makop | c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
06-01-2021 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
Size

262KB
MD5

53e7b9e873404afdd22cdeba41b4e1c9
SHA1

18b1a19f826e9d48d5776f6e3c279547f3ff517d
SHA256

c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec
SHA512

ccc0af85ea847c45d11e213030e6b3224503c22fe70519049095b1d84cbf61e50c72ab370a03e456338127b52d462826248a6413706ab900afac16adf1deb9dd

Score

10^/10

makop persistence ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "moloch" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: moloch_helpdesk@tutanota.com or moloch_helpdesk@protonmail.ch .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

moloch_helpdesk@tutanota.com

moloch_helpdesk@protonmail.ch

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1308 wbadmin.exe

pid	process
1308	wbadmin.exe

Loads dropped DLL 4 IoCs

Processes:

c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exec34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exec34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exec34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe

pid	process
1676	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
1696	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
948	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
1092	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe\""	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 4 IoCs

Processes:

description	pid	process	target process
PID 1676 set thread context of 1692	1676	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1696 set thread context of 220	1696	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 948 set thread context of 1588	948	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1092 set thread context of 1960	1092	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe

Drops file in Program Files directory 9680 IoCs

Processes:

c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00623_.WMF	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Mahe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\MountRename.pub	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql2000.xsl	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\HEADER.GIF	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ERROR.GIF	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\readme-warning.txt	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0293832.WMF	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00681_.WMF	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.CGM	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153518.WMF	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePageScript.js	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00078_.WMF	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_K_COL.HXK	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanLetter.Dotx	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01172_.WMF	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\readme-warning.txt	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00828_.WMF	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\tab_off.gif	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD05119_.WMF	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15023_.GIF	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEW.JS	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Edmonton	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00407_.WMF	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\CodeFile.zip	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\THMBNAIL.PNG	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237228.WMF	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1A.BDR	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\LoanAmortization.xltx	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1080 vssadmin.exe

pid	process
1080	vssadmin.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe

pid process

1692 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe

pid	process
1692	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

pid	process
1676	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
1696	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
948	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
1092	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

vssvc.exewbengine.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1956	vssvc.exe
Token: SeRestorePrivilege	1956	vssvc.exe
Token: SeAuditPrivilege	1956	vssvc.exe
Token: SeBackupPrivilege	1740	wbengine.exe
Token: SeRestorePrivilege	1740	wbengine.exe
Token: SeSecurityPrivilege	1740	wbengine.exe
Token: SeIncreaseQuotaPrivilege	1424	WMIC.exe
Token: SeSecurityPrivilege	1424	WMIC.exe
Token: SeTakeOwnershipPrivilege	1424	WMIC.exe
Token: SeLoadDriverPrivilege	1424	WMIC.exe
Token: SeSystemProfilePrivilege	1424	WMIC.exe
Token: SeSystemtimePrivilege	1424	WMIC.exe
Token: SeProfSingleProcessPrivilege	1424	WMIC.exe
Token: SeIncBasePriorityPrivilege	1424	WMIC.exe
Token: SeCreatePagefilePrivilege	1424	WMIC.exe
Token: SeBackupPrivilege	1424	WMIC.exe
Token: SeRestorePrivilege	1424	WMIC.exe
Token: SeShutdownPrivilege	1424	WMIC.exe
Token: SeDebugPrivilege	1424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1424	WMIC.exe
Token: SeRemoteShutdownPrivilege	1424	WMIC.exe
Token: SeUndockPrivilege	1424	WMIC.exe
Token: SeManageVolumePrivilege	1424	WMIC.exe
Token: 33	1424	WMIC.exe
Token: 34	1424	WMIC.exe
Token: 35	1424	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1424	WMIC.exe
Token: SeSecurityPrivilege	1424	WMIC.exe
Token: SeTakeOwnershipPrivilege	1424	WMIC.exe
Token: SeLoadDriverPrivilege	1424	WMIC.exe
Token: SeSystemProfilePrivilege	1424	WMIC.exe
Token: SeSystemtimePrivilege	1424	WMIC.exe
Token: SeProfSingleProcessPrivilege	1424	WMIC.exe
Token: SeIncBasePriorityPrivilege	1424	WMIC.exe
Token: SeCreatePagefilePrivilege	1424	WMIC.exe
Token: SeBackupPrivilege	1424	WMIC.exe
Token: SeRestorePrivilege	1424	WMIC.exe
Token: SeShutdownPrivilege	1424	WMIC.exe
Token: SeDebugPrivilege	1424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1424	WMIC.exe
Token: SeRemoteShutdownPrivilege	1424	WMIC.exe
Token: SeUndockPrivilege	1424	WMIC.exe
Token: SeManageVolumePrivilege	1424	WMIC.exe
Token: 33	1424	WMIC.exe
Token: 34	1424	WMIC.exe
Token: 35	1424	WMIC.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exec34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.execmd.exec34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exec34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exec34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe

C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe" n1692
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe" n1692
4⤵
PID:220

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1080

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:1308

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe" n1692
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe" n1692
4⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe" n1692
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe" n1692
4⤵
PID:1960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1764

