
    3⤵
    - Modifies registry key
    PID:3020
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AcronisVssSnapshotEnumerator.COM.1 /f
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AppID\{1EF75F33-893B-4E8F-9655-C3D602BA4897} /f
    3⤵
    - Modifies registry key
    PID:356
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AppID\{4D0EF64C-71D3-4A05-93B1-8EC58AE8D6D9} /f
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AppID\{55EB6BAD-988F-480C-BEA4-20521CBCB050} /f
    3⤵
    - Modifies registry key
    PID:1136
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AppID\{920BCA30-E5A6-456D-846B-15FE5FC449C0} /f
    3⤵
    PID:484
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AppID\{C4E69DB9-E094-483e-B922-E7ADE65FB497} /f
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AppID\{DE722058-96DE-4A3B-B819-F4C9DB2B8B2A} /f
    3⤵
    - Modifies registry key
    PID:2504
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AppID\{F282135C-65A6-4A99-80F1-F315BAC76BF4} /f
    3⤵
    - Modifies registry key
    PID:2216
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AppID\{f309f683-451e-4b7f-8fe8-cdaa83ee3db3} /f
    3⤵
    - Modifies registry key
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AppID\acronis_backup_cpl.DLL /f
    3⤵
    - Modifies registry key
    PID:2956
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AppID\AszBrowseHelp.EXE /f
    3⤵
    PID:572
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AppID\AszBrowseHelper.EXE /f
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AppID\mapi_proxy.DLL /f
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\AppID\ti_managers_proxy.DLL /f
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00F848DC-B1D4-4892-9C25-CAADC86A215D} /f
    3⤵
    - Modifies registry key
    PID:3040
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{05716308-1784-4166-942E-0A09F1DE83D1} /f
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{16E3BD7B-52E2-4640-854A-0803826A1D57} /f
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{17DD1750-BB3C-4341-A10C-45936D6228B6} /f
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{269E0295-06A5-42B8-98BB-E032E7399E6A} /f
    3⤵
    - Modifies registry key
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{26A28DD1-D23A-43a0-A495-F1C3F75C49E2} /f
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3038C154-DAE5-4312-914F-077789F243C0} /f
    3⤵
    - Modifies registry key
    PID:2948
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{31C7877D-92BA-4167-B879-375D8C938822} /f
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{32E226FC-F4EB-4588-900E-B46F3223557E} /f
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{4C366228-A51F-4ABB-B749-50D35E453E12} /f
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{4CE65F71-BDF6-4ECA-9158-1F60118C31C6} /f
    3⤵
    - Modifies registry key
    PID:2900
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{5290FF09-E066-4E27-8663-4F4AB8211397} /f
    3⤵
    - Modifies registry key
    PID:2908
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{5B193D58-3A47-4E68-8671-69F27EDBBCEB} /f
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{5C9ED313-4AE5-4768-9461-3166C5763F1D} /f
    3⤵
    PID:648
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{5D74FD4B-4EFB-4586-8022-8637BBE40970} /f
    3⤵
    PID:848
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{5FEF4C43-88FC-4A4E-B389-20FFE74A2693} /f
    3⤵
    - Modifies registry key
    PID:1000
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{60D519E9-E1A3-45f9-9E31-75EF449F6A82} /f
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{66C05F2E-7C4D-4EF9-82AB-EFE6640BACF3} /f
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{67234054-B3E7-46BF-A32D-1B703DAFBDBE} /f
    3⤵
    PID:912
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{71573297-552E-46fc-BE3D-3DFAF88D47B7} /f
    3⤵
    - Modifies registry key
    PID:2980
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{72F28482-EFE4-4482-93F1-2AA164D3FD88} /f
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7BFF24D0-B222-4369-9DBF-E456A4D72FFA} /f
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7FF7C8BD-6376-48A6-9699-3CC952646C5A} /f
    3⤵
    - Modifies registry key
    PID:2788
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{88B29F60-EF27-422F-AA1F-732713A45F20} /f
    3⤵
    PID:928
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{8989A1DC-DA44-4fc5-A3A2-8025BC9CFA14} /f
    3⤵
    - Modifies registry key
    PID:1404
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{8A663B79-182C-4E39-99F8-EFCDF682F016} /f
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{8CF98D0C-E3FE-4DF5-A754-EDDAD64C10CF} /f
    3⤵
    - Modifies registry key
    PID:2296
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} /f
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{975D1154-4003-40F9-850C-F92A99BFEE59} /f
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{97FD3422-D9C7-4B90-BFBD-002DD017D523} /f
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{9E42900A-85F9-4E67-9778-575FBBA0A81C} /f
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{9E591D5D-FF7F-4B5B-935B-937CEF31C6F9} /f
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A4A4C197-3486-446F-A51A-4CD28EA6B752} /f
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A7BF901B-31F0-4653-90B0-533D1E05772E} /f
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{C539A15A-3AF9-4c92-B771-50CB78F5C751} /f
    3⤵
    - Modifies registry key
    PID:988
