Analysis
-
max time kernel
123s -
max time network
140s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
09-06-2020 15:25
Static task
static1
Behavioral task
behavioral1
Sample
____(20200609)_____ ______ ________ _____.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
____(20200609)_____ ______ ________ _____.exe
Resource
win10v200430
General
-
Target
____(20200609)_____ ______ ________ _____.exe
-
Size
39KB
-
MD5
990ae2bdad3313e75eee494658b12fd8
-
SHA1
1aba2529844f1a3ceb5569a4ae585536307e5889
-
SHA256
17eba72cf22e7cff0ccac61cb0a521785d9ef8e223147164e2a2b91ea7094b9c
-
SHA512
2d708b0a0b0b7fea0d080b3aaaa5d9a65fe6779a63815fac1c35c66d0be116e6ea929c2e2706653f149822b63052392ab8ea43615cb72f4b99881395e8d3d169
Malware Config
Extracted
C:\readme-warning.txt
makop
akzhq530@protonmail.com
Signatures
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
____(20200609)_____ ______ ________ _____.exedescription pid process target process PID 804 wrote to memory of 1160 804 ____(20200609)_____ ______ ________ _____.exe cmd.exe PID 804 wrote to memory of 1160 804 ____(20200609)_____ ______ ________ _____.exe cmd.exe PID 804 wrote to memory of 1160 804 ____(20200609)_____ ______ ________ _____.exe cmd.exe PID 804 wrote to memory of 1160 804 ____(20200609)_____ ______ ________ _____.exe cmd.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
____(20200609)_____ ______ ________ _____.exepid process 804 ____(20200609)_____ ______ ________ _____.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1032 vssadmin.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
____(20200609)_____ ______ ________ _____.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 ____(20200609)_____ ______ ________ _____.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 ____(20200609)_____ ______ ________ _____.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 ____(20200609)_____ ______ ________ _____.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
vssvc.exewbengine.exeWMIC.exedescription pid process Token: SeBackupPrivilege 1516 vssvc.exe Token: SeRestorePrivilege 1516 vssvc.exe Token: SeAuditPrivilege 1516 vssvc.exe Token: SeBackupPrivilege 1964 wbengine.exe Token: SeRestorePrivilege 1964 wbengine.exe Token: SeSecurityPrivilege 1964 wbengine.exe Token: SeIncreaseQuotaPrivilege 1656 WMIC.exe Token: SeSecurityPrivilege 1656 WMIC.exe Token: SeTakeOwnershipPrivilege 1656 WMIC.exe Token: SeLoadDriverPrivilege 1656 WMIC.exe Token: SeSystemProfilePrivilege 1656 WMIC.exe Token: SeSystemtimePrivilege 1656 WMIC.exe Token: SeProfSingleProcessPrivilege 1656 WMIC.exe Token: SeIncBasePriorityPrivilege 1656 WMIC.exe Token: SeCreatePagefilePrivilege 1656 WMIC.exe Token: SeBackupPrivilege 1656 WMIC.exe Token: SeRestorePrivilege 1656 WMIC.exe Token: SeShutdownPrivilege 1656 WMIC.exe Token: SeDebugPrivilege 1656 WMIC.exe Token: SeSystemEnvironmentPrivilege 1656 WMIC.exe Token: SeRemoteShutdownPrivilege 1656 WMIC.exe Token: SeUndockPrivilege 1656 WMIC.exe Token: SeManageVolumePrivilege 1656 WMIC.exe Token: 33 1656 WMIC.exe Token: 34 1656 WMIC.exe Token: 35 1656 WMIC.exe Token: SeIncreaseQuotaPrivilege 1656 WMIC.exe Token: SeSecurityPrivilege 1656 WMIC.exe Token: SeTakeOwnershipPrivilege 1656 WMIC.exe Token: SeLoadDriverPrivilege 1656 WMIC.exe Token: SeSystemProfilePrivilege 1656 WMIC.exe Token: SeSystemtimePrivilege 1656 WMIC.exe Token: SeProfSingleProcessPrivilege 1656 WMIC.exe Token: SeIncBasePriorityPrivilege 1656 WMIC.exe Token: SeCreatePagefilePrivilege 1656 WMIC.exe Token: SeBackupPrivilege 1656 WMIC.exe Token: SeRestorePrivilege 1656 WMIC.exe Token: SeShutdownPrivilege 1656 WMIC.exe Token: SeDebugPrivilege 1656 WMIC.exe Token: SeSystemEnvironmentPrivilege 1656 WMIC.exe Token: SeRemoteShutdownPrivilege 1656 WMIC.exe Token: SeUndockPrivilege 1656 WMIC.exe Token: SeManageVolumePrivilege 1656 WMIC.exe Token: 33 1656 WMIC.exe Token: 34 1656 WMIC.exe Token: 35 1656 WMIC.exe -
Processes:
wbadmin.exepid process 1916 wbadmin.exe -
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Deletes system backup catalog 2 TTPs
Ransomware often tries to delete backup files to inhibit system recovery.
-
Drops file in Program Files directory 9169 IoCs
Processes:
____(20200609)_____ ______ ________ _____.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BS00440_.WMF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_rest.png ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL102.XML ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\icon.png ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\ICE.ELM ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\GMT ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00525_.WMF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\7-Zip\Lang\sl.txt ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152556.WMF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD10256_.GIF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\Templates\1033\EquityMergeLetter.Dotx ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\Templates\1033\FAX\OrielFax.Dotx ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\PREVIEW.GIF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00103_.GIF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\2d.x3d ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AN04196_.WMF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18217_.WMF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01366_.WMF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01630_.WMF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0293828.WMF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00177_.WMF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\7-Zip\Lang\cy.txt ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Java\jre7\README.txt ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\NETWORK.INF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME03.CSS ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\Office14\PUBBA\MSPUB7.BDR ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO01236_.WMF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\Office14\FORMS\1033\SIGNS.ICO ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BS01638_.WMF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0153299.WMF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Syowa ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE01172_.WMF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Foundry.eftx ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14692_.GIF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue.css ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfig.zip ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BD10972_.GIF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0304861.WMF ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\Sounds\Things\WHOOSH.WAV ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png ____(20200609)_____ ______ ________ _____.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig ____(20200609)_____ ______ ________ _____.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
____(20200609)_____ ______ ________ _____.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\____(20200609)_____ ______ ________ _____.exe\"" ____(20200609)_____ ______ ________ _____.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Processes
-
C:\Users\Admin\AppData\Local\Temp\____(20200609)_____ ______ ________ _____.exe"C:\Users\Admin\AppData\Local\Temp\____(20200609)_____ ______ ________ _____.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
- Drops file in Program Files directory
- Adds Run entry to start application
-
C:\Users\Admin\AppData\Local\Temp\____(20200609)_____ ______ ________ _____.exe"C:\Users\Admin\AppData\Local\Temp\____(20200609)_____ ______ ________ _____.exe" n8042⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\____(20200609)_____ ______ ________ _____.exe"C:\Users\Admin\AppData\Local\Temp\____(20200609)_____ ______ ________ _____.exe" n8042⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt1⤵