makop | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Analysis

max time kernel
1800s
max time network
1791s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2022 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Size

114KB
MD5

b33e8ce6a7035bee5c5472d5b870b68a
SHA1

783d08fe374f287a4e0412ed8b7f5446c6e65687
SHA256

2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f
SHA512

78c36e1f8ba968d55e8b469fba9623bd20f9d7216b4f5983388c32be564484caab228935f96fd8bff82bc8bb8732f7beb9ccede50385b6b6ba7e23b5cc60679f
SSDEEP

3072:Rf1BDZ0kVB67Duw9AMcUTeQnbZ7pgHzL8O1oc8rEUvZfqv8dOWVIc:R9X0GGZpYzL8VcFUvZyUdb

Score

10^/10

makop persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: akzhq1010@tutanota.com or akzhq1010@cock.li .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

akzhq1010@tutanota.com

akzhq1010@cock.li

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop

Suspicious use of NtCreateUserProcessOtherParentProcess 46 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 created 4336	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4340 wbadmin.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

MAKOP_27_10_2020_115KB.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\SyncSuspend.tiff MAKOP_27_10_2020_115KB.exe

pid	process
4340	wbadmin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SyncSuspend.tiff	MAKOP_27_10_2020_115KB.exe

Loads dropped DLL 47 IoCs

Processes:

MAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exe

pid	process
4244	MAKOP_27_10_2020_115KB.exe
2036	MAKOP_27_10_2020_115KB.exe
1868	MAKOP_27_10_2020_115KB.exe
588	MAKOP_27_10_2020_115KB.exe
4932	MAKOP_27_10_2020_115KB.exe
5056	MAKOP_27_10_2020_115KB.exe
480	MAKOP_27_10_2020_115KB.exe
3240	MAKOP_27_10_2020_115KB.exe
4736	MAKOP_27_10_2020_115KB.exe
4420	MAKOP_27_10_2020_115KB.exe
3116	MAKOP_27_10_2020_115KB.exe
1544	MAKOP_27_10_2020_115KB.exe
2112	MAKOP_27_10_2020_115KB.exe
4576	MAKOP_27_10_2020_115KB.exe
4788	MAKOP_27_10_2020_115KB.exe
292	MAKOP_27_10_2020_115KB.exe
1504	MAKOP_27_10_2020_115KB.exe
1480	MAKOP_27_10_2020_115KB.exe
2288	MAKOP_27_10_2020_115KB.exe
3324	MAKOP_27_10_2020_115KB.exe
3876	MAKOP_27_10_2020_115KB.exe
3992	MAKOP_27_10_2020_115KB.exe
272	MAKOP_27_10_2020_115KB.exe
4524	MAKOP_27_10_2020_115KB.exe
1352	MAKOP_27_10_2020_115KB.exe
1612	MAKOP_27_10_2020_115KB.exe
1192	MAKOP_27_10_2020_115KB.exe
3668	MAKOP_27_10_2020_115KB.exe
4076	MAKOP_27_10_2020_115KB.exe
4416	MAKOP_27_10_2020_115KB.exe
2328	MAKOP_27_10_2020_115KB.exe
4156	MAKOP_27_10_2020_115KB.exe
456	MAKOP_27_10_2020_115KB.exe
2712	MAKOP_27_10_2020_115KB.exe
3548	MAKOP_27_10_2020_115KB.exe
908	MAKOP_27_10_2020_115KB.exe
4596	MAKOP_27_10_2020_115KB.exe
1500	MAKOP_27_10_2020_115KB.exe
4660	MAKOP_27_10_2020_115KB.exe
3232	MAKOP_27_10_2020_115KB.exe
1236	MAKOP_27_10_2020_115KB.exe
3312	MAKOP_27_10_2020_115KB.exe
3372	MAKOP_27_10_2020_115KB.exe
32	MAKOP_27_10_2020_115KB.exe
3856	MAKOP_27_10_2020_115KB.exe
912	MAKOP_27_10_2020_115KB.exe
3408	MAKOP_27_10_2020_115KB.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MAKOP_27_10_2020_115KB.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\MAKOP_27_10_2020_115KB.exe\""	MAKOP_27_10_2020_115KB.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 46 IoCs

Processes:

description	pid	process	target process
PID 4244 set thread context of 4336	4244	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2036 set thread context of 4272	2036	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1868 set thread context of 4628	1868	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 588 set thread context of 1960	588	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4932 set thread context of 1540	4932	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 5056 set thread context of 4104	5056	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 480 set thread context of 1664	480	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 3240 set thread context of 3620	3240	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4736 set thread context of 3936	4736	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4420 set thread context of 3412	4420	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 3116 set thread context of 2068	3116	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1544 set thread context of 4048	1544	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2112 set thread context of 268	2112	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4576 set thread context of 1872	4576	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4788 set thread context of 2388	4788	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 292 set thread context of 676	292	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1504 set thread context of 3904	1504	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1480 set thread context of 4804	1480	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2288 set thread context of 5092	2288	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 3324 set thread context of 1596	3324	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 3876 set thread context of 3700	3876	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 3992 set thread context of 212	3992	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 272 set thread context of 4844	272	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4524 set thread context of 5044	4524	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1352 set thread context of 2468	1352	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1612 set thread context of 2776	1612	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1192 set thread context of 3984	1192	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 3668 set thread context of 552	3668	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4076 set thread context of 792	4076	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4416 set thread context of 4236	4416	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2328 set thread context of 2656	2328	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4156 set thread context of 2420	4156	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 456 set thread context of 1780	456	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2712 set thread context of 4328	2712	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 3548 set thread context of 704	3548	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 908 set thread context of 3632	908	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4596 set thread context of 4408	4596	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1500 set thread context of 4980	1500	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4660 set thread context of 2604	4660	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 3232 set thread context of 2292	3232	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1236 set thread context of 3740	1236	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 3312 set thread context of 3660	3312	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 3372 set thread context of 2784	3372	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 32 set thread context of 4724	32	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 3856 set thread context of 2548	3856	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 912 set thread context of 1428	912	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe

Drops file in Program Files directory 64 IoCs

Processes:

MAKOP_27_10_2020_115KB.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-150.png	MAKOP_27_10_2020_115KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\readme-warning.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookAccount.scale-100.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.efe979fc.pri	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\move.svg	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\ui-strings.js	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldContain.snippets.ps1xml	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MediumTile.scale-200.png	MAKOP_27_10_2020_115KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-il\readme-warning.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\MarkAsReadToastQuickAction.scale-80.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-100.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-400.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-125_contrast-black.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-colorize.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-125.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-400.png	MAKOP_27_10_2020_115KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\readme-warning.txt	MAKOP_27_10_2020_115KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\readme-warning.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\scanAppLogo@2x.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\StoreLogo.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\hero.jpg	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-96.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-PT\View3d\3DViewerProductDescription-universal.xml	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-400.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-72_altform-unplated_contrast-black.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WideTile.scale-200_contrast-white.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.Tests.ps1	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\desktop_acrobat_logo.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_2x.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-200_contrast-white.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-black\Error.svg	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLargeTile.scale-100.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\MedTile.scale-200.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\ui-strings.js	MAKOP_27_10_2020_115KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\readme-warning.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms	MAKOP_27_10_2020_115KB.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\readme-warning.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ca.pak	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-125.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-256_altform-unplated_contrast-black.png	MAKOP_27_10_2020_115KB.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\readme-warning.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\TransparentAdvertisers	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\it-it\ui-strings.js	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview2x.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-unplated.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-30_altform-unplated.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-24_contrast-black.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\plugin.js	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms	MAKOP_27_10_2020_115KB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4888 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MAKOP_27_10_2020_115KB.exe

pid process

4336 MAKOP_27_10_2020_115KB.exe
4336 MAKOP_27_10_2020_115KB.exe

pid	process
4888	vssadmin.exe

pid	process
4336	MAKOP_27_10_2020_115KB.exe
4336	MAKOP_27_10_2020_115KB.exe

Suspicious behavior: MapViewOfSection 46 IoCs

Processes:

pid	process
4244	MAKOP_27_10_2020_115KB.exe
2036	MAKOP_27_10_2020_115KB.exe
1868	MAKOP_27_10_2020_115KB.exe
588	MAKOP_27_10_2020_115KB.exe
4932	MAKOP_27_10_2020_115KB.exe
5056	MAKOP_27_10_2020_115KB.exe
480	MAKOP_27_10_2020_115KB.exe
3240	MAKOP_27_10_2020_115KB.exe
4736	MAKOP_27_10_2020_115KB.exe
4420	MAKOP_27_10_2020_115KB.exe
3116	MAKOP_27_10_2020_115KB.exe
1544	MAKOP_27_10_2020_115KB.exe
2112	MAKOP_27_10_2020_115KB.exe
4576	MAKOP_27_10_2020_115KB.exe
4788	MAKOP_27_10_2020_115KB.exe
292	MAKOP_27_10_2020_115KB.exe
1504	MAKOP_27_10_2020_115KB.exe
1480	MAKOP_27_10_2020_115KB.exe
2288	MAKOP_27_10_2020_115KB.exe
3324	MAKOP_27_10_2020_115KB.exe
3876	MAKOP_27_10_2020_115KB.exe
3992	MAKOP_27_10_2020_115KB.exe
272	MAKOP_27_10_2020_115KB.exe
4524	MAKOP_27_10_2020_115KB.exe
1352	MAKOP_27_10_2020_115KB.exe
1612	MAKOP_27_10_2020_115KB.exe
1192	MAKOP_27_10_2020_115KB.exe
3668	MAKOP_27_10_2020_115KB.exe
4076	MAKOP_27_10_2020_115KB.exe
4416	MAKOP_27_10_2020_115KB.exe
2328	MAKOP_27_10_2020_115KB.exe
4156	MAKOP_27_10_2020_115KB.exe
456	MAKOP_27_10_2020_115KB.exe
2712	MAKOP_27_10_2020_115KB.exe
3548	MAKOP_27_10_2020_115KB.exe
908	MAKOP_27_10_2020_115KB.exe
4596	MAKOP_27_10_2020_115KB.exe
1500	MAKOP_27_10_2020_115KB.exe
4660	MAKOP_27_10_2020_115KB.exe
3232	MAKOP_27_10_2020_115KB.exe
1236	MAKOP_27_10_2020_115KB.exe
3312	MAKOP_27_10_2020_115KB.exe
3372	MAKOP_27_10_2020_115KB.exe
32	MAKOP_27_10_2020_115KB.exe
3856	MAKOP_27_10_2020_115KB.exe
912	MAKOP_27_10_2020_115KB.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

