Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

  • max time kernel
    1798s
  • max time network
    1565s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    07-07-2024 14:07

General

  • Target

    RansomwareSamples/MAKOP_27_10_2020_115KB.exe

  • Size

    114KB

  • MD5

    b33e8ce6a7035bee5c5472d5b870b68a

  • SHA1

    783d08fe374f287a4e0412ed8b7f5446c6e65687

  • SHA256

    2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f

  • SHA512

    78c36e1f8ba968d55e8b469fba9623bd20f9d7216b4f5983388c32be564484caab228935f96fd8bff82bc8bb8732f7beb9ccede50385b6b6ba7e23b5cc60679f

  • SSDEEP

    3072:Rf1BDZ0kVB67Duw9AMcUTeQnbZ7pgHzL8O1oc8rEUvZfqv8dOWVIc:R9X0GGZpYzL8VcFUvZyUdb

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt

Family

makop

Ransom Note
::: Greetings :::

Little FAQ:

.1.
Q: Whats Happen?
A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen.

.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in bitcoins.

.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.

.4.
Q: How to contact with you?
A: You can write us to our mailbox: [email protected] or [email protected]

.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

.6.
Q: If I don't want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.

:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8801) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Loads dropped DLL 55 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 54 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
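Two of the signatures above (shadow-copy/backup-catalog deletion and the mass rename with an added extension) are the ones a SOC would turn into detections. The following is an added example, not part of the sandbox report or of any vendor's rule set: it runs two detectors over constructed event lists. The process records mirror the tree in the Processes section of this page (2080 -> 2812 -> cmd.exe 2656 -> vssadmin/wbadmin/wmic); the parent PID of the root process, the benign "vssadmin list shadows" record and all file-rename records are constructed for illustration. In production the same fields would come from Sysmon Event ID 1/11 or Windows 4688 records.

```python
"""Detections for recovery inhibition and mass-rename bursts (added example).

Process PIDs and command lines follow the tree on this page; everything else
(root ppid 1500, benign PIDs 4000/4100/4200, the rename events) is constructed.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"

# Constructed process-creation records: (pid, ppid, image, command line).
PROCESS_EVENTS = [
    (2080, 1500, SAMPLE, f'"{SAMPLE}"'),                       # ppid 1500 is an assumption
    (2812, 2080, SAMPLE, f'"{SAMPLE}"'),
    (1800, 2812, SAMPLE, f'"{SAMPLE}" n2812'),
    (2524, 1800, SAMPLE, f'"{SAMPLE}" n2812'),
    (2656, 2812, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (3036, 2656, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (396, 2656, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (2916, 2656, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    # Constructed benign noise: an admin only listing shadows; must not fire.
    (4100, 4000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

# Command-line patterns for the three recovery-inhibition commands in the tree.
RECOVERY_INHIBITION = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]


def ancestry(pid, by_pid):
    """Return [pid, parent, grandparent, ...] up to the first unknown ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid][1]
    return chain


def find_recovery_inhibition(events):
    """Flag processes that delete shadow copies or the backup catalog.

    Returns (pid, cmdline, [image, parent image, ...]) per hit so the analyst
    sees which top-level binary ultimately launched the command.
    """
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, _ppid, _image, cmdline in events:
        if any(p.search(cmdline) for p in RECOVERY_INHIBITION):
            images = [by_pid[p][2] for p in ancestry(pid, by_pid)]
            hits.append((pid, cmdline, images))
    return hits


def rename_bursts(file_events, window=5.0, threshold=5):
    """Detect one process appending the same new extension to many files fast.

    file_events: (timestamp_seconds, pid, old_path, new_path). A rename counts
    only when new_path is old_path plus a suffix (the original name survives,
    as in report.docx -> report.docx.makop). Returns {(pid, suffix): max count
    seen inside any `window`-second span} for keys reaching `threshold`.
    """
    per_key = defaultdict(list)
    for ts, pid, old, new in file_events:
        if new.startswith(old) and len(new) > len(old):
            per_key[(pid, new[len(old):])].append(ts)
    bursts = {}
    for key, stamps in per_key.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):        # sliding window over sorted timestamps
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts[key] = max(bursts.get(key, 0), hi - lo + 1)
    return bursts


# Constructed rename events: worker PID 1800 appends ".makop" to eight files in
# under two seconds; PID 4200 performs two ordinary renames that must not fire.
FILE_EVENTS = [(0.2 * i, 1800, rf"C:\Users\Admin\Documents\file{i}.docx",
                rf"C:\Users\Admin\Documents\file{i}.docx.makop") for i in range(8)]
FILE_EVENTS += [
    (30.0, 4200, r"C:\Users\Admin\Documents\draft.txt", r"C:\Users\Admin\Documents\final.txt"),
    (31.0, 4200, r"C:\Users\Admin\Documents\a.tmp", r"C:\Users\Admin\Documents\a.tmp.bak"),
]

if __name__ == "__main__":
    for pid, cmd, chain in find_recovery_inhibition(PROCESS_EVENTS):
        print(f"PID {pid}: {cmd}\n    launched via: {' <- '.join(chain)}")
    print(rename_bursts(FILE_EVENTS))
```

The ancestry walk is what turns a noisy per-command rule into a usable alert: `vssadmin delete shadows` from a backup agent and from a user-writable path under `%TEMP%` look identical on the command line, but differ in the chain of images above them. The rename detector keys on (pid, appended suffix) rather than on the literal string "makop", so the same logic catches a rebrand that only changes the extension.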

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"
      2⤵
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
          "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
          4⤵
            PID:2524
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:3036
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:396
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2916
        • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
          "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
          3⤵
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
            "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
            4⤵
              PID:1260
          • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
            "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
            3⤵
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1968
            • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
              "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
              4⤵
                PID:1004
            • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
              "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
              3⤵
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1772
              • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                4⤵
                  PID:2032
              • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                3⤵
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:1704
                • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                  "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                  4⤵
                    PID:528
                • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                  "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                  3⤵
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of WriteProcessMemory
                  PID:2700
                  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                    4⤵
                      PID:1364
                  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                    3⤵
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of WriteProcessMemory
                    PID:1736
                    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                      4⤵
                        PID:2848
                    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                      3⤵
                      • Loads dropped DLL
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of WriteProcessMemory
                      PID:1296
                      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                        4⤵
                          PID:3060
                      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                        3⤵
                        • Loads dropped DLL
                        • Suspicious use of SetThreadContext
                        • Suspicious behavior: MapViewOfSection
                        • Suspicious use of WriteProcessMemory
                        PID:2768
                        • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                          "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                          4⤵
                            PID:2076
                        • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                          "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                          3⤵
                          • Loads dropped DLL
                          • Suspicious use of SetThreadContext
                          • Suspicious behavior: MapViewOfSection
                          • Suspicious use of WriteProcessMemory
                          PID:1392
                          • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                            "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                            4⤵
                              PID:2224
                          • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                            "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                            3⤵
                            • Loads dropped DLL
                            • Suspicious use of SetThreadContext
                            • Suspicious behavior: MapViewOfSection
                            PID:3028
                            • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                              "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                              4⤵
                                PID:2988
                            • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                              "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                              3⤵
                              • Loads dropped DLL
                              • Suspicious use of SetThreadContext
                              • Suspicious behavior: MapViewOfSection
                              PID:1504
                              • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                4⤵
                                  PID:1808
                              • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                3⤵
                                • Loads dropped DLL
                                • Suspicious use of SetThreadContext
                                • Suspicious behavior: MapViewOfSection
                                PID:1732
                                • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                  "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                  4⤵
                                    PID:2616
                                • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                  "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                  3⤵
                                  • Loads dropped DLL
                                  • Suspicious use of SetThreadContext
                                  • Suspicious behavior: MapViewOfSection
                                  PID:2324
                                  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                    4⤵
                                      PID:1960
                                  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                    3⤵
                                    • Loads dropped DLL
                                    • Suspicious use of SetThreadContext
                                    • Suspicious behavior: MapViewOfSection
                                    PID:1744
                                    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                      4⤵
                                        PID:2200
                                    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                      3⤵
                                      • Loads dropped DLL
                                      • Suspicious use of SetThreadContext
                                      • Suspicious behavior: MapViewOfSection
                                      PID:1860
                                      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                        4⤵
                                          PID:2188
                                      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                        3⤵
                                        • Loads dropped DLL
                                        • Suspicious use of SetThreadContext
                                        • Suspicious behavior: MapViewOfSection
                                        PID:3040
                                        • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                          "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                          4⤵
                                            PID:2532
                                        • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                          "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                          3⤵
                                          • Loads dropped DLL
                                          • Suspicious use of SetThreadContext
                                          • Suspicious behavior: MapViewOfSection
                                          PID:1196
                                          • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                            "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                            4⤵
                                              PID:2368
                                          • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                            "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                            3⤵
                                            • Loads dropped DLL
                                            • Suspicious use of SetThreadContext
                                            • Suspicious behavior: MapViewOfSection
                                            PID:1680
                                            • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                              "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                              4⤵
                                                PID:980
                                            • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                              "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                              3⤵
                                              • Loads dropped DLL
                                              • Suspicious use of SetThreadContext
                                              • Suspicious behavior: MapViewOfSection
                                              PID:1840
                                              • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                4⤵
                                                  PID:2388
                                              • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                3⤵
                                                • Loads dropped DLL
                                                • Suspicious use of SetThreadContext
                                                • Suspicious behavior: MapViewOfSection
                                                PID:2040
                                                • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                  4⤵
                                                    PID:2152
                                                • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                  3⤵
                                                  • Loads dropped DLL
                                                  • Suspicious use of SetThreadContext
                                                  • Suspicious behavior: MapViewOfSection
                                                  PID:1104
                                                  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                    4⤵
                                                      PID:2724
                                                  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                    3⤵
                                                    • Loads dropped DLL
                                                    • Suspicious use of SetThreadContext
                                                    • Suspicious behavior: MapViewOfSection
                                                    PID:3064
                                                    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                      4⤵
                                                        PID:1496
                                                    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                      3⤵
                                                      • Loads dropped DLL
                                                      • Suspicious use of SetThreadContext
                                                      • Suspicious behavior: MapViewOfSection
                                                      PID:1052
                                                      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                        4⤵
                                                          PID:1632
                                                      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                        3⤵
                                                        • Loads dropped DLL
                                                        • Suspicious use of SetThreadContext
                                                        • Suspicious behavior: MapViewOfSection
                                                        PID:2604
                                                        • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                          4⤵
                                                            PID:2488
                                                        • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                          3⤵
                                                          • Loads dropped DLL
                                                          • Suspicious use of SetThreadContext
                                                          • Suspicious behavior: MapViewOfSection
                                                          PID:2720
                                                          • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                            4⤵
                                                              PID:1628
                                                          • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                            3⤵
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetThreadContext
                                                            • Suspicious behavior: MapViewOfSection
                                                            PID:2980
                                                            • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                              4⤵
                                                                PID:2120
                                                            • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                              3⤵
                                                              • Loads dropped DLL
                                                              • Suspicious use of SetThreadContext
                                                              • Suspicious behavior: MapViewOfSection
                                                              PID:236
                                                              • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:2672
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:1476
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:1616
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:876
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:1620
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:2256
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:2792
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:888
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:2164
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:1136
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:1688
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:2088
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:2364
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:912
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:1696
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:2576
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:2744
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:280
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:388
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:588
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:1592
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:536
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:2212
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:2508
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:2564
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:1676
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:1768
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:224
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:2068
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:948
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:1152
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:216
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:2552
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:1644
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:900
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:1352
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:396
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:1812
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:2284
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:756
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:2876
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:2640
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:808
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:2880
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:2296
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:2132
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:1548
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:2412
    • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
      3⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:2676
      • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
        "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
        4⤵
        PID:1964
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
                                                                                                                  3⤵
                                                                                                                  • Loads dropped DLL
                                                                                                                  PID:2124
                                                                                                            • C:\Windows\system32\vssvc.exe
                                                                                                              C:\Windows\system32\vssvc.exe
                                                                                                              1⤵
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:2704
                                                                                                            • C:\Windows\system32\wbengine.exe
                                                                                                              "C:\Windows\system32\wbengine.exe"
                                                                                                              1⤵
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:1548
                                                                                                            • C:\Windows\System32\vdsldr.exe
                                                                                                              C:\Windows\System32\vdsldr.exe -Embedding
                                                                                                              1⤵
                                                                                                                PID:2092
                                                                                                              • C:\Windows\System32\vds.exe
                                                                                                                C:\Windows\System32\vds.exe
                                                                                                                1⤵
                                                                                                                  PID:2876

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt
  Filesize: 1KB
  MD5: d171c561e20fc9714f85da3c4331d0b6
  SHA1: 8f7e6cd4bda627a0a3d1a0e687c8b998db3b9438
  SHA256: 3c829147b1f82f255e4032d2a22d5b83932bc7f74f3540137146530be0353aac
  SHA512: b52823ac0dba9dec6a243d1a3d68718c2a825dae4d6f4f312e92d87ecb87dbb066f259b317628fa588ad1abc4a59e095e5e302e53294bd8b34d414fadc8420c2

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2b90448ce29f4e674788aeb7ad767303
  SHA1: 9b8f30a99850feb5d15a34adf623460628cc8468
  SHA256: 38ac14ad85a09c9f1390823699b30156c4f3b5220566afd2ba971270cb2d5c3d
  SHA512: 0187c6d45549d7cda4b76634a3e49bb1093d52aa6db97ad57c69049de908927f2af6afbc7dd492dd4f8f85a20dce62b4c90ce06ed342e1ebdba62155cfe76945

• C:\Users\Admin\AppData\Local\Temp\Cab8317.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\Tar83F4.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Roaming\779389082
  Filesize: 56KB
  MD5: df63728d68a4ac8b176671b22e5b3b76
  SHA1: 839728f505861e48749e9ee81210cca4125d3537
  SHA256: bd1aa34af510bdbe455df7e883e3ab3d2a220a703fffe872e13d2167519f311e
  SHA512: 6e6878f30d7dfa2aae6eb6a874852df9c440c9a3257d4dba97176706c4b68cfceec1dc3eabf8d02329b2fbca7a4f7995ebd944f1926e19b689bf5d3ff850fb50

• C:\Users\Admin\AppData\Roaming\779389082
  Filesize: 56KB
  MD5: 8e7e18c8210e7d646ba907dc2cfa4a6b
  SHA1: 4255763de5f28bf6fd0d8fedecdcfd2404640c2d
  SHA256: 8ffe6a6cebda792b30d97a1a63c83022eb68e40cbe707e6d17dd02dce7af63a1
  SHA512: a8f977c603ea40b17afbad99f734e3bf3a0b51d0c2e4680508d3b23c555794c8b7031a4c8df39b65ba9f29ee84f154c37475b0b30bc70bc897871d15043ec996

• C:\Users\Admin\AppData\Roaming\779389082
  Filesize: 56KB
  MD5: 4a3b09bfb912f280a4aa4b8dc4b58862
  SHA1: bd37c1b38e009f035e16ca6f4c73d730508f8e5e
  SHA256: f640cf30c960268b2b2e27ee202a5d7474b5da127b3c9374724166858c24a8a7
  SHA512: 76ad7cf9f6f14d7d51e22b231e60fd6f42f3683ec921d19ff886e8e54ba7518ebdc88942b0d546200983949c56d8dc9067833f84803737e66d56891a4e2efeb2

• C:\Users\Admin\AppData\Roaming\779389082
  Filesize: 56KB
  MD5: 9b0399133aed66f49a14ff6a227f88d4
  SHA1: ab030c6437390e573b9dc2e7a60a8db193264422
  SHA256: 8dae63d671d34974468b6d9f39b75ad69fc20fb513606f93f82ddcd4b61a3f3c
  SHA512: 176f1d0358fe911bb1a23e33e66cd5021453a91f5a33b399930c2338ba46e3719326aefbdaab4ba198408c6a4aa889d4b6809d115b37309fc4271b922666a546

• C:\Users\Admin\AppData\Roaming\779389082
  Filesize: 56KB
  MD5: c5da74a39363bc6170af60df8b32c49f
  SHA1: 2c129125a373564ce77d4ac4475c8a887566ae8c
  SHA256: 544e5401fc63101ff7383fb4b696ab1d5b4a55071c7ea463237633c574621384
  SHA512: 76e26c133adc776df9063c0c852fd3b57d98aa97f764dff880440594ba1d32318e3ebe3989b927eb78b0564674d86f313836ae1e47c459a9a881d26789760bb7

• C:\Users\Admin\AppData\Roaming\779389082
  Filesize: 56KB
  MD5: fe292e7917d830e18d27a3998fca1ec3
  SHA1: bac8235e38cb0568b13f26d945bee18257b38a46
  SHA256: 62cd2f8be0163a0cf04bfd27b24b23149574d8c1226389dfa1bff638f8394651
  SHA512: 148e60e57982d79695fe3cb8361a3580e321b8872bd2f232262a0aa46aa28d1bf51be3cf32bcc5c80a2093b6f2a7cf68f80e5705b46bb2eb71d0212844e2d82b

• C:\Users\Admin\AppData\Roaming\779389082
  Filesize: 56KB
  MD5: 0f33a9748ef0bb30d30b783bdc83a99c
  SHA1: 1a7fbc4b6e0cde24f7ee58eb45627c1641c989fa
  SHA256: aa93019b5bcc01adf7726d6f15aee83ea62cbc14f327e59f02a9a2342eb58e30
  SHA512: 0f17a23dbf1251ec90291d54e4c8bacbd231c4809368fa0aa7d733c523174de43ad319eb098a7120ae9b60400894cf83b7eecb401744c36ec0e1fd5e4d6f2ca1

• C:\Users\Admin\AppData\Roaming\779389082
  Filesize: 56KB
  MD5: a524ebe0dfab9ea297286050d66ba1ed
  SHA1: 665c7d801635dd431f3d97f08baf14b9daf8a6e1
  SHA256: 4a095728d509404987228dc20d6e23db732f4a0ec6c66b0cf89699926b5ed3f6
  SHA512: a924e8ba45d96c7193c9a61b2f1753bbaa48beeeb1a9058974534bb1fb58aa213841c6c729b414016d0c00fa7b1eca08da862a9fd045e3e5455aba826ba5c1c4

• C:\Users\Admin\AppData\Roaming\779389082
  Filesize: 56KB
  MD5: 2d17f934f25fa2afe05b03468cb39468
  SHA1: 7e1de8cb0b326438aa7a7e3dc2168579615dcd8d
  SHA256: 1c07aeddbabbf1775679040612da2e23ece91fc59f04b54bbf8a3c13c4baf8b3
  SHA512: b79fc2195d752e62b1afd6bbccf745facd9f47442a7a843d55892189770914fc201fc75ed12c36cb2e53323396543ac68a405a0bdac973c21b5cee3a8d956bca

• C:\Users\Admin\AppData\Roaming\779389082
  Filesize: 56KB
  MD5: 32e8ec4346f13ce0568de7bf7fefb6fe
  SHA1: ad04279bd0147432c997ebe0d52fd80d662b2f8d
  SHA256: cf0ab6f8beb2f23ee9b75633ed2faaf82f14fa3ed797d8407a6a841b6e94d227
  SHA512: 2abbe29c8f7342779da0ada5ce245a76e6c2f3b601615407e8924f847327063b09455233727562bb4367500b73ebe22ff0a2ff3257dd23f07f38b20ad2242199

• C:\Users\Admin\AppData\Roaming\779389082
  Filesize: 56KB
  MD5: 79ecf11a4c0e2c95c2cb132dd124da9d
  SHA1: 2d36fc5b1a614127b5699e257c9df7ebc9fd7f0a
  SHA256: 8cffbaceb7c043551fef7b20ab7d5ce465c00e656980fc8bff19e1bc7f03b235
  SHA512: 92bef0f9e1c521e05b37187c47f69a8fd9ea842c2c964613be798e528fc70eae15e18fcb5489176529c6ab546715a55b47f08dbeb141d998c8a8f993fee36c62

• C:\Users\Admin\AppData\Roaming\779389082
  Filesize: 56KB
  MD5: ba41580a52e592f902ce53d5bf4eaddc
  SHA1: 463acff5a71dd7c580b7ae52091dc5ec3075fb0a
  SHA256: 50577e8ae3331aa6d25cfb4a270291ee3503d88febca708d9de04b796ee694df
  SHA512: 4697440accd08c20b9807471d6443f827f001ef4bbb733f2323d29cb4613bfc944f0798d5b3a2502931826898a3ff0255f0e62118445118e296bdb2e92b77086

• C:\Users\Admin\AppData\Roaming\779389082
  Filesize: 56KB
  MD5: 40b7f298d30296864906d4e175ff9f43
  SHA1: 349b60915d0ce78aacc57231ae1e0df151e20087
  SHA256: 2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4
  SHA512: ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

• \??\PIPE\wkssvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                  SHA512

                                                                                                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                • \Users\Admin\AppData\Local\Temp\nso8B5F.tmp\System.dll

                                                                                                                  Filesize

                                                                                                                  11KB

                                                                                                                  MD5

                                                                                                                  fccff8cb7a1067e23fd2e2b63971a8e1

                                                                                                                  SHA1

                                                                                                                  30e2a9e137c1223a78a0f7b0bf96a1c361976d91

                                                                                                                  SHA256

                                                                                                                  6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

                                                                                                                  SHA512

                                                                                                                  f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

                                                                                                                • memory/1260-18905-0x0000000000400000-0x000000000041F000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  124KB

                                                                                                                • memory/1260-18907-0x0000000000400000-0x000000000041F000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  124KB

                                                                                                                • memory/1260-18906-0x0000000000400000-0x000000000041F000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  124KB

                                                                                                                • memory/2524-6795-0x0000000000400000-0x000000000041F000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  124KB

                                                                                                                • memory/2524-6796-0x0000000000400000-0x000000000041F000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  124KB

                                                                                                                • memory/2524-6141-0x0000000000400000-0x000000000041F000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  124KB

                                                                                                                • memory/2812-2181-0x0000000000400000-0x000000000041F000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  124KB

                                                                                                                • memory/2812-18827-0x0000000000400000-0x000000000041F000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  124KB

                                                                                                                • memory/2812-26-0x0000000000400000-0x000000000041F000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  124KB

                                                                                                                • memory/2812-16-0x0000000000400000-0x000000000041F000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  124KB

                                                                                                                • memory/2812-9-0x0000000000400000-0x000000000041F000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  124KB

                                                                                                                • memory/2812-10-0x0000000000400000-0x000000000041F000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  124KB

                                                                                                                • memory/2812-7-0x0000000000400000-0x000000000041F000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  124KB