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{C539A15B-3AF9-4c92-B771-50CB78F5C751} /f
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{C539A15C-3AF9-4c92-B771-50CB78F5C751} /f
    3⤵
    - Modifies registry key
    PID:2292
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{C539A15D-3AF9-4c92-B771-50CB78F5C751} /f
    3⤵
    - Modifies registry key
    PID:2280
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CE3A0671-EC24-467A-B52F-724C63AFFAFA} /f
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D3FFD5AA-9E39-4B6E-82C0-5BCDC992C237} /f
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D43F6A14-9CD2-4FEA-8960-8B3B2AE6464E} /f
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DF16845C-92CD-4AAB-A982-EB9840E74669} /f
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E43CCBD6-22F4-49E0-BE9B-0A8B5DD04E5C} /f
    3⤵
    - Modifies registry key
    PID:844
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E88C5231-3F2E-46E9-8D50-757006C40488} /f
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F2C38563-EB84-455D-ADD0-A98266BE0D1A} /f
    3⤵
    - Modifies registry key
    PID:952
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F3193899-4048-41B3-967F-B2C9CF89D7B4} /f
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F6799A1F-9D90-4158-B27E-C2DF9F2D74B9} /f
    3⤵
    - Modifies registry key
    PID:1124
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FF44E122-BC16-49FC-A246-B62B8132978D} /f
    3⤵
    PID:448
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Drive\shellex\ContextMenuHandlers\{C539A15A-3AF9-4c92-B771-50CB78F5C751} /f
    3⤵
    - Modifies registry key
    PID:1616
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Folder\shellex\ContextMenuHandlers\{C539A15A-3AF9-4c92-B771-50CB78F5C751} /f
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{0CC0F0AD-1D28-4CC8-8E9E-BC9D36E33235} /f
    3⤵
    - Modifies registry key
    PID:1644
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{163FE38C-4467-4775-9DD7-8C64A2FAA13B} /f
    3⤵
    - Modifies registry key
    PID:1092
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{215A541D-448C-4A16-9E98-C538E92BAAF5} /f
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{21FF8A8A-CE89-404B-9BE8-AB1A61E8F170} /f
    3⤵
    PID:672
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{2409CC7C-F87A-4650-87CA-CFB82EC6BDB5} /f
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{3FEC49DE-B159-4F54-B80A-315909E51DBA} /f
    3⤵
    PID:984
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{420CE5E7-47BE-4279-86A8-71BA7AE78F5C} /f
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{4245636A-05EA-4DDF-A307-9243EC402458} /f
    3⤵
    - Modifies registry key
    PID:1284
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{436DB473-7661-4C6D-844C-8C4880499497} /f
    3⤵
    - Modifies registry key
    PID:1316
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{4C366228-A51F-4ABB-B749-50D35E453E12} /f
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{510CA3F7-7CC7-416E-B0ED-E4AFB80A978A} /f
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{5290FF09-E066-4E27-8663-4F4AB8211397} /f
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{5B193D58-3A47-4E68-8671-69F27EDBBCEB} /f
    3⤵
    - Modifies registry key
    PID:1240
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{5FEF4C43-88FC-4A4E-B389-20FFE74A2693} /f
    3⤵
    - Modifies registry key
    PID:2844
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{616F620B-91C5-4410-A74E-6B81C76FFFE0} /f
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{62D30A90-29C2-4768-92AD-D803C9FBEEC5} /f
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{65665FBD-E59E-4388-97E1-7417A2881928} /f
    3⤵
    - Modifies registry key
    PID:328
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{70397146-0375-430E-989D-8943E838102E} /f
    3⤵
    - Modifies registry key
    PID:1652
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{787574C1-24D1-4AB6-A538-EDB1C302C409} /f
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{794727D6-5761-4C84-BAA5-DF3990D8FC06} /f
    3⤵
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{7D565925-17E9-4BF0-83AE-2F02B80ED670} /f
    3⤵
    - Modifies registry key
    PID:316
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{83F0A891-76DC-4E7B-84B0-3CD1B0740517} /f
    3⤵
    - Modifies registry key
    PID:1664
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{8527709B-DD8D-4E47-B3EB-731DFD742F21} /f
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{88B29F60-EF27-422F-AA1F-732713A45F20} /f
    3⤵
    - Modifies registry key
    PID:756
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{8AE92DA0-EABE-40D5-8604-F3F2E58BB3BA} /f
    3⤵
    PID:856
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{905ADC5B-1BCD-4B5D-BCCD-4F42C0CB1FA3} /f
    3⤵
    - Modifies registry key
    PID:2428
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{975D1154-4003-40F9-850C-F92A99BFEE59} /f
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9B08CEBB-9E85-4FD0-9A45-F9F2E7B8A32C} /f
    3⤵
    - Modifies registry key
    PID:852
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C2332F75-0634-4557-9966-E32AA2D39163} /f
    3⤵
    - Modifies registry key
    PID:2136
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{DE19F34F-EFAB-4E73-8ED4-93EE0E82D74F} /f
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{EF27E9B6-B11E-4F69-BC11-58100137137D} /f
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{FD5377E2-EE21-4145-876F-48ED37850109} /f
    3⤵
    - Modifies registry key
    PID:2928
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{FF8F7627-E5EE-485D-B94C-70A48AF85306} /f
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{15B90F1B-4081-40D2-A715-8463129AD876} /f
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{17DD1750-BB3C-4341-A10C-45936D6228B6} /f
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{1AB5D872-613D-48EC-BEC8-D1B8A9DBE125} /f
    3⤵
    - Modifies registry key
    PID:1576
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{1EF71BB3-AAD1-4C52-9215-6A573BA6FF19} /f
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{2A163BE3-E053-4703-A1FB-3619520C39B4} /f
    3⤵
    - Modifies registry key
    PID:1636
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{31C7877D-92BA-4167-B879-375D8C938822} /f
    3⤵
    - Modifies registry key
    PID:1440
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{3BA76745-0341-4587-9DFD-0301E267BC05} /f
    3⤵
    PID:308
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{98DE28B6-6CD3-4E08-B9FA-3D1DB43F1D2F} /f
    3⤵
    PID:300
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{9F823F8C-D773-41FA-B4D9-3A53C33DA24C} /f
    3⤵
    PID:564
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\.tia /f
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\.tib /f
    3⤵
    - Modifies registry key
    PID:2072
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\.tibx /f
    3⤵
    PID:892
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\.tis /f
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\tia /f
    3⤵
    - Modifies registry key
    PID:2684
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\tib /f
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\tibx /f
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\tis /f
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\tiafile /f
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\tibfile /f
    3⤵
    - Modifies registry key
    PID:1844
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\tibxfile /f
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\tisfile /f
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\TibMounterLib.TibMounterService /f
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Classes\TibMounterLib.TibMounterService.1 /f
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\AcronisSyncError /f
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\AcronisSyncInProgress /f
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\AcronisSyncOk /f
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\AcronisDrive /f
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ AcronisSyncError" /f
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ AcronisSyncInProgress" /f
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ AcronisSyncOk" /f
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ AcronisDrive" /f
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\AMSI\Providers\{16E3BD7B-52E2-4640-854A-0803826A1D57} /f
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ED4F8314-104D-4E48-A9AE-9140FFF0913E}Visible /f
    3⤵
    - Modifies registry key
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFCDP /f
    3⤵
    - Modifies registry key
    PID:2852
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SNAPMAN /f
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TIB /f
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TIB_MOUNTER /f
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VIRTUAL_FILE /f
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\services\AcrSch2Svc /f
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\services\afcdp /f
    3⤵
    - Modifies registry key
    PID:2640
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\services\fltsrv /f
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\services\snapman /f
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\services\syncagentsrv /f
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\services\tdrpman /f
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\services\timounter /f
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\services\tib /f
    3⤵
    - Modifies registry key
    PID:2692
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\services\tib_mounter /f
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\services\Tib Mounter Service" /f
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\services\VSS\Diag\BITS Writer" /f
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\Acronis Backup and Recovery" /f
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKCU\Software\Classes\tisfile /f
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKCU\Software\Classes\.tis /f
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" /v "{C539A15A-3AF9-4c92-B771-50CB78F5C751}" /f
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" /v "{C539A15B-3AF9-4c92-B771-50CB78F5C751}" /f
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v TrueImageMonitor.exe /f
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v CyberProtectHomeOfficeMonitor.exe /f
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v CyberProtectHomeBusinessMonitor.exe /f
    3⤵
    - Modifies registry key
    PID:1584
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v SmallOfficeMonitor.exe /f
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v AcronisTimounterMonitor /f
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v AcronisTibMounterMonitor /f
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v "SAOB Monitor" /f
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\{E7F904D5-83DE-43F6-8EF5-9443DF243CFA} /v {D7B16B26-C5FE-452a-9D95-6C919E03E84F} /f
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Acronis Scheduler2 Service" /f
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /v OSSelectorReinstall /f
    3⤵
    - Modifies registry key
    PID:2664
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v TrueImageMonitor.exe /f
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CyberProtectHomeOfficeMonitor.exe /f
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CyberProtectHomeBusinessMonitor.exe /f
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SmallOfficeMonitor.exe /f
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v AcronisTimounterMonitor /f
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v AcronisTibMounterMonitor /f
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Acronis Scheduler2 Service" /f
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SAOB Monitor" /f
    3⤵
    PID:660
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" /v "{C539A15A-3AF9-4c92-B771-50CB78F5C751}" /f
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" /v "{C539A15B-3AF9-4c92-B771-50CB78F5C751}" /f
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\icacls.exe
    ICACLS "C:\System Volume Information" /grant Admin:F /T
    3⤵
    - Modifies file permissions
    PID:3020
- - C:\Windows\SysWOW64\icacls.exe
    ICACLS "C:\System Volume Information\FileProtector" /grant Admin:F /T
    3⤵
    - Modifies file permissions
    PID:668
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB /S /D -r -a -h -s "C:\System Volume Information\FileProtector"
    3⤵
    - Views/modifies file attributes
    PID:2016
- - C:\Windows\SysWOW64\icacls.exe
    ICACLS "C:\System Volume Information" /deny Admin:F /T
    3⤵
    - Modifies file permissions
    PID:1136
- - C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\cleanup_tool.exe
    C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\\cleanup_tool.exe file
    3⤵
    - Adds Run key to start application
    - Executes dropped EXE
    PID:808
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Acronis\Snapman /f
    3⤵
    - Modifies registry key
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Acronis\Snapman /f
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Acronis /f
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Wow6432Node\Acronis /f
    3⤵
    - Modifies registry key
    PID:3008
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKCU\SOFTWARE\Acronis /f
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKCU\SOFTWARE\Wow6432Node\Acronis /f
    3⤵
    - Modifies registry key
    PID:3036
- - C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\cleanup_tool.exe
    C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\\cleanup_tool.exe registry
    3⤵
    - Executes dropped EXE
    PID:3044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL -NoLogo -NonInteractive -InputFormat None -NoProfile -Command "Remove-MpPreference -ExclusionProcess 'C:\Program Files (x86)\Common Files\Acronis\TrueImageHome\TrueImageHomeService.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL -NoLogo -NonInteractive -InputFormat None -NoProfile -Command "Remove-MpPreference -ExclusionProcess 'C:\Program Files (x86)\Common Files\Acronis\TrueImageHome\TrueImageHomeService.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2240
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL -NoLogo -NonInteractive -InputFormat None -NoProfile -Command "Remove-MpPreference -ExclusionProcess 'C:\Program Files (x86)\Common Files\Acronis\CyberProtectHomeOffice\CyberProtectHomeOfficeService.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL -NoLogo -NonInteractive -InputFormat None -NoProfile -Command "Remove-MpPreference -ExclusionProcess 'C:\Program Files (x86)\Common Files\Acronis\CyberProtectHomeOffice\CyberProtectHomeOfficeService.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL -NoLogo -NonInteractive -InputFormat None -NoProfile -Command "Remove-MpPreference -ExclusionProcess 'C:\Program Files (x86)\Common Files\Acronis\CyberProtectHomeBusiness\CyberProtectHomeBusinessService.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL -NoLogo -NonInteractive -InputFormat None -NoProfile -Command "Remove-MpPreference -ExclusionProcess 'C:\Program Files (x86)\Common Files\Acronis\CyberProtectHomeBusiness\CyberProtectHomeBusinessService.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2292
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:952
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe"
      4⤵
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2424
  - - C:\Program Files\Microsoft Games\solitaire\solitaire.exe
      "C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
      4⤵
      Drops desktop.ini file(s)
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Programs 2>nul"
    3⤵
    PID:2132
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Programs
      4⤵
      PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Programs" 2>nul"
    3⤵
    PID:1904
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Programs"
      4⤵
      PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop 2>nul"
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
      4⤵
      PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Desktop" 2>nul"
    3⤵
    PID:1884
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Desktop"
      4⤵
      PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2349F1CD-8958-4BA1-B108-4E15DF16E990\tdrpman_del.inf.tmp