svchost.exevssvc.exewbengine.exeWMIC.exe

description	pid	process
Token: SeTcbPrivilege	2176	svchost.exe
Token: SeTcbPrivilege	2176	svchost.exe
Token: SeBackupPrivilege	2660	vssvc.exe
Token: SeRestorePrivilege	2660	vssvc.exe
Token: SeAuditPrivilege	2660	vssvc.exe
Token: SeBackupPrivilege	1316	wbengine.exe
Token: SeRestorePrivilege	1316	wbengine.exe
Token: SeSecurityPrivilege	1316	wbengine.exe
Token: SeIncreaseQuotaPrivilege	2756	WMIC.exe
Token: SeSecurityPrivilege	2756	WMIC.exe
Token: SeTakeOwnershipPrivilege	2756	WMIC.exe
Token: SeLoadDriverPrivilege	2756	WMIC.exe
Token: SeSystemProfilePrivilege	2756	WMIC.exe
Token: SeSystemtimePrivilege	2756	WMIC.exe
Token: SeProfSingleProcessPrivilege	2756	WMIC.exe
Token: SeIncBasePriorityPrivilege	2756	WMIC.exe
Token: SeCreatePagefilePrivilege	2756	WMIC.exe
Token: SeBackupPrivilege	2756	WMIC.exe
Token: SeRestorePrivilege	2756	WMIC.exe
Token: SeShutdownPrivilege	2756	WMIC.exe
Token: SeDebugPrivilege	2756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2756	WMIC.exe
Token: SeRemoteShutdownPrivilege	2756	WMIC.exe
Token: SeUndockPrivilege	2756	WMIC.exe
Token: SeManageVolumePrivilege	2756	WMIC.exe
Token: 33	2756	WMIC.exe
Token: 34	2756	WMIC.exe
Token: 35	2756	WMIC.exe
Token: 36	2756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2756	WMIC.exe
Token: SeSecurityPrivilege	2756	WMIC.exe
Token: SeTakeOwnershipPrivilege	2756	WMIC.exe
Token: SeLoadDriverPrivilege	2756	WMIC.exe
Token: SeSystemProfilePrivilege	2756	WMIC.exe
Token: SeSystemtimePrivilege	2756	WMIC.exe
Token: SeProfSingleProcessPrivilege	2756	WMIC.exe
Token: SeIncBasePriorityPrivilege	2756	WMIC.exe
Token: SeCreatePagefilePrivilege	2756	WMIC.exe
Token: SeBackupPrivilege	2756	WMIC.exe
Token: SeRestorePrivilege	2756	WMIC.exe
Token: SeShutdownPrivilege	2756	WMIC.exe
Token: SeDebugPrivilege	2756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2756	WMIC.exe
Token: SeRemoteShutdownPrivilege	2756	WMIC.exe
Token: SeUndockPrivilege	2756	WMIC.exe
Token: SeManageVolumePrivilege	2756	WMIC.exe
Token: 33	2756	WMIC.exe
Token: 34	2756	WMIC.exe
Token: 35	2756	WMIC.exe
Token: 36	2756	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MAKOP_27_10_2020_115KB.exesvchost.exeMAKOP_27_10_2020_115KB.execmd.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exe

description	pid	process	target process
PID 4244 wrote to memory of 4336	4244	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4244 wrote to memory of 4336	4244	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4244 wrote to memory of 4336	4244	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4244 wrote to memory of 4336	4244	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 2036	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 2036	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 2036	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 2036	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 2036	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 2036	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 2036	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 4336 wrote to memory of 4912	4336	MAKOP_27_10_2020_115KB.exe	cmd.exe
PID 4336 wrote to memory of 4912	4336	MAKOP_27_10_2020_115KB.exe	cmd.exe
PID 4912 wrote to memory of 4888	4912	cmd.exe	vssadmin.exe
PID 4912 wrote to memory of 4888	4912	cmd.exe	vssadmin.exe
PID 4912 wrote to memory of 4340	4912	cmd.exe	wbadmin.exe
PID 4912 wrote to memory of 4340	4912	cmd.exe	wbadmin.exe
PID 4912 wrote to memory of 2756	4912	cmd.exe	WMIC.exe
PID 4912 wrote to memory of 2756	4912	cmd.exe	WMIC.exe
PID 2036 wrote to memory of 4272	2036	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2036 wrote to memory of 4272	2036	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2036 wrote to memory of 4272	2036	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2036 wrote to memory of 4272	2036	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 1868	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 1868	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 1868	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 1868	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 1868	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 1868	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 1868	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 1868 wrote to memory of 4628	1868	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1868 wrote to memory of 4628	1868	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1868 wrote to memory of 4628	1868	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1868 wrote to memory of 4628	1868	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 588	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 588	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 588	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 588	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 588	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 588	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 588	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 588 wrote to memory of 1960	588	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 588 wrote to memory of 1960	588	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 588 wrote to memory of 1960	588	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 588 wrote to memory of 1960	588	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 4932	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 4932	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 4932	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 4932	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 4932	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 4932	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 4932	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 4932 wrote to memory of 1540	4932	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4932 wrote to memory of 1540	4932	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4932 wrote to memory of 1540	4932	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 4932 wrote to memory of 1540	4932	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 5056	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 5056	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 5056	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 5056	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 5056	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 5056	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 2176 wrote to memory of 5056	2176	svchost.exe	MAKOP_27_10_2020_115KB.exe
PID 5056 wrote to memory of 4104	5056	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4244

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"
2⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4336

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:4272

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4888

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:4340

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:588

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:480

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3240

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4736

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4420

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3116

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1544

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2112

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4576

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4788

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:292

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1504

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1480

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2288

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3324

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3876

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3992

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:272

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4524

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1352

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1612

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1192

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3668

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4076

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4416

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2328

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4156

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:456

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2712

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3548

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:908

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4596

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1500

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4660

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3232

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1236

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3312

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3372

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:32

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3856

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:912

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
4⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n4336
3⤵
- Loads dropped DLL
PID:3408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4276

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nscAF35.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseD641.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf4504.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfBCC6.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgEA67.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh6D48.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj336E.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjD150.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl61AC.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnB98.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC177.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst952E.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5A6A.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv7D06.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvE3E0.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw88A7.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx121E.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3A62.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
32812731269ab6bb0a544db7e44d2910

SHA1
996172fd4cafdf7248204ae4768140b6b2f8dc13

SHA256
0ce8ba0efe70df193cd2c3c7761ab8f50080fc0eb723f7151256290aad4ff2eb

SHA512
d34f3e81bbef39cd6088d83eb755d490a1b10084d5ee8bd1226abc5998510e19e85633c067608af591350ec84e86fd2ee65b22220954d8ee33778bd954949735

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
40b7f298d30296864906d4e175ff9f43

SHA1
349b60915d0ce78aacc57231ae1e0df151e20087

SHA256
2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4

SHA512
ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
68cf7adb1c5d241c31ce75cfc1f17e58

SHA1
41352aedffdb84d4bb455d1cccc3ee0edebd67e3

SHA256
d810f86d53c1fbc8f5054b951caa027b786883ff55bd0a6c8c1e3b2a0c861d06

SHA512
70596dfcd5b48e9eed958fb64f13881e2328f31ca9aadd047af28df3dda1e5d05f63f3d64420a96bf8742984d0ac6f9bad4a0554a5e326459d70146638b6d821

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
7a9c25a0e3c514f31aa12d3e8ee78882

SHA1
fdf9bc70db4d5f5f975bde71084f291123a9ba08

SHA256
f118507be71d97b35fe7a302a398a9e9cc69fdef74fe5614b2401a91ee0352c7

SHA512
703b2d20568a01b6a089a2a7f38facbf79545a1d1da2081714c5846ebca87152183f686d6885e0b919c9f76b940b417a7dc989e2b4f9607fa7462f06282d8577

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
40b7f298d30296864906d4e175ff9f43

SHA1
349b60915d0ce78aacc57231ae1e0df151e20087

SHA256
2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4

SHA512
ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
1dea5a85c4e1388b205935bbc267d81f

SHA1
cac33c306a13a57a54a7f4014c6e69cb17e681fe

SHA256
0625a5cb7745ea1bf569f07d6ea90ae648675a41ef209e800a6e3c431b38c8f2

SHA512
8a0dd4503d3bddb090de3e2c0ea860c3a750cf6d23d79116ec5cb82992467e543e61b2326bd9f473e2090ca2dff09fc04fbf2a3731a8fcfee67d49e9a0af198d

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
6a7c92aba1950cc3eb06b0030dfb39ac

SHA1
d6f28c7328ce81366b2ea379e16a6b7a9d725f89

SHA256
a4006a8121360f881647b82b14ec76c996e62a5722eeeaa1f4dc0d7f4afa3f62

SHA512
3c33e1ff61259fe0682d3fa8245d0aafd182be9e263e9e0edc239519dce1bdf64d1880ae5e79fd1e5a8aec56e7431c495cc1d84392061eba8ae25b2b03eb4bbc

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
40b7f298d30296864906d4e175ff9f43

SHA1
349b60915d0ce78aacc57231ae1e0df151e20087

SHA256
2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4

SHA512
ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
a27ffed38485aee9370860d32bd98813

SHA1
6e52cd699734e3e30c02512f4d45776b17ff2b33

SHA256
5921223b35b87f18d826cf1814746f7cdb789eaa9441ceaee331be65074fc192

SHA512
6b69e24831f6d7a4dc4fa8ed02873a6284bbf3738e73ddb18df43ae2d7013f85743302ecd064a7ec882b1e0d31a97ccc3cfd9d7b96ef864932a6d84ea90d9513

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
40b7f298d30296864906d4e175ff9f43

SHA1
349b60915d0ce78aacc57231ae1e0df151e20087

SHA256
2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4

SHA512
ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
ef4901929b02fb7eff1ec09d4687758c

SHA1
0f074ce6ace4140e86422d2ee12334e791953b30

SHA256
d18b0e46781e66dd534b4c281404093e2e6af217259d4577de377cc34efca5f4

SHA512
4e8b864e5d89d1046830ec5fc47b091b41ea77c1f563d639176b8c94a1fc80a9d956bc654f0af98669ee6263e579eae3d4cdec855c8529d6f54671a7905d30b0

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
5c44a8cb0976ce20f9480b0a2ed1a229

SHA1
7513c806e6b30bcbed96c4c3e35dde2f8e374bee

SHA256
ee8783737218a156424f9c8e42f00e27c3aa59f37f84fc09015f8807064f3388

SHA512
8ee6415cef5724c4c8f1e4722e71ba9320df61d8200d525d1d91da10c5b10c700a1ef9ef2711aedacadacea923c70c834b631b3d3736110ce887ab2655696e0e

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
40b7f298d30296864906d4e175ff9f43

SHA1
349b60915d0ce78aacc57231ae1e0df151e20087

SHA256
2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4

SHA512
ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
ca9a95f8082da9130890add6a60787ef

SHA1
af01e1ff9cbeca127c3f75ac634a1365e88feec2

SHA256
792d20d662a81243625778b27437bdeb0bfcefd55b4b8644d99668967e580525

SHA512
e5ea6a2960bb0602f894ec354ac43215d64ea14ac9e10dddcc7058d11ff79bcaf7d15413ece53425e8ea008ef3a8c9f984c791663ce6d035b40c6cab760aab8e

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
20351b58a23bdbb4ad07ae9529e4ef03

SHA1
965acd5e60e453bf308cbc7ab33a018677cad9ee

SHA256
c05d2c020583d258d5006442f0c9081c30d6f9c9437b8f53f2a6974889695254

SHA512
fff54f21f4a69971d9eb20f1f3d3c712614cd846eec3b53752269fa071e9272dff7ff01612186d1dc332407a43205182bba86a40a58a129125c8f2f709d2d7b0

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
333c36d2313483f13150f36afc8466dd

SHA1
7042e98f243e771d26fc5a3453c4215e59f86160

SHA256
3ac9b76eedf095b4aa9cca0066c1596ddec4b81648e5b486d324805662a5fb3c

SHA512
50c876b0993fab3792f83a619b2acaeaa6d5c18fb1a8a277d2dac1354564db6c3938ecdf466ae11c4890db4e314b71df3885116ffd8c3e718eab8dfff3dd2a43

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
40b7f298d30296864906d4e175ff9f43

SHA1
349b60915d0ce78aacc57231ae1e0df151e20087

SHA256
2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4

SHA512
ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
7627a7bcc7b2328ac91ccf0c677229f7

SHA1
4e603d4c52b18b1c5ada1d1a4e0ddbb35203efcd

SHA256
cad774bfc5c21ef5e85c31e98cffaa011cb9c2d28e2a5278e8c9d52d516bafb1

SHA512
16e2dbbb906168fe5f1c2ed58f522a73fd79ed173b14ee4b1249e32ee2273ab267c5ca06e668770ab7fd8491202952dac07bcfaab23424df755195ffbb29a93c

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
40b7f298d30296864906d4e175ff9f43

SHA1
349b60915d0ce78aacc57231ae1e0df151e20087

SHA256
2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4

SHA512
ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
252f5889b2449788767726b96fcce493

SHA1
ee50d1ebfb4dae3cc5220f776b3f809bc72f2f22

SHA256
2cf5a06e79f56f9009defb21e1eb86b47f5fe78e8b4d8cf234809b78b463da12

SHA512
8f482b1e3e2a454fba2c80d650a242d7a1cf30427e96eba6691a0521310732bfe8c71cb584efff36076a5cb1cdde31aeb91e28e60375922bf10cd09b8a27271c

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
40b7f298d30296864906d4e175ff9f43

SHA1
349b60915d0ce78aacc57231ae1e0df151e20087

SHA256
2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4

SHA512
ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
6f7c90121d5790b88982bf456d14a6a4

SHA1
f06a8d9f18c81dea42468f41f1e4539146932ae6

SHA256
9d01705153b6c62432ad60291adf4311c7f78b32c9ca37391552ee50803a0512

SHA512
fe3f8f54e1b69d72c951ebf6ad3cc101683419a2fbcbefe4cc9be16aeaccd00a0d8efd0a8114d53fa19e940d8b6b3127134ad73b861d72c1414ee45f770ebdda

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
40b7f298d30296864906d4e175ff9f43

SHA1
349b60915d0ce78aacc57231ae1e0df151e20087

SHA256
2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4

SHA512
ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
c6853cd2af9bfffdb0a6ff6cb5ee0328

SHA1
593dc524ce3a65736206854a23b5f80ad2005fc9

SHA256
18e958154db5b526fbe4b29fd50e96d837448f46426bc5672d033815c53fa090

SHA512
c2c0ba03fa4c35549128100c6b5f3b5ca95f000e46e21705c219c27cce44029870feb52eaf4f2356d7f7160a90e48a1eb6c0cfcb0a20abf19065d24b30a8634f

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
40b7f298d30296864906d4e175ff9f43

SHA1
349b60915d0ce78aacc57231ae1e0df151e20087

SHA256
2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4

SHA512
ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
40b7f298d30296864906d4e175ff9f43

SHA1
349b60915d0ce78aacc57231ae1e0df151e20087

SHA256
2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4

SHA512
ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

Download Submit
C:\Users\Admin\AppData\Roaming\779389082
Filesize
56KB

MD5
a8b8746f9b54ad3921c4495d51428261

SHA1
921a6916ff03a5c099e48ddb6d65ad2854f71c0e

SHA256
5dfdb78ba5c047aedb9e71f14bf6ad490564e3ddbeffe858e46efe3af7c642c0

SHA512
405309a263b8a95ef483e9293732535ba10757fd771ceb868816ee46c382df0ff380a765f7427bd05d3bebe74cda40390e8aad68e66417690dec60c510e67af4

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/212-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/212-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/212-271-0x0000000000000000-mapping.dmp

Download
memory/268-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/268-219-0x0000000000000000-mapping.dmp

Download
memory/268-223-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/272-273-0x0000000000000000-mapping.dmp

Download
memory/292-236-0x0000000000000000-mapping.dmp

Download
memory/480-172-0x0000000000000000-mapping.dmp

Download
memory/552-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/552-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/552-295-0x0000000000000000-mapping.dmp

Download
memory/588-151-0x0000000000000000-mapping.dmp

Download
memory/676-241-0x0000000000000000-mapping.dmp

Download
memory/676-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/676-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/792-299-0x0000000000000000-mapping.dmp

Download
memory/792-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/792-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1192-289-0x0000000000000000-mapping.dmp

Download
memory/1352-281-0x0000000000000000-mapping.dmp

Download
memory/1480-250-0x0000000000000000-mapping.dmp

Download
memory/1504-243-0x0000000000000000-mapping.dmp

Download
memory/1540-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1540-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1540-163-0x0000000000000000-mapping.dmp

Download
memory/1544-207-0x0000000000000000-mapping.dmp

Download
memory/1596-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1596-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1596-263-0x0000000000000000-mapping.dmp

Download
memory/1612-285-0x0000000000000000-mapping.dmp

Download
memory/1664-177-0x0000000000000000-mapping.dmp

Download
memory/1664-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1664-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1868-147-0x0000000000000000-mapping.dmp

Download
memory/1872-226-0x0000000000000000-mapping.dmp

Download
memory/1872-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1872-227-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-160-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-156-0x0000000000000000-mapping.dmp

Download
memory/1960-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2036-135-0x0000000000000000-mapping.dmp

Download
memory/2068-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2068-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2068-205-0x0000000000000000-mapping.dmp

Download
memory/2112-214-0x0000000000000000-mapping.dmp

Download
memory/2288-257-0x0000000000000000-mapping.dmp

Download
memory/2328-305-0x0000000000000000-mapping.dmp

Download
memory/2388-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2388-233-0x0000000000000000-mapping.dmp

Download
memory/2388-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2420-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2420-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2468-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2468-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2468-283-0x0000000000000000-mapping.dmp

Download
memory/2656-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2656-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-140-0x0000000000000000-mapping.dmp

Download
memory/2776-287-0x0000000000000000-mapping.dmp

Download
memory/2776-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2776-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3116-200-0x0000000000000000-mapping.dmp

Download
memory/3240-179-0x0000000000000000-mapping.dmp

Download
memory/3324-261-0x0000000000000000-mapping.dmp

Download
memory/3412-198-0x0000000000000000-mapping.dmp

Download
memory/3412-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3412-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3620-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3620-184-0x0000000000000000-mapping.dmp

Download
memory/3620-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3668-293-0x0000000000000000-mapping.dmp

Download
memory/3700-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3700-267-0x0000000000000000-mapping.dmp

Download
memory/3700-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3876-265-0x0000000000000000-mapping.dmp

Download
memory/3904-248-0x0000000000000000-mapping.dmp

Download
memory/3904-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3904-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3936-191-0x0000000000000000-mapping.dmp

Download
memory/3936-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3936-195-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3984-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3984-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3984-291-0x0000000000000000-mapping.dmp

Download
memory/3992-269-0x0000000000000000-mapping.dmp

Download
memory/4048-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4048-212-0x0000000000000000-mapping.dmp

Download
memory/4048-216-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4076-297-0x0000000000000000-mapping.dmp

Download
memory/4104-170-0x0000000000000000-mapping.dmp

Download
memory/4104-171-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4104-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4236-303-0x0000000000000000-mapping.dmp

Download
memory/4236-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4236-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4272-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4272-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4272-143-0x0000000000000000-mapping.dmp

Download
memory/4336-133-0x0000000000000000-mapping.dmp

Download
memory/4336-141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4336-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4340-139-0x0000000000000000-mapping.dmp

Download
memory/4416-301-0x0000000000000000-mapping.dmp

Download
memory/4420-193-0x0000000000000000-mapping.dmp

Download
memory/4524-277-0x0000000000000000-mapping.dmp

Download
memory/4576-221-0x0000000000000000-mapping.dmp

Download
memory/4628-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4628-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4628-149-0x0000000000000000-mapping.dmp

Download
memory/4736-186-0x0000000000000000-mapping.dmp

Download
memory/4788-228-0x0000000000000000-mapping.dmp

Download
memory/4804-255-0x0000000000000000-mapping.dmp

Download
memory/4804-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4804-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4844-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4844-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4844-275-0x0000000000000000-mapping.dmp

Download
memory/4888-138-0x0000000000000000-mapping.dmp

Download
memory/4912-136-0x0000000000000000-mapping.dmp

Download
memory/4932-158-0x0000000000000000-mapping.dmp

Download
memory/5044-279-0x0000000000000000-mapping.dmp

Download
memory/5044-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5044-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5056-165-0x0000000000000000-mapping.dmp

Download
memory/5092-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5092-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5092-259-0x0000000000000000-mapping.dmp

Download