Resubmissions (7)
28-07-2024 16:38  240728-t5tryssgmm  score 10
07-07-2024 14:07  240707-rfgd8atekm  score 10
07-07-2024 14:07  240707-re689awdpe  score 10
13-09-2022 17:54  220913-wg1lpsgbg7  score 10

Analysis
max time kernel: 1798s
max time network: 1565s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 07-07-2024 14:07
Static task
static1

Behavioral tasks (sample, resource)
behavioral1: RansomwareSamples/Avaddon_09_06_2020_1054KB.exe (win7-20240705-en)
behavioral2: RansomwareSamples/Avaddon_09_06_2020_1054KB.exe (win10v2004-20240704-en)
behavioral3: RansomwareSamples/Avos_18_07_2021_403KB.exe (win7-20240704-en)
behavioral4: RansomwareSamples/Avos_18_07_2021_403KB.exe (win10v2004-20240704-en)
behavioral5: RansomwareSamples/Babik_04_01_2021_31KB.exe (win7-20240704-en)
behavioral6: RansomwareSamples/Babik_04_01_2021_31KB.exe (win10v2004-20240704-en)
behavioral7: RansomwareSamples/Babuk_20_04_2021_79KB.exe (win7-20240508-en)
behavioral8: RansomwareSamples/Babuk_20_04_2021_79KB.exe (win10v2004-20240704-en)
behavioral9: RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe (win7-20240704-en)
behavioral10: RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe (win10v2004-20240704-en)
behavioral11: RansomwareSamples/BlackMatter_02_08_2021_67KB.exe (win7-20240508-en)
behavioral12: RansomwareSamples/BlackMatter_02_08_2021_67KB.exe (win10v2004-20240704-en)
behavioral13: RansomwareSamples/Conti_22_12_2020_186KB.exe (win7-20240705-en)
behavioral14: RansomwareSamples/Conti_22_12_2020_186KB.exe (win10v2004-20240704-en)
behavioral15: RansomwareSamples/Cuba_08_03_2021_1130KB.exe (win7-20240705-en)
behavioral16: RansomwareSamples/Cuba_08_03_2021_1130KB.exe (win10v2004-20240704-en)
behavioral17: RansomwareSamples/DarkSide_01_05_2021_30KB.exe (win7-20240705-en)
behavioral18: RansomwareSamples/DarkSide_01_05_2021_30KB.exe (win10v2004-20240704-en)
behavioral19: RansomwareSamples/DarkSide_16_01_2021_59KB.exe (win7-20240705-en)
behavioral20: RansomwareSamples/DarkSide_16_01_2021_59KB.exe (win10v2004-20240704-en)
behavioral21: RansomwareSamples/DarkSide_18_11_2020_17KB.exe (win7-20240705-en)
behavioral22: RansomwareSamples/DarkSide_18_11_2020_17KB.exe (win10v2004-20240704-en)
behavioral23: RansomwareSamples/DearCry_13_03_2021_1292KB.exe (win7-20240704-en)
behavioral24: RansomwareSamples/DearCry_13_03_2021_1292KB.exe (win10v2004-20240704-en)
behavioral25: RansomwareSamples/Hades_29_03_2021_1909KB.exe (win7-20240704-en)
behavioral26: RansomwareSamples/Hades_29_03_2021_1909KB.exe (win10v2004-20240508-en)
behavioral27: RansomwareSamples/Hive_17_07_2021_808KB.exe (win7-20240704-en)
behavioral28: RansomwareSamples/Hive_17_07_2021_808KB.exe (win10v2004-20240508-en)
behavioral29: RansomwareSamples/LockBit_14_02_2021_146KB.exe (win7-20240705-en)
behavioral30: RansomwareSamples/LockBit_14_02_2021_146KB.exe (win10v2004-20240704-en)
behavioral31: RansomwareSamples/MAKOP_27_10_2020_115KB.exe (win7-20240704-en)
behavioral32: RansomwareSamples/MAKOP_27_10_2020_115KB.exe (win10v2004-20240704-en)
General
Target: RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Size: 114KB
MD5: b33e8ce6a7035bee5c5472d5b870b68a
SHA1: 783d08fe374f287a4e0412ed8b7f5446c6e65687
SHA256: 2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f
SHA512: 78c36e1f8ba968d55e8b469fba9623bd20f9d7216b4f5983388c32be564484caab228935f96fd8bff82bc8bb8732f7beb9ccede50385b6b6ba7e23b5cc60679f
SSDEEP: 3072:Rf1BDZ0kVB67Duw9AMcUTeQnbZ7pgHzL8O1oc8rEUvZfqv8dOWVIc:R9X0GGZpYzL8VcFUvZyUdb

Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt
Family: makop
Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (8801) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Processes: wbadmin.exe (PID 396)
Loads dropped DLL (55 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: MAKOP_27_10_2020_115KB.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\MAKOP_27_10_2020_115KB.exe\""

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: MAKOP_27_10_2020_115KB.exe
File opened (read-only) \??\F:

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Suspicious use of SetThreadContext (54 IoCs)
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies (3 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PID 3036)
Processes: MAKOP_27_10_2020_115KB.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary blob, value elided; set three times)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary blob, value elided)
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: MAKOP_27_10_2020_115KB.exe (PID 2812)
Suspicious behavior: MapViewOfSection (54 IoCs)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: vssvc.exe, wbengine.exe, WMIC.exe
vssvc.exe (PID 2704): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
wbengine.exe (PID 1548): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
WMIC.exe (PID 2916), the same set recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory 64 IoCs
Processes: MAKOP_27_10_2020_115KB.exe (multiple instances), cmd.exe
description                        pid   process                     target process
PID 2080 wrote to memory of 2812   2080  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2080 wrote to memory of 2812   2080  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2080 wrote to memory of 2812   2080  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2080 wrote to memory of 2812   2080  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2080 wrote to memory of 2812   2080  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2812 wrote to memory of 2656   2812  MAKOP_27_10_2020_115KB.exe  cmd.exe
PID 2812 wrote to memory of 2656   2812  MAKOP_27_10_2020_115KB.exe  cmd.exe
PID 2812 wrote to memory of 2656   2812  MAKOP_27_10_2020_115KB.exe  cmd.exe
PID 2812 wrote to memory of 2656   2812  MAKOP_27_10_2020_115KB.exe  cmd.exe
PID 2656 wrote to memory of 3036   2656  cmd.exe                     vssadmin.exe
PID 2656 wrote to memory of 3036   2656  cmd.exe                     vssadmin.exe
PID 2656 wrote to memory of 3036   2656  cmd.exe                     vssadmin.exe
PID 2656 wrote to memory of 396    2656  cmd.exe                     wbadmin.exe
PID 2656 wrote to memory of 396    2656  cmd.exe                     wbadmin.exe
PID 2656 wrote to memory of 396    2656  cmd.exe                     wbadmin.exe
PID 2656 wrote to memory of 2916   2656  cmd.exe                     WMIC.exe
PID 2656 wrote to memory of 2916   2656  cmd.exe                     WMIC.exe
PID 2656 wrote to memory of 2916   2656  cmd.exe                     WMIC.exe
PID 1800 wrote to memory of 2524   1800  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1800 wrote to memory of 2524   1800  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1800 wrote to memory of 2524   1800  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1800 wrote to memory of 2524   1800  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1800 wrote to memory of 2524   1800  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260   2756  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260   2756  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260   2756  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260   2756  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260   2756  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004   1968  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004   1968  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004   1968  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004   1968  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004   1968  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032   1772  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032   1772  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032   1772  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032   1772  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032   1772  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528    1704  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528    1704  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528    1704  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528    1704  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528    1704  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364   2700  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364   2700  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364   2700  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364   2700  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364   2700  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848   1736  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848   1736  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848   1736  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848   1736  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848   1736  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060   1296  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060   1296  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060   1296  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060   1296  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060   1296  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076   2768  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076   2768  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076   2768  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076   2768  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076   2768  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
PID 1392 wrote to memory of 2224   1392  MAKOP_27_10_2020_115KB.exe  MAKOP_27_10_2020_115KB.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"2⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2524
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:3036 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:396 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1260
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1004
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2032
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:528
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:3060
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2224
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3028 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1504 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1808
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2200
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1860 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3040 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1196 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2368
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:980
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1840 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2388
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1104 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3064 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1052 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2604 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:236 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2672
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1476 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:876 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1620
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:888 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1136 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2088 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:912 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1696
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2576 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:280 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:388
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:588 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:536 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2212
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2508 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2564
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1768
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:224 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:948 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:216 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2552
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:900
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1352 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:396
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1812 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1280 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:756
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2640
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:808
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe (tree depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
PID:2880
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe (tree depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2296
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe (tree depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
PID:2132
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe (tree depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1548
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe (tree depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
PID:2412
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe (tree depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2676
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe (tree depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
PID:1964
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe (tree depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
- Loads dropped DLL
PID:2124
-
C:\Windows\system32\vssvc.exe (tree depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
C:\Windows\system32\wbengine.exe (tree depth 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
C:\Windows\System32\vdsldr.exe (tree depth 1)
Command line: C:\Windows\System32\vdsldr.exe -Embedding
PID:2092
-
C:\Windows\System32\vds.exe (tree depth 1)
Command line: C:\Windows\System32\vds.exe
PID:2876
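The tree above is dense, and the two things a responder wants from it are mechanical: which parent spawned a copy of its own image and was flagged for SetThreadContext together with MapViewOfSection (the pair a sandbox raises when a process maps memory into a child it just created and redirects that child's thread into it), and which backup-related system services (vssvc.exe, wbengine.exe, vds.exe, vdsldr.exe) came up during the run. The script below is an added example, not part of this report or of any sandbox's tooling: it parses entries in the fused layout the page uses and reports those two findings plus PID reuse. The input is copied from the tree above except for the header line of the PID 808 parent, which sits before this excerpt; that line is constructed here on the assumption that it has the same image and "n2812" argument as the other parents.

```python
"""Flag injection chains and backup-service activity in a sandbox process
tree extracted in the fused layout used above. Added example, not code
from the report or from any sandbox."""
import re
from collections import defaultdict

# Copied from the tree above, except the first header line: the PID 808
# parent's header precedes this excerpt, so it is constructed here
# (assumption: same image and "n2812" argument as the other parents).
TREE = r'''
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:808 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1548 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28124⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n28123⤵
- Loads dropped DLL
PID:2124
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2092
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2876
'''

# image path, fused command line, one tree-depth digit, arrow, optional inline PID
HEADER = re.compile(r'^(?P<image>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$')
INJECT_SIGS = {'Suspicious use of SetThreadContext', 'Suspicious behavior: MapViewOfSection'}
BACKUP_INFRA = {'vssvc.exe', 'wbengine.exe', 'vds.exe', 'vdsldr.exe'}


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def parse_tree(text):
    """Processes in listing order; parent = nearest earlier entry one level up."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(' -'):          # "PID:808 -": a bullet glued to the PID
            line = line[:-2].rstrip()
        if not line or line == '-':
            continue
        m = HEADER.match(line)
        if m:
            cur = {'image': m['image'], 'cmdline': m['cmd'].strip(),
                   'depth': int(m['depth']),
                   'pid': int(m['pid']) if m['pid'] else None,
                   'sigs': [], 'parent': None}
            cur['parent'] = next((p for p in reversed(procs)
                                  if p['depth'] == cur['depth'] - 1), None)
            procs.append(cur)
        elif line.startswith('- ') and cur:
            cur['sigs'].append(line[2:])
        elif line.startswith('PID:') and cur:
            cur['pid'] = int(line[4:])
    return procs


def find_self_injection(procs):
    """(parent_pid, child_pid, child_cmdline) where a flagged parent spawned its own image."""
    return [(p['parent']['pid'], p['pid'], p['cmdline']) for p in procs
            if p['parent'] and basename(p['image']) == basename(p['parent']['image'])
            and INJECT_SIGS <= set(p['parent']['sigs'])]


def find_backup_services(procs):
    """Top-level services behind shadow copies, Windows Backup and disk management."""
    return sorted(basename(p['image']) for p in procs
                  if p['depth'] == 1 and basename(p['image']) in BACKUP_INFRA)


def pid_collisions(procs):
    """PIDs are recycled once a process exits, so key on (pid, image), not pid alone."""
    seen = defaultdict(set)
    for p in procs:
        seen[p['pid']].add(basename(p['image']))
    return {pid: sorted(imgs) for pid, imgs in seen.items() if len(imgs) > 1}


if __name__ == '__main__':
    tree = parse_tree(TREE)
    for parent, child, cmd in find_self_injection(tree):
        print(f'injection chain: PID {parent} -> PID {child}  {cmd}')
    print('backup services started:', ', '.join(find_backup_services(tree)))
    print('PID reuse:', pid_collisions(tree))
```

In this excerpt PID 1548 is both a MAKOP parent and wbengine.exe; the sandbox recycles PIDs once a process exits, so pivot on image plus PID rather than PID alone. The four backup services being present only says that the shadow-copy and backup infrastructure was exercised during the run; the commands that drove it are not in this excerpt.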
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads
-
Filesize: 1KB
MD5: d171c561e20fc9714f85da3c4331d0b6
SHA1: 8f7e6cd4bda627a0a3d1a0e687c8b998db3b9438
SHA256: 3c829147b1f82f255e4032d2a22d5b83932bc7f74f3540137146530be0353aac
SHA512: b52823ac0dba9dec6a243d1a3d68718c2a825dae4d6f4f312e92d87ecb87dbb066f259b317628fa588ad1abc4a59e095e5e302e53294bd8b34d414fadc8420c2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2b90448ce29f4e674788aeb7ad767303
SHA1: 9b8f30a99850feb5d15a34adf623460628cc8468
SHA256: 38ac14ad85a09c9f1390823699b30156c4f3b5220566afd2ba971270cb2d5c3d
SHA512: 0187c6d45549d7cda4b76634a3e49bb1093d52aa6db97ad57c69049de908927f2af6afbc7dd492dd4f8f85a20dce62b4c90ce06ed342e1ebdba62155cfe76945
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 56KB
MD5: df63728d68a4ac8b176671b22e5b3b76
SHA1: 839728f505861e48749e9ee81210cca4125d3537
SHA256: bd1aa34af510bdbe455df7e883e3ab3d2a220a703fffe872e13d2167519f311e
SHA512: 6e6878f30d7dfa2aae6eb6a874852df9c440c9a3257d4dba97176706c4b68cfceec1dc3eabf8d02329b2fbca7a4f7995ebd944f1926e19b689bf5d3ff850fb50
-
Filesize: 56KB
MD5: 8e7e18c8210e7d646ba907dc2cfa4a6b
SHA1: 4255763de5f28bf6fd0d8fedecdcfd2404640c2d
SHA256: 8ffe6a6cebda792b30d97a1a63c83022eb68e40cbe707e6d17dd02dce7af63a1
SHA512: a8f977c603ea40b17afbad99f734e3bf3a0b51d0c2e4680508d3b23c555794c8b7031a4c8df39b65ba9f29ee84f154c37475b0b30bc70bc897871d15043ec996
-
Filesize: 56KB
MD5: 4a3b09bfb912f280a4aa4b8dc4b58862
SHA1: bd37c1b38e009f035e16ca6f4c73d730508f8e5e
SHA256: f640cf30c960268b2b2e27ee202a5d7474b5da127b3c9374724166858c24a8a7
SHA512: 76ad7cf9f6f14d7d51e22b231e60fd6f42f3683ec921d19ff886e8e54ba7518ebdc88942b0d546200983949c56d8dc9067833f84803737e66d56891a4e2efeb2
-
Filesize: 56KB
MD5: 9b0399133aed66f49a14ff6a227f88d4
SHA1: ab030c6437390e573b9dc2e7a60a8db193264422
SHA256: 8dae63d671d34974468b6d9f39b75ad69fc20fb513606f93f82ddcd4b61a3f3c
SHA512: 176f1d0358fe911bb1a23e33e66cd5021453a91f5a33b399930c2338ba46e3719326aefbdaab4ba198408c6a4aa889d4b6809d115b37309fc4271b922666a546
-
Filesize: 56KB
MD5: c5da74a39363bc6170af60df8b32c49f
SHA1: 2c129125a373564ce77d4ac4475c8a887566ae8c
SHA256: 544e5401fc63101ff7383fb4b696ab1d5b4a55071c7ea463237633c574621384
SHA512: 76e26c133adc776df9063c0c852fd3b57d98aa97f764dff880440594ba1d32318e3ebe3989b927eb78b0564674d86f313836ae1e47c459a9a881d26789760bb7
-
Filesize: 56KB
MD5: fe292e7917d830e18d27a3998fca1ec3
SHA1: bac8235e38cb0568b13f26d945bee18257b38a46
SHA256: 62cd2f8be0163a0cf04bfd27b24b23149574d8c1226389dfa1bff638f8394651
SHA512: 148e60e57982d79695fe3cb8361a3580e321b8872bd2f232262a0aa46aa28d1bf51be3cf32bcc5c80a2093b6f2a7cf68f80e5705b46bb2eb71d0212844e2d82b
-
Filesize: 56KB
MD5: 0f33a9748ef0bb30d30b783bdc83a99c
SHA1: 1a7fbc4b6e0cde24f7ee58eb45627c1641c989fa
SHA256: aa93019b5bcc01adf7726d6f15aee83ea62cbc14f327e59f02a9a2342eb58e30
SHA512: 0f17a23dbf1251ec90291d54e4c8bacbd231c4809368fa0aa7d733c523174de43ad319eb098a7120ae9b60400894cf83b7eecb401744c36ec0e1fd5e4d6f2ca1
-
Filesize: 56KB
MD5: a524ebe0dfab9ea297286050d66ba1ed
SHA1: 665c7d801635dd431f3d97f08baf14b9daf8a6e1
SHA256: 4a095728d509404987228dc20d6e23db732f4a0ec6c66b0cf89699926b5ed3f6
SHA512: a924e8ba45d96c7193c9a61b2f1753bbaa48beeeb1a9058974534bb1fb58aa213841c6c729b414016d0c00fa7b1eca08da862a9fd045e3e5455aba826ba5c1c4
-
Filesize: 56KB
MD5: 2d17f934f25fa2afe05b03468cb39468
SHA1: 7e1de8cb0b326438aa7a7e3dc2168579615dcd8d
SHA256: 1c07aeddbabbf1775679040612da2e23ece91fc59f04b54bbf8a3c13c4baf8b3
SHA512: b79fc2195d752e62b1afd6bbccf745facd9f47442a7a843d55892189770914fc201fc75ed12c36cb2e53323396543ac68a405a0bdac973c21b5cee3a8d956bca
-
Filesize: 56KB
MD5: 32e8ec4346f13ce0568de7bf7fefb6fe
SHA1: ad04279bd0147432c997ebe0d52fd80d662b2f8d
SHA256: cf0ab6f8beb2f23ee9b75633ed2faaf82f14fa3ed797d8407a6a841b6e94d227
SHA512: 2abbe29c8f7342779da0ada5ce245a76e6c2f3b601615407e8924f847327063b09455233727562bb4367500b73ebe22ff0a2ff3257dd23f07f38b20ad2242199
-
Filesize: 56KB
MD5: 79ecf11a4c0e2c95c2cb132dd124da9d
SHA1: 2d36fc5b1a614127b5699e257c9df7ebc9fd7f0a
SHA256: 8cffbaceb7c043551fef7b20ab7d5ce465c00e656980fc8bff19e1bc7f03b235
SHA512: 92bef0f9e1c521e05b37187c47f69a8fd9ea842c2c964613be798e528fc70eae15e18fcb5489176529c6ab546715a55b47f08dbeb141d998c8a8f993fee36c62
-
Filesize: 56KB
MD5: ba41580a52e592f902ce53d5bf4eaddc
SHA1: 463acff5a71dd7c580b7ae52091dc5ec3075fb0a
SHA256: 50577e8ae3331aa6d25cfb4a270291ee3503d88febca708d9de04b796ee694df
SHA512: 4697440accd08c20b9807471d6443f827f001ef4bbb733f2323d29cb4613bfc944f0798d5b3a2502931826898a3ff0255f0e62118445118e296bdb2e92b77086
-
Filesize: 56KB
MD5: 40b7f298d30296864906d4e175ff9f43
SHA1: 349b60915d0ce78aacc57231ae1e0df151e20087
SHA256: 2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4
SHA512: ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(no size shown; these four values are the digests of a 0-byte file)
-
Filesize: 11KB
MD5: fccff8cb7a1067e23fd2e2b63971a8e1
SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
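The Downloads list as extracted glues each label to its value (MD5d171…), most entries carry no path, and one carries no size at all. Before any of these digests go into a blocklist they need to be split out and sanity-checked; in particular, the entry whose four digests are d41d8cd9…, da39a3ee…, e3b0c442… and cf83e135… is a zero-byte file, which would match every empty file on every host. The script below is an added example, not code from the report: it parses the page's fused layout into IOC records, checks digest lengths, recognises the empty-file entry by recomputing the digests of b'' with hashlib, and returns the SHA256 values that are actually usable. The three embedded entries are copied verbatim from the list above; the remaining ones are omitted only for length.

```python
"""Turn the fused 'Downloads' hash list above into IOC records and flag the
ones that are not usable. Added example, not code from the report."""
import hashlib
import re

# Three entries copied verbatim from the list above (label glued to value,
# exactly as extracted); the remaining entries are omitted for length.
ENTRIES = r'''
-
Filesize
1KB
MD5d171c561e20fc9714f85da3c4331d0b6
SHA18f7e6cd4bda627a0a3d1a0e687c8b998db3b9438
SHA2563c829147b1f82f255e4032d2a22d5b83932bc7f74f3540137146530be0353aac
SHA512b52823ac0dba9dec6a243d1a3d68718c2a825dae4d6f4f312e92d87ecb87dbb066f259b317628fa588ad1abc4a59e095e5e302e53294bd8b34d414fadc8420c2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52b90448ce29f4e674788aeb7ad767303
SHA19b8f30a99850feb5d15a34adf623460628cc8468
SHA25638ac14ad85a09c9f1390823699b30156c4f3b5220566afd2ba971270cb2d5c3d
SHA5120187c6d45549d7cda4b76634a3e49bb1093d52aa6db97ad57c69049de908927f2af6afbc7dd492dd4f8f85a20dce62b4c90ce06ed342e1ebdba62155cfe76945
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
'''

DIGEST_LEN = {'md5': 32, 'sha1': 40, 'sha256': 64, 'sha512': 128}
# digests of zero bytes of input, recomputed rather than hard-coded
EMPTY = {a: getattr(hashlib, a)(b'').hexdigest() for a in DIGEST_LEN}
UNIT = {'B': 1, 'KB': 1024, 'MB': 1024 ** 2}


def parse_downloads(text):
    """One record per '-'-separated block; a label may or may not be glued to its value."""
    records = []
    for block in re.split(r'^-$', text, flags=re.M):
        if not block.strip():
            continue
        rec = {'path': None, 'size': None}
        m = re.search(r'^[A-Za-z]:\\[^\n]*', block, re.M)
        if m:
            rec['path'] = m.group(0).strip()
        m = re.search(r'Filesize\s*(\d+)\s*(B|KB|MB)\b', block)
        if m:   # the report shows rounded sizes, so this is approximate
            rec['size'] = int(m.group(1)) * UNIT[m.group(2)]
        for algo in DIGEST_LEN:
            m = re.search(algo.upper() + r'\s*([0-9a-fA-F]+)', block)
            rec[algo] = m.group(1).lower() if m else None
        records.append(rec)
    return records


def is_empty_file(rec):
    """True when every digest equals the digest of zero bytes."""
    return all(rec[a] == EMPTY[a] for a in DIGEST_LEN)


def issues(rec):
    """Human-readable reasons this record should not be loaded as-is."""
    out = []
    for algo, n in DIGEST_LEN.items():
        if rec[algo] is None:
            out.append(f'{algo} missing')
        elif len(rec[algo]) != n:
            out.append(f'{algo} is {len(rec[algo])} hex chars, expected {n}')
    if is_empty_file(rec):
        out.append('digests are those of an empty file, so this matches every 0-byte file')
    if rec['path'] is None:
        out.append('no on-disk path recorded')
    return out


def usable_iocs(records):
    """SHA256 values worth loading into a blocklist: complete, non-empty digests."""
    return [r['sha256'] for r in records if not is_empty_file(r)
            and all(len(r[a] or '') == n for a, n in DIGEST_LEN.items())]


if __name__ == '__main__':
    for rec in parse_downloads(ENTRIES):
        print(rec['sha256'], rec['path'] or '(no path)', issues(rec) or 'ok')
```

The length check matters more than it looks: a copy-paste from a page like this one routinely loses or doubles a character, and a 63-character "SHA256" never matches anything.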