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\827763568
MD5
807ba49982736128dc602cfef746d6a6

SHA1
e084136ab87bd1663f6a30c55508336a21db58d6

SHA256
8ac5afa9b069b96cd38b83acf893acc5cd6639d2a76c2f7bae45ae6859c40895

SHA512
4ca14b355e047dd7dcaeeb6579fcf1f6a38f35739069fb9af47b2fa8de0725815ca10e1c2aba27d7bea2d5f7ac765bd49210fb5ec1af10e9e775d42aa5668116

Download Submit
C:\Users\Admin\AppData\Roaming\827763568
MD5
bc251d6a9f3408d4a2ff3add1d27ad3d

SHA1
99091c8e7a4ce7df879e157ddfba12d60095b1a9

SHA256
6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31

SHA512
23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995

Download Submit
C:\Users\Admin\AppData\Roaming\827763568
MD5
47be810a8daee4d2db2731c4822b4f8c

SHA1
34e6da2951af2203610013a580d10467d1ec135f

SHA256
1ea6731de8dcf467a848e25acb785a27a5cb27988aff016413f09a7039d1a602

SHA512
69047eca5e69d3d4d03f2eeeed94bcfb8cf3adc522216c2854afc8a65004c6f303e18b0ba97ed3d1851d83d99290e7b52d574cfdfaefa3a5fb85c14e21afedfe

Download Submit
C:\Users\Admin\AppData\Roaming\827763568
MD5
7ba6d1fd4f3d61539d62e71bb591d486

SHA1
57f76c7a639559ac60e49bb1e0f4036c8b2213d7

SHA256
264f5288b4c1efbc677dea6cb64b8b163a29f384111686de1691d26796a2825d

SHA512
e93f018f2c8867e2d3904e414043c1ea5c4039c45aa9dd5930c137667a7ace1c379bd6d0016dc1b77d842b7e85d17a12e30c6dbc02954306d4e8f29c12b7db2c

Download Submit
C:\Users\Admin\AppData\Roaming\827763568
MD5
bc251d6a9f3408d4a2ff3add1d27ad3d

SHA1
99091c8e7a4ce7df879e157ddfba12d60095b1a9

SHA256
6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31

SHA512
23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995

Download Submit
\Users\Admin\AppData\Local\Temp\nsc37D3.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsn1508.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy7975.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF3F1.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/216-16-0x000007FEF6340000-0x000007FEF65BA000-memory.dmp

Filesize
2.5MB

Download
memory/220-13-0x0000000000405A20-mapping.dmp

Download
memory/1080-7-0x0000000000000000-mapping.dmp

Download
memory/1308-10-0x0000000000000000-mapping.dmp

Download
memory/1424-11-0x0000000000000000-mapping.dmp

Download
memory/1588-20-0x0000000000405A20-mapping.dmp

Download
memory/1652-6-0x0000000000000000-mapping.dmp

Download
memory/1692-4-0x0000000000405A20-mapping.dmp

Download
memory/1692-5-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1692-3-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1960-26-0x0000000000405A20-mapping.dmp

Download

description	pid	process	target process
PID 1676 wrote to memory of 1692	1676	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1676 wrote to memory of 1692	1676	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1676 wrote to memory of 1692	1676	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1676 wrote to memory of 1692	1676	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1676 wrote to memory of 1692	1676	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1692 wrote to memory of 1652	1692	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	cmd.exe
PID 1692 wrote to memory of 1652	1692	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	cmd.exe
PID 1692 wrote to memory of 1652	1692	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	cmd.exe
PID 1692 wrote to memory of 1652	1692	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	cmd.exe
PID 1652 wrote to memory of 1080	1652	cmd.exe	vssadmin.exe
PID 1652 wrote to memory of 1080	1652	cmd.exe	vssadmin.exe
PID 1652 wrote to memory of 1080	1652	cmd.exe	vssadmin.exe
PID 1652 wrote to memory of 1308	1652	cmd.exe	wbadmin.exe
PID 1652 wrote to memory of 1308	1652	cmd.exe	wbadmin.exe
PID 1652 wrote to memory of 1308	1652	cmd.exe	wbadmin.exe
PID 1652 wrote to memory of 1424	1652	cmd.exe	WMIC.exe
PID 1652 wrote to memory of 1424	1652	cmd.exe	WMIC.exe
PID 1652 wrote to memory of 1424	1652	cmd.exe	WMIC.exe
PID 1696 wrote to memory of 220	1696	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1696 wrote to memory of 220	1696	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1696 wrote to memory of 220	1696	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1696 wrote to memory of 220	1696	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1696 wrote to memory of 220	1696	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 948 wrote to memory of 1588	948	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 948 wrote to memory of 1588	948	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 948 wrote to memory of 1588	948	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 948 wrote to memory of 1588	948	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 948 wrote to memory of 1588	948	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1092 wrote to memory of 1960	1092	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1092 wrote to memory of 1960	1092	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1092 wrote to memory of 1960	1092	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1092 wrote to memory of 1960	1092	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
PID 1092 wrote to memory of 1960	1092	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe	c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe