makop | 0a6a3fbc9e9c5190e2310e6d147bfc938f867e03ea12368911a625d736b9a68c

Analysis

max time kernel
86s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2023 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

asdf.exe
Size

259KB
MD5

9a0a28352da8fb0dcdc8320450a7ebf8
SHA1

36a7c488e2d0d6633feab2ffb33dd714ae4e5612
SHA256

2044f2f407beaed23a1bd832e34a48266e936090fe2b064f65d8b5c34b208dce
SHA512

a75a78bf88281129953032f760d6813b3f261d21893f9c35224a5a4fa32708439a832cf49f70c3a8661aa817e3281dd4f5a60c3b242b7800972474d716285eaf
SSDEEP

3072:IomnzVincQDKgc/7SSCbwFtOLy/ycpZxCB0LYnbfaR00n:ItZHSd4t/aGiMYu

Score

10^/10

makop ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "mammon" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] or [email protected] or [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4416	wbadmin.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\UnpublishTrace.tiff	asdf.exe
File opened for modification	C:\Users\Admin\Pictures\NewUndo.tiff	asdf.exe

Loads dropped DLL 2 IoCs

pid	Process
4188	asdf.exe
4716	asdf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4188 set thread context of 1156	4188	asdf.exe	90
PID 4716 set thread context of 3824	4716	asdf.exe	106

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-125_contrast-white.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\resources.pri	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\PhtoMDL2.ttf	asdf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\readme-warning.txt	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-150_contrast-black.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-60.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\index.txt	asdf.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Exist.Tests.ps1	asdf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\ui-strings.js	asdf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\ui-strings.js	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\GlowInTheDark.png	asdf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ja-jp\ui-strings.js	asdf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W6.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-256_altform-unplated.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymxl.ttf	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-125.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	asdf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\add-comment.png	asdf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml	asdf.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\amd64\jvm.cfg	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsSplashLogo.scale-180.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-125.png	asdf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons.png	asdf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\readme-warning.txt	asdf.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldBeNullOrEmpty.snippets.ps1xml	asdf.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui	asdf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-unplated_contrast-white.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\Xbox360PurchaseHostPage.html	asdf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	asdf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png	asdf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-125_contrast-white.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-125.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-lightunplated.png	asdf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\readme-warning.txt	asdf.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\it.pak	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60_altform-unplated.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_altform-lightunplated.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\resources.pri	asdf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar	asdf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\readme-warning.txt	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_altform-unplated.png	asdf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\dd_arrow_small.png	asdf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-125.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\23.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.NetworkTroubleshooter.winmd	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_WideTile.scale-200.png	asdf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png	asdf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif	asdf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js	asdf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ja_JP.jar	asdf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar	asdf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WordInterProviderRanker.bin	asdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1300	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1156	asdf.exe
1156	asdf.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4188	asdf.exe
4716	asdf.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeBackupPrivilege	3864	vssvc.exe
Token: SeRestorePrivilege	3864	vssvc.exe
Token: SeAuditPrivilege	3864	vssvc.exe
Token: SeBackupPrivilege	1672	wbengine.exe
Token: SeRestorePrivilege	1672	wbengine.exe
Token: SeSecurityPrivilege	1672	wbengine.exe
Token: SeIncreaseQuotaPrivilege	3796	WMIC.exe
Token: SeSecurityPrivilege	3796	WMIC.exe
Token: SeTakeOwnershipPrivilege	3796	WMIC.exe
Token: SeLoadDriverPrivilege	3796	WMIC.exe
Token: SeSystemProfilePrivilege	3796	WMIC.exe
Token: SeSystemtimePrivilege	3796	WMIC.exe
Token: SeProfSingleProcessPrivilege	3796	WMIC.exe
Token: SeIncBasePriorityPrivilege	3796	WMIC.exe
Token: SeCreatePagefilePrivilege	3796	WMIC.exe
Token: SeBackupPrivilege	3796	WMIC.exe
Token: SeRestorePrivilege	3796	WMIC.exe
Token: SeShutdownPrivilege	3796	WMIC.exe
Token: SeDebugPrivilege	3796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3796	WMIC.exe
Token: SeRemoteShutdownPrivilege	3796	WMIC.exe
Token: SeUndockPrivilege	3796	WMIC.exe
Token: SeManageVolumePrivilege	3796	WMIC.exe
Token: 33	3796	WMIC.exe
Token: 34	3796	WMIC.exe
Token: 35	3796	WMIC.exe
Token: 36	3796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3796	WMIC.exe
Token: SeSecurityPrivilege	3796	WMIC.exe
Token: SeTakeOwnershipPrivilege	3796	WMIC.exe
Token: SeLoadDriverPrivilege	3796	WMIC.exe
Token: SeSystemProfilePrivilege	3796	WMIC.exe
Token: SeSystemtimePrivilege	3796	WMIC.exe
Token: SeProfSingleProcessPrivilege	3796	WMIC.exe
Token: SeIncBasePriorityPrivilege	3796	WMIC.exe
Token: SeCreatePagefilePrivilege	3796	WMIC.exe
Token: SeBackupPrivilege	3796	WMIC.exe
Token: SeRestorePrivilege	3796	WMIC.exe
Token: SeShutdownPrivilege	3796	WMIC.exe
Token: SeDebugPrivilege	3796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3796	WMIC.exe
Token: SeRemoteShutdownPrivilege	3796	WMIC.exe
Token: SeUndockPrivilege	3796	WMIC.exe
Token: SeManageVolumePrivilege	3796	WMIC.exe
Token: 33	3796	WMIC.exe
Token: 34	3796	WMIC.exe
Token: 35	3796	WMIC.exe
Token: 36	3796	WMIC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 1156	4188	asdf.exe	90
PID 4188 wrote to memory of 1156	4188	asdf.exe	90
PID 4188 wrote to memory of 1156	4188	asdf.exe	90
PID 4188 wrote to memory of 1156	4188	asdf.exe	90
PID 1156 wrote to memory of 4620	1156	asdf.exe	93
PID 1156 wrote to memory of 4620	1156	asdf.exe	93
PID 4620 wrote to memory of 1300	4620	cmd.exe	95
PID 4620 wrote to memory of 1300	4620	cmd.exe	95
PID 4620 wrote to memory of 4416	4620	cmd.exe	98
PID 4620 wrote to memory of 4416	4620	cmd.exe	98
PID 4620 wrote to memory of 3796	4620	cmd.exe	103
PID 4620 wrote to memory of 3796	4620	cmd.exe	103
PID 4716 wrote to memory of 3824	4716	asdf.exe	106
PID 4716 wrote to memory of 3824	4716	asdf.exe	106
PID 4716 wrote to memory of 3824	4716	asdf.exe	106
PID 4716 wrote to memory of 3824	4716	asdf.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\asdf.exe
"C:\Users\Admin\AppData\Local\Temp\asdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Users\Admin\AppData\Local\Temp\asdf.exe
  "C:\Users\Admin\AppData\Local\Temp\asdf.exe"
  2⤵
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\asdf.exe
    "C:\Users\Admin\AppData\Local\Temp\asdf.exe" n1156
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\asdf.exe
      "C:\Users\Admin\AppData\Local\Temp\asdf.exe" n1156
      4⤵
      PID:3824
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1300
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:4416
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3192

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:5068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\readme-warning.txt

Filesize
1KB

MD5
0f44a19896202f3a9f8dd0747e54c5eb

SHA1
03f490800892428e0791deeccbe5fa56b0b97226

SHA256
994aaeff999041819c380948d93a44265440d63d5b6e7a9cc9ef82d646fcd1ef

SHA512
f5323173a37308cdaf5c8480c4a4a3536211a41d2c52eb87a0c1a187f0c590e062507cdeca3720ae67a4b3579a0aa65da3da1f57014e101336f275b921e2b5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc81F7.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90AD.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90AD.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
C:\Users\Admin\AppData\Roaming\843795456

Filesize
57KB

MD5
8a9d30b739f21522b79d9c7fb582e56d

SHA1
db2593c6aeda57946dd2540a3af807fd63957fce

SHA256
056bbd47c7b226a83bcf053e3b05e72026828f2f996be88c236e803830b92157

SHA512
f3a301aef0e49b2ef65bef5936483dcbda33b81f8a2dfcf46ab44d9b8f21a409f5b5d05973752376374ba51f018addfd6dc3a1347511f9814f35ee2f64616e66

Download Submit
C:\Users\Admin\AppData\Roaming\843795456

Filesize
57KB

MD5
99792628d18aa0e41870a6e5d685bfb2

SHA1
36765c46d3a7cee7ef5034aaf7692a9e8f893be3

SHA256
54fb8a7da6530096d63df4d55123de5813eae41f5185be74a5ec829aa49ec417

SHA512
b723c307c0220783aac3a59c0cb1bf687701256b35990ecc758a7d7b91c05f5e02c7150d289ae715a756dc7181cc71a48960176347e2777d14eafe180f154183

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk

Filesize
1KB

MD5
ca35ee8667aa4fcee684e8994716e35a

SHA1
99b97a8e7b74b8d3aed2e983b97c117f28c3efdf

SHA256
3eb2b4e12219d2e117d18fac8c6185d1c978f75d3f38b3593fccf4360d7b6a59

SHA512
71aa26c84450c2afe9f753d34f6297bc86490734515ae7074f26be34e7edfff517c809794f68130fa792782ef188bfe99fc7de5caf9a85729bea1570ed5a8d22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk

Filesize
1KB

MD5
49a3f542561d13c94f79de49e708e8e6

SHA1
cac978cfd97e117d26c49ea8f7bf3c927d1e1625

SHA256
5a7a222312aeb17d1735e2a57bb96c9b3be07e6d21b9d7f864a107e96d4220df

SHA512
8785d485aeb9b41a0accd9621a10c62559515d8be0f7c24760eb355b27daeb7796d2dd92b356563dedbf69bb8d49060950c7c26255036c2ed3e917da28b88c75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk

Filesize
1KB

MD5
b76bb554128b1b4a2d414e1a97df5baa

SHA1
d92e788db63fc811d90fd0495b4dd686520c452c

SHA256
80fef590814547c025297f43141602b96a4c79737ede6719698cf88dca7d30a6

SHA512
6f84db9e2e0eb109b93a580321f7ce9ce4d9ea4d25f599359d70e0e8eeb7b287b100dad811254d5c783d788f1dda3337bb1ed060201e58b2722410a6df51a2c9

Download Submit
memory/1156-155-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1156-17175-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1156-211-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1156-143-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1156-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1156-20396-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3824-1133-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3824-1156-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3824-9279-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download