Filesize
681B

MD5
644557e7b63b07935b47c4460ac880a7

SHA1
ba55e4839c08911fa39648b57ac944a44087b610

SHA256
b9ed21877ecc9051d2ddf5c9e4216c1ddbdd17e0565e57782fe122524caa04b0

SHA512
37d02059f3dbe61aaca26b23602eecb8265e510de20fc814d809374dc3d56503528dd3830a77f45c2fc6808ba8b77cb1b3db6938acda0cc440ed47624336887b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\cleanup.cmd

Filesize
59KB

MD5
8a23b4d77a07645fe6b78ffceb1f25b0

SHA1
8b7debc7fae92ab9c49a45cbab8c55958d1fa112

SHA256
ba10bdda785e8eda25b24112d7eb8d5e7725c46ec4ff8122f35ec6a5b6d7d8f2

SHA512
7f1d47f52f6bfedafa8997c4dc7549fc45f9480cc5911685eec3696444f6bb6ad1e3485ab049a8b581c42ac3851e291101346bd5fec4eb265f34640891961ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\setup.cmd

Filesize
801B

MD5
8e070269e54fb0de76a8c32229ba39ca

SHA1
aeb39f5d6cfdbd3aff3c3defc28197829e94ce39

SHA256
fead460aa42985af67ba78ef49d27dc354f2734fec7efc29182890184aba58b2

SHA512
0ef8a9796cc3108248901e03d4823a32fc02a25e9e02cf368c0ad434e29076a20af3ab5ca694f0b49557471220f7c660abb42a1e5a2689b144e59eb128da7528

Download Submit
C:\Users\Admin\AppData\Local\Temp\71DAA464-9709-454B-9D16-55EF5B62EE38\file_tracker_del.inf

Filesize
1KB

MD5
d87af11961b90d0514764ceab92400fa

SHA1
c0c53acbce4eb91d661f3d119d8ec47f6d9140dc

SHA256
3c8617785af7240b45deef59223d4571a0d7c6118b486942b22a029aabe16e68

SHA512
32d242117a6848affac3526f4f73615fbebc404b33462f6bf3d332af7ee9059b5d778a886af474132074bcf05d43a4766d4f63537ec462c0e89baadd9ae991c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB6352C-69A1-4804-82C4-D816D9E89723\setupnt.dll

Filesize
486KB

MD5
0e6c9011f2e0fffb1da418efc37e99f8

SHA1
a8f1f5c746443a634d23d1038dd8613ebcd86d92

SHA256
86ecfbd07c5d6d12d7b2f8f6f53af20a17ca7ee2bb88191308a05f9375a087aa

SHA512
99019e809cc9ee1f255e4ca124a344b16b4937c4e36ecb2b4301a26d148e407311b2a28e24ea1f274895060ddbed60b41b00f4bf1e886a308719281abb3a1044

Download Submit
C:\Users\Admin\AppData\Local\Temp\830CFD61-7D7C-4298-8B53-B76C8159EC6E\snapman_del.inf

Filesize
324B

MD5
d52b56393fce19547b3a83f16b140e0e

SHA1
1571a54593e6cf03dd9b070993d67093de371031

SHA256
a9c925a19a005e269292949c2e224f96ae610d43fdd1382d6ba59e2e11e7381e

SHA512
38dccef72d52d47f10d5a5d16ad043dc30173a3526343c09a43b590ee8e3cd736c753a72926cc65c92d17f6b85669d3fddd10f854ebe36d501c824f91dc85cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\A75B9D5B-A83D-4F16-8A73-A9D0EC1E0380\afcdpsrv_del.inf

Filesize
899B

MD5
ad2f7e855c6867452a8367705e8a83d9

SHA1
9003cd3fb841c4e269688fb7e7ea7c0599aa2ac8

SHA256
4079048a5389d5fb21e09fcb662cb5f8cf7fc2e1611c8c2a6eaf714f1147f15a

SHA512
b90ba6607080924dabe4ce95d90eae7ab44d5d8efc37e8005c1ef6ed931ac19e2f638695cba4ab48db26d1f750e764b64d8cc83d9bb8312d02451455817401da

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0B50DDC-9349-4E99-8FB9-FC7AFA06129A\afcdp_del.inf

Filesize
1KB

MD5
b5945da54c20e05191120845aec1f6e1

SHA1
15742141647dec06cf9bab5e0677ad7b6cb2668f

SHA256
6759ffb835a77eb7d9bdf31c53d3cda7f731a79e5749cc96bce38586a299854f

SHA512
0424a31c15b0a504193c1273f0498795e6b84243699c4a40de0163d99545ea3634000576729c9e1013d0b3e186aa953fc9764e8f894346d8e0f75ab586fdf44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8A84EEB-7B3C-4578-BB55-941FC81BE206\fltsrv_del.inf

Filesize
323B

MD5
70468e3efb4b530f05dd6026afb81e62

SHA1
028b0ab359ead3739c9e0148fa5ad66004568fe6

SHA256
7cda8aa2c0109d91a9034a04fab1955609a693b5b6add2b62341dc36ec2f3db5

SHA512
b4225742b9b8b085a7215f28394923a6a4502de1b2f8d40a320d59cc9d4da920f35167c78124c8f5f8bdda38c567b5954183b0d9699af41ec5e5cb1741dad78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BABBB375-B316-4F65-8F40-6BACD5F909D2\tnd_uninstall.inf

Filesize
362B

MD5
a9f54605587fb149972044e208fed987

SHA1
ab3f8bc9cffb119e91e633165d80be52327bc3b5

SHA256
2c9ac5473f289fe09239206b5f68109140066e5d2c02d823906b5c3d74390a6f

SHA512
bdf426238271897cd2f66f81a95cdb4e16deb7dd2cce61c014ce76ac6e03671ee338f9a73f22ad5cabc35b9786ee1b9be9faff078461de358bd3e8380c9b80f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCA79882-87AF-458F-B00E-5FBFA429C217\virtual_file_uninstall.inf

Filesize
399B

MD5
b6750ac1b1042e5fc0ea0add8d30f617

SHA1
f123d181988a59c10a5d22cc08e52450b8597c2c

SHA256
947073cb3ec5e4f29833cf8a28f3e872a7c26c1b1c53ba3e7c98792959ccfc86

SHA512
f9af9a4a5a1568a34d9a8b74f2b9d04b04439497f2c7308aaa61feea304be0d1663e3d003672416eb10a9c17e5816c2358806c9c45666b4b47aae9b1982d1659

Download Submit
C:\Users\Admin\AppData\Local\Temp\F085678E-A689-4039-BF67-8F4EADD649E6\syncagentsrv_del.inf

Filesize
920B

MD5
9a5e9e4a662115ac30b9f9954eb77839

SHA1
a29416332e26c471c79b942e9375745c66fb6f30

SHA256
4b3d9b08746d7d0b3dc3138718d11af43bba4a35278800c8b2fc88186d2956ba

SHA512
6a7841e255192c2e817cda8e286f8277c876e004c25e147eea8c6fc5c25fec52351ece23b422223da9fe58439229db10d9e8fb77489083d1a52b19cfdaec5c24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HYJWKE9C8JA109M4JK4S.temp

Filesize
7KB

MD5
d1e16eaed6f27771e7a8a696e6c46f33

SHA1
bc9269c83951ac0fd01a630d4eba646edea3e956

SHA256
35917d654a7286a60dae280749ad8ce8484a6af77eeaa575a0dcf50b4dd7eeca

SHA512
181829824b1e007c52b3ee6463347a1b43f53f256f5eea4c4d1183b4a0aeca2e6f8fbc97b85e9d4db17994cbe756b11da21585dce5f4a9c65e770a8edbecd159

