Analysis
max time kernel: 143s
max time network: 130s
platform: windows10_x64
resource: win10v200430
submitted: 09-06-2020 15:25
Static task: static1
Behavioral task: behavioral1
  Sample: ____(20200609)_____ ______ ________ _____.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: ____(20200609)_____ ______ ________ _____.exe
  Resource: win10v200430
(The signatures and process tree below come from the windows10_x64 run, behavioral2.)
General
Target: ____(20200609)_____ ______ ________ _____.exe
Size: 39KB
MD5: 990ae2bdad3313e75eee494658b12fd8
SHA1: 1aba2529844f1a3ceb5569a4ae585536307e5889
SHA256: 17eba72cf22e7cff0ccac61cb0a521785d9ef8e223147164e2a2b91ea7094b9c
SHA512: 2d708b0a0b0b7fea0d080b3aaaa5d9a65fe6779a63815fac1c35c66d0be116e6ea929c2e2706653f149822b63052392ab8ea43615cb72f4b99881395e8d3d169
Malware Config
Extracted from: C:\readme-warning.txt
Family: makop
Contact email: akzhq530@protonmail.com
Signatures

Modifies service 2 TTPs 5 IoCs
Processes: vssvc.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
Note: all five keys are written by vssvc.exe, the Volume Shadow Copy service, under its own Diag subkey while shadow-copy writers are being enumerated. They are a side effect of the shadow-copy operations requested by the sample's vssadmin and wmic children, not a service the sample reconfigured itself; read this signature as corroboration of VSS activity rather than as an independent tampering finding.
Deletes system backup catalog 2 TTPs
Ransomware often tries to delete backup files to inhibit system recovery.
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes: svchost.exe, vssvc.exe, wbengine.exe, WMIC.exe
- svchost.exe (PID 2852): SeTcbPrivilege (recorded twice)
- vssvc.exe (PID 372): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- wbengine.exe (PID 1660): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- WMIC.exe (PID 2176), the same set of 21 privileges recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privilege LUIDs 33, 34, 35 and 36, which the sandbox did not resolve to names
Note: every process in this list is a Windows component; the sample itself (PID 3824) does not appear. vssvc.exe and wbengine.exe enable backup and restore privileges as part of normal shadow-copy and backup-catalog handling, and WMIC.exe enables the same broad privilege set at startup whatever command it is given. The privilege activity is a downstream effect of the vssadmin / wbadmin / wmic commands in the process tree, not a privilege-escalation step by the sample, so the command lines, not the token changes, are the thing to detect on.
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes: svchost.exe
- PID 2852 created 3824: svchost.exe -> ____(20200609)_____ ______ ________ _____.exe
- PID 2852 created 3824: svchost.exe -> ____(20200609)_____ ______ ________ _____.exe
Note: PID 2852 is the svchost.exe instance hosting the Secondary Logon service (-k netsvcs -s seclogon in the process tree), the service behind CreateProcessWithLogonW and CreateProcessWithTokenW. The two additional copies of the sample in the tree are launched with the argument n3824, which matches the PID of the original instance, and they are created by the service with the original instance assigned as parent. That is the footprint of a process re-launching itself through the Secondary Logon service; the resulting children are PIDs 512 and 3544 in the WriteProcessMemory list below.
Suspicious use of WriteProcessMemory 16 IoCs
Processes: svchost.exe, ____(20200609)_____ ______ ________ _____.exe
- PID 2852 (svchost.exe) wrote to memory of PID 512 (____(20200609)_____ ______ ________ _____.exe): 7 events
- PID 3824 (____(20200609)_____ ______ ________ _____.exe) wrote to memory of PID 656 (cmd.exe): 2 events
- PID 2852 (svchost.exe) wrote to memory of PID 3544 (____(20200609)_____ ______ ________ _____.exe): 7 events
Note: in each case the writer is the process that had just created the target (the seclogon service host writing into the two re-launched copies of the sample, and the sample writing into the cmd.exe it spawned). Writes from a creator into its new child occur during ordinary process creation, so this signature on its own does not indicate code injection into an unrelated process.
Deletes backup catalog 1 IoCs
Processes: wbadmin.exe
- PID 1416 wbadmin.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
- PID 1000 vssadmin.exe
Adds Run entry to start application 2 TTPs 1 IoCs
Processes: ____(20200609)_____ ______ ________ _____.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\____(20200609)_____ ______ ________ _____.exe\"" (____(20200609)_____ ______ ________ _____.exe)
Note: the value name is just "1" and the data is the quoted path of the sample in the user's Temp directory. The persistence is therefore per-user (HKCU Run, no elevation needed), only works while that file remains in Temp, and is straightforward to hunt for: Run values whose data points into AppData\Local\Temp are rarely legitimate.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery. In this run the deletion is done by the two commands visible in the process tree, vssadmin delete shadows /all /quiet and wmic shadowcopy delete, both launched from the cmd.exe the sample spawned.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc. No IoCs are attached to this signature in the report.

Makop
Ransomware family discovered by @VK_Intel in early 2020.

Legitimate hosting services abused for malware hosting/C2 1 TTPs
No IoCs are attached to this signature in the report; it is a TTP-only match with no network indicator to pivot on.
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: ____(20200609)_____ ______ ________ _____.exe
- PID 3824 ____(20200609)_____ ______ ________ _____.exe
- PID 3824 ____(20200609)_____ ______ ________ _____.exe
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: vds.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName (vds.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 (vds.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName (vds.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 (vds.exe)
Note: vds.exe is the Windows Virtual Disk Service, started here (with its loader vdsldr.exe) alongside the shadow-copy and backup tooling in the process tree, and enumerating disk and CD-ROM devices is part of its normal operation. The HeartDisk and Sanu DVD-ROM names are the sandbox's virtual hardware. Because the queries come from a Windows service rather than from the sample, this signature should not be read as the sample fingerprinting the sandbox.
Drops file in Program Files directory 16029 IoCs
Processes: ____(20200609)_____ ______ ________ _____.exe
Note: every entry is the sample opening an existing file under Program Files, Program Files (x86) or WindowsApps for write access, i.e. the encryption pass walking application directories rather than a new file being dropped. The report records 16029 such events and reproduces the 64 below; the signature records the open-for-write, not whether the write succeeded.
- File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml
- File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\desktop\en-GB\doc_offline_getconnected.xml
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-125.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_altform-unplated.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Popups\DiamondBadgeEarned.png
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-180.png
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Info.png
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties
- File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestsRunningInCleanRunspace.Tests.ps1
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\ui-strings.js
- File opened for modification C:\Program Files\7-Zip\Lang\ne.txt
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ReviewRouting_Review.xsn
- File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\cli.luac
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\OfflineMaps.png
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js
- File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-24_contrast-black.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\XboxControl\Xbox-up.png
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-125.png
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.ja_5.5.0.165303.jar
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML
- File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\27.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml
- File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\xaml\onenote\ShareMainPage.xaml
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\MedTile.scale-200.png
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_opencarat_18.svg
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms
- File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\_Resources\1.rsrc
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-unplated.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-white_scale-100.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\CortanaPlaces.winmd
- File opened for modification C:\Program Files (x86)\Common Files\System\msadc\adcjavas.inc
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_sv.properties
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms
- File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\cn_16x11.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-20.png
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner_process.svg
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF
- File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\om_60x42.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\1.jpg
- File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x
- File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-20_altform-colorize.png
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms
- File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\star-rotating-57x54.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-white_scale-100.png
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL
- File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\EmbossText.scale-140.png
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10290_20x20x32.png
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\selector.js
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\msipc.dll.mui
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-200.png
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons_retina.png
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-96_altform-unplated.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png
Processes
Entries are indented by the depth the sandbox recorded (1 = top level, 2 = child, 3 = grandchild). Each entry gives the image path, then the command line, then the signatures attached to that process.

1. C:\Users\Admin\AppData\Local\Temp\____(20200609)_____ ______ ________ _____.exe
   "C:\Users\Admin\AppData\Local\Temp\____(20200609)_____ ______ ________ _____.exe"
   - Suspicious use of WriteProcessMemory
   - Adds Run entry to start application
   - Suspicious behavior: EnumeratesProcesses
   - Drops file in Program Files directory
   2. C:\Users\Admin\AppData\Local\Temp\____(20200609)_____ ______ ________ _____.exe
      "C:\Users\Admin\AppData\Local\Temp\____(20200609)_____ ______ ________ _____.exe" n3824
   2. C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      3. C:\Windows\system32\vssadmin.exe
         vssadmin delete shadows /all /quiet
         - Interacts with shadow copies
      3. C:\Windows\system32\wbadmin.exe
         wbadmin delete catalog -quiet
         - Deletes backup catalog
      3. C:\Windows\System32\Wbem\WMIC.exe
         wmic shadowcopy delete
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Users\Admin\AppData\Local\Temp\____(20200609)_____ ______ ________ _____.exe
      "C:\Users\Admin\AppData\Local\Temp\____(20200609)_____ ______ ________ _____.exe" n3824
1. \??\c:\windows\system32\svchost.exe
   c:\windows\system32\svchost.exe -k netsvcs -s seclogon
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of NtCreateUserProcessOtherParentProcess
   - Suspicious use of WriteProcessMemory
1. C:\Windows\system32\vssvc.exe
   C:\Windows\system32\vssvc.exe
   - Modifies service
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\system32\wbengine.exe
   "C:\Windows\system32\wbengine.exe"
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\System32\vdsldr.exe
   C:\Windows\System32\vdsldr.exe -Embedding
1. C:\Windows\System32\vds.exe
   C:\Windows\System32\vds.exe
   - Checks SCSI registry key(s)
1. C:\Windows\system32\NOTEPAD.EXE
   "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt

Reading the tree: the sample (PID 3824) spawns cmd.exe, which issues the three recovery-inhibition commands in sequence (vssadmin, wbadmin, wmic); the Windows services vssvc.exe, wbengine.exe, vdsldr.exe and vds.exe start as a consequence of those commands. The two extra copies of the sample carrying the argument n3824 are launched through the Secondary Logon service host (svchost.exe -s seclogon), which is why they appear as children of the sample while the svchost.exe instance carries the process-creation signatures. The final entry is the ransom note readme-warning.txt being opened in Notepad from the Desktop; the Malware Config section was extracted from the copy at C:\readme-warning.txt.
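The three recovery-inhibition commands in the tree (vssadmin delete shadows, wbadmin delete catalog, wmic shadowcopy delete) and the HKCU Run value pointing into AppData\Local\Temp are the detectable core of this run, so here is an added example of the detection logic a practitioner would run over endpoint telemetry. It is not part of the sandbox report or of the Makop sample. The event records are constructed to mirror this report: field names follow Sysmon event 1 (process create) and event 13 (registry value set), the values are made up, sample.exe stands in for the report's garbled sample name, and the explorer.exe parent, the benign "vssadmin list shadows" run and the Vendor\Updater.exe Run value are invented negatives used to show what must not fire.

```python
import re

# Constructed events modelled on this report's process tree and Run-key IoC.
# Field names follow Sysmon event 1 (process create) and event 13 (registry
# value set); the values are made up and "sample.exe" stands in for the
# report's sample name.  This is not real telemetry.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
RUN_KEY_PATH = (r"HKU\S-1-5-21-1231583446-2617009595-2137880041-1000"
                r"\Software\Microsoft\Windows\CurrentVersion\Run")
EVENTS = [
    {"type": "process", "pid": 3824, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 656, "image": r"C:\Windows\system32\cmd.exe",
     "parent_image": SAMPLE, "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"type": "process", "pid": 1000, "image": r"C:\Windows\system32\vssadmin.exe",
     "parent_image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "pid": 1416, "image": r"C:\Windows\system32\wbadmin.exe",
     "parent_image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"type": "process", "pid": 2176, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "parent_image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    # Invented benign admin activity that must NOT fire: listing is not deleting.
    {"type": "process", "pid": 4242, "image": r"C:\Windows\system32\vssadmin.exe",
     "parent_image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
    {"type": "registry", "pid": 3824, "image": SAMPLE,
     "target": RUN_KEY_PATH + r"\1", "details": f'"{SAMPLE}"'},
    # Invented benign Run value: an installed application under Program Files.
    {"type": "registry", "pid": 7777, "image": r"C:\Program Files\Vendor\Updater.exe",
     "target": RUN_KEY_PATH + r"\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]

# (image basename, command-line pattern) for the three commands the sample
# issued.  Requiring the basename as well as the command line keeps a
# "cmd /c echo vssadmin delete shadows" from another image from matching.
RECOVERY_INHIBITION = (
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("wbadmin.exe", re.compile(r"\bdelete\s+catalog\b", re.I)),
    ("wmic.exe", re.compile(r"\bshadowcopy\s+delete\b", re.I)),
)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Locations any user can write to; a Run value launching from here is rarely legitimate.
USER_WRITABLE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\Users\\Public\\|\\ProgramData\\|\\Downloads\\",
    re.I)


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Tag a process-create event that runs a recovery-inhibition command, else None."""
    name = basename(ev["image"])
    for exe, pattern in RECOVERY_INHIBITION:
        if name == exe and pattern.search(ev["cmdline"]):
            return f"recovery_inhibition:{exe}"
    return None


def check_registry(ev):
    """Tag a Run/RunOnce value whose launch path sits in a user-writable directory, else None."""
    if RUN_KEY.search(ev["target"]) and USER_WRITABLE.search(ev["details"]):
        return "run_key_user_writable_path"
    return None


def analyse(events):
    """Evaluate every event; returns [(pid, tag), ...] in event order."""
    hits = []
    for ev in events:
        tag = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        if tag:
            hits.append((ev["pid"], tag))
    return hits


def severity(hits):
    """One deletion command can be an administrator; two distinct recovery-
    inhibition techniques plus a Temp-directory Run value is ransomware-like."""
    techniques = {t for _, t in hits if t.startswith("recovery_inhibition:")}
    persistence = any(t == "run_key_user_writable_path" for _, t in hits)
    if len(techniques) >= 2 and persistence:
        return "high"
    if techniques or persistence:
        return "medium"
    return "none"


if __name__ == "__main__":
    found = analyse(EVENTS)
    for pid, tag in found:
        print(f"PID {pid}: {tag}")
    print("severity:", severity(found))
```

In production the same checks map onto Sysmon events 1 and 13 or onto Security event 4688 with command-line auditing enabled. The command lines are the signal; the AdjustPrivilegeToken noise from WMIC.exe, vssvc.exe and wbengine.exe seen in this report is generated by those Windows components on every run and will not separate this sample from an administrator's maintenance script.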