Download Submit
\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\cleanup_tool.exe

Filesize
5.3MB

MD5
c30181d18b867380c1dc7bd398c896d8

SHA1
d6142ebcd6337866cbd681a12090ef7a45135c4a

SHA256
cbe53a858476bf4e68a57e6eda0b81d3588d4f94d7f44f265e1817ba83222515

SHA512
cbdf4428a0f97852566b700114b897b0da442ca1ecadc86069ed50af316010356db1f8929f75b03c446d11a44a7e9a9a8c343b8c4f075c5d0cafd4874e260031

Download Submit
\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\driver_cleanup_tool.exe

Filesize
5.1MB

MD5
2d6f90d959abc7f6f53d22657f493bc3

SHA1
c79d8c7e7e36269513e9f8c9a89eff2f7a5a5208

SHA256
4672a01483e1767bd5e4ceb6652f997a9150fe0be4a6d244b98c1d5b2c892450

SHA512
5219b537b92d2e7b49472de88f1277fe4b1b96b8573f3886e57fbbf5a7632e966207b0446c76cc74f406da6797348ef9bc36e56d866e85a638b716d13ac4830d

Download Submit
\Users\Admin\AppData\Local\Temp\5DDDE638-6007-4397-A3AC-D98F6D5268A5\schedmgr.exe

Filesize
2.1MB

MD5
2433024c8c5e30cae41f89bb6e855462

SHA1
9a492865694fe29d7a143e487ff6a037179cfe91

SHA256
afd9b1fc52216a2f5eeb2c9aa47fc1fe129dc56ed7a2997e170b1d4edd07c809

SHA512
bc8a6a6e7ed0919067141db6c10a2120b5dff2c9ce1cbb803219aeb935e9c4ff02b261528a6bb37ec71aa03ac321fa0359caf1252d2a1a74b903ba6220e53dbd

Download Submit
\Users\Admin\AppData\Local\Temp\7EB6352C-69A1-4804-82C4-D816D9E89723\setupapp.exe

Filesize
498KB

MD5
eab954bb4f70bbe1fc85a2b210c49092

SHA1
bac5a9369d0c1a980b6102ad76f8b79dbae64d89

SHA256
001f1e414c738e43e7e8059bec010a51c4442cebcf97d02c54c4b339eec0f781

SHA512
89dec8536720cf9382a593ed20d8daef9feea9b0b7627e17935e0c8b20791a1c3d22d8ee42eef48c68df43a12d5c96c726273707b916ec1a9924abb3fa86599b

Download Submit
memory/952-215-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/2004-192-0x0000000076D60000-0x0000000076E5A000-memory.dmp

Filesize
1000KB

Download
memory/2004-191-0x0000000076E60000-0x0000000076F7F000-memory.dmp

Filesize
1.1MB

Download
memory/2424-228-0x000000013F480000-0x000000013F578000-memory.dmp

Filesize
992KB

Download
memory/2424-229-0x000007FEF7A30000-0x000007FEF7A64000-memory.dmp

Filesize
208KB

Download
memory/2424-230-0x000007FEF4E60000-0x000007FEF5116000-memory.dmp

Filesize
2.7MB

Download
memory/2424-231-0x000007FEF2C50000-0x000007FEF3D00000-memory.dmp

Filesize
16.7MB

Download
memory/3068-237-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/3068-236-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/3068-235-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/3068-234-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/3068-233-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/3068-232-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/3068-240-0x00000000021E0000-0x00000000021EA000-memory.dmp

Filesize
40KB

Download
memory/3068-239-0x00000000021E0000-0x00000000021EA000-memory.dmp

Filesize
40KB

Download
memory/3068-238-0x00000000021E0000-0x00000000021EA000-memory.dmp

Filesize
40KB

Download
memory/3068-265-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/3068-268-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/3068-267-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/3068-266-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/3068-264-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/3068-263-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/3068-270-0x00000000021E0000-0x00000000021EA000-memory.dmp

Filesize
40KB

Download
memory/3068-271-0x00000000021E0000-0x00000000021EA000-memory.dmp

Filesize
40KB

Download
memory/3068-269-0x00000000021E0000-0x00000000021EA000-memory.dmp

Filesize
40KB

Download