makop | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

max time kernel
1798s
max time network
1565s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Size

114KB
MD5

b33e8ce6a7035bee5c5472d5b870b68a
SHA1

783d08fe374f287a4e0412ed8b7f5446c6e65687
SHA256

2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f
SHA512

78c36e1f8ba968d55e8b469fba9623bd20f9d7216b4f5983388c32be564484caab228935f96fd8bff82bc8bb8732f7beb9ccede50385b6b6ba7e23b5cc60679f
SSDEEP

3072:Rf1BDZ0kVB67Duw9AMcUTeQnbZ7pgHzL8O1oc8rEUvZfqv8dOWVIc:R9X0GGZpYzL8VcFUvZyUdb

Score

10^/10

makop defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (8801) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

396 wbadmin.exe

pid	process
396	wbadmin.exe

Loads dropped DLL 55 IoCs

Processes:

MAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exe

pid	process
2080	MAKOP_27_10_2020_115KB.exe
1800	MAKOP_27_10_2020_115KB.exe
2756	MAKOP_27_10_2020_115KB.exe
1968	MAKOP_27_10_2020_115KB.exe
1772	MAKOP_27_10_2020_115KB.exe
1704	MAKOP_27_10_2020_115KB.exe
2700	MAKOP_27_10_2020_115KB.exe
1736	MAKOP_27_10_2020_115KB.exe
1296	MAKOP_27_10_2020_115KB.exe
2768	MAKOP_27_10_2020_115KB.exe
1392	MAKOP_27_10_2020_115KB.exe
3028	MAKOP_27_10_2020_115KB.exe
1504	MAKOP_27_10_2020_115KB.exe
1732	MAKOP_27_10_2020_115KB.exe
2324	MAKOP_27_10_2020_115KB.exe
1744	MAKOP_27_10_2020_115KB.exe
1860	MAKOP_27_10_2020_115KB.exe
3040	MAKOP_27_10_2020_115KB.exe
1196	MAKOP_27_10_2020_115KB.exe
1680	MAKOP_27_10_2020_115KB.exe
1840	MAKOP_27_10_2020_115KB.exe
2040	MAKOP_27_10_2020_115KB.exe
1104	MAKOP_27_10_2020_115KB.exe
3064	MAKOP_27_10_2020_115KB.exe
1052	MAKOP_27_10_2020_115KB.exe
2604	MAKOP_27_10_2020_115KB.exe
2720	MAKOP_27_10_2020_115KB.exe
2980	MAKOP_27_10_2020_115KB.exe
236	MAKOP_27_10_2020_115KB.exe
1476	MAKOP_27_10_2020_115KB.exe
876	MAKOP_27_10_2020_115KB.exe
2256	MAKOP_27_10_2020_115KB.exe
888	MAKOP_27_10_2020_115KB.exe
1136	MAKOP_27_10_2020_115KB.exe
2088	MAKOP_27_10_2020_115KB.exe
912	MAKOP_27_10_2020_115KB.exe
2576	MAKOP_27_10_2020_115KB.exe
280	MAKOP_27_10_2020_115KB.exe
588	MAKOP_27_10_2020_115KB.exe
536	MAKOP_27_10_2020_115KB.exe
2508	MAKOP_27_10_2020_115KB.exe
1676	MAKOP_27_10_2020_115KB.exe
224	MAKOP_27_10_2020_115KB.exe
948	MAKOP_27_10_2020_115KB.exe
216	MAKOP_27_10_2020_115KB.exe
1644	MAKOP_27_10_2020_115KB.exe
1352	MAKOP_27_10_2020_115KB.exe
1812	MAKOP_27_10_2020_115KB.exe
1280	MAKOP_27_10_2020_115KB.exe
2876	MAKOP_27_10_2020_115KB.exe
808	MAKOP_27_10_2020_115KB.exe
2296	MAKOP_27_10_2020_115KB.exe
1548	MAKOP_27_10_2020_115KB.exe
2676	MAKOP_27_10_2020_115KB.exe
2124	MAKOP_27_10_2020_115KB.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MAKOP_27_10_2020_115KB.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\MAKOP_27_10_2020_115KB.exe\""	MAKOP_27_10_2020_115KB.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

MAKOP_27_10_2020_115KB.exe

description ioc process

File opened (read-only) \??\F: MAKOP_27_10_2020_115KB.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 iplogger.org
5 iplogger.org

description	ioc	process
File opened (read-only)	\??\F:	MAKOP_27_10_2020_115KB.exe

flow	ioc
4	iplogger.org
5	iplogger.org

Suspicious use of SetThreadContext 54 IoCs

Processes:

description	pid	process	target process
PID 2080 set thread context of 2812	2080	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1800 set thread context of 2524	1800	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2756 set thread context of 1260	2756	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1968 set thread context of 1004	1968	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1772 set thread context of 2032	1772	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1704 set thread context of 528	1704	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2700 set thread context of 1364	2700	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1736 set thread context of 2848	1736	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1296 set thread context of 3060	1296	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2768 set thread context of 2076	2768	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1392 set thread context of 2224	1392	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 3028 set thread context of 2988	3028	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1504 set thread context of 1808	1504	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1732 set thread context of 2616	1732	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2324 set thread context of 1960	2324	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1744 set thread context of 2200	1744	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1860 set thread context of 2188	1860	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 3040 set thread context of 2532	3040	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1196 set thread context of 2368	1196	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1680 set thread context of 980	1680	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1840 set thread context of 2388	1840	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2040 set thread context of 2152	2040	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1104 set thread context of 2724	1104	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 3064 set thread context of 1496	3064	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1052 set thread context of 1632	1052	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2604 set thread context of 2488	2604	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2720 set thread context of 1628	2720	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2980 set thread context of 2120	2980	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 236 set thread context of 2672	236	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1476 set thread context of 1616	1476	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 876 set thread context of 1620	876	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2256 set thread context of 2792	2256	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 888 set thread context of 2164	888	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1136 set thread context of 1688	1136	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2088 set thread context of 2364	2088	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 912 set thread context of 1696	912	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2576 set thread context of 2744	2576	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 280 set thread context of 388	280	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 588 set thread context of 1592	588	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 536 set thread context of 2212	536	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2508 set thread context of 2564	2508	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1676 set thread context of 1768	1676	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 224 set thread context of 2068	224	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 948 set thread context of 1152	948	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 216 set thread context of 2552	216	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1644 set thread context of 900	1644	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1352 set thread context of 396	1352	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1812 set thread context of 2284	1812	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1280 set thread context of 756	1280	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2876 set thread context of 2640	2876	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 808 set thread context of 2880	808	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2296 set thread context of 2132	2296	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1548 set thread context of 2412	1548	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2676 set thread context of 1964	2676	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe

Drops file in Program Files directory 64 IoCs

Processes:

MAKOP_27_10_2020_115KB.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0286034.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Windows Sidebar\settings.ini	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msaddsr.dll.mui	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03236_.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar	MAKOP_27_10_2020_115KB.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\readme-warning.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01462_.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105294.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02845G.GIF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg	MAKOP_27_10_2020_115KB.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\readme-warning.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\THMBNAIL.PNG	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15022_.GIF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTS.ICO	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALSO11.POC	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ACT3R.SAM	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv	MAKOP_27_10_2020_115KB.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\readme-warning.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\BLENDS.INF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199475.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293234.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right.gif	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\DVD Maker\sonicsptransform.ax	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Davis	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer.[76AC78C0].[[email protected]].makop	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL020.XML	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sitka	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVHM.POC	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_COL.HXC	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232795.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00798_.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300912.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSO.ACL	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\VelvetRose.css	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Hermosillo	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Beirut	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\drag.png	MAKOP_27_10_2020_115KB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

3036 vssadmin.exe

pid	process
3036	vssadmin.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

MAKOP_27_10_2020_115KB.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	MAKOP_27_10_2020_115KB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	MAKOP_27_10_2020_115KB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	MAKOP_27_10_2020_115KB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	MAKOP_27_10_2020_115KB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	MAKOP_27_10_2020_115KB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	MAKOP_27_10_2020_115KB.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MAKOP_27_10_2020_115KB.exe

pid process

2812 MAKOP_27_10_2020_115KB.exe

pid	process
2812	MAKOP_27_10_2020_115KB.exe

Suspicious behavior: MapViewOfSection 54 IoCs

Processes:

pid	process
2080	MAKOP_27_10_2020_115KB.exe
1800	MAKOP_27_10_2020_115KB.exe
2756	MAKOP_27_10_2020_115KB.exe
1968	MAKOP_27_10_2020_115KB.exe
1772	MAKOP_27_10_2020_115KB.exe
1704	MAKOP_27_10_2020_115KB.exe
2700	MAKOP_27_10_2020_115KB.exe
1736	MAKOP_27_10_2020_115KB.exe
1296	MAKOP_27_10_2020_115KB.exe
2768	MAKOP_27_10_2020_115KB.exe
1392	MAKOP_27_10_2020_115KB.exe
3028	MAKOP_27_10_2020_115KB.exe
1504	MAKOP_27_10_2020_115KB.exe
1732	MAKOP_27_10_2020_115KB.exe
2324	MAKOP_27_10_2020_115KB.exe
1744	MAKOP_27_10_2020_115KB.exe
1860	MAKOP_27_10_2020_115KB.exe
3040	MAKOP_27_10_2020_115KB.exe
1196	MAKOP_27_10_2020_115KB.exe
1680	MAKOP_27_10_2020_115KB.exe
1840	MAKOP_27_10_2020_115KB.exe
2040	MAKOP_27_10_2020_115KB.exe
1104	MAKOP_27_10_2020_115KB.exe
3064	MAKOP_27_10_2020_115KB.exe
1052	MAKOP_27_10_2020_115KB.exe
2604	MAKOP_27_10_2020_115KB.exe
2720	MAKOP_27_10_2020_115KB.exe
2980	MAKOP_27_10_2020_115KB.exe
236	MAKOP_27_10_2020_115KB.exe
1476	MAKOP_27_10_2020_115KB.exe
876	MAKOP_27_10_2020_115KB.exe
2256	MAKOP_27_10_2020_115KB.exe
888	MAKOP_27_10_2020_115KB.exe
1136	MAKOP_27_10_2020_115KB.exe
2088	MAKOP_27_10_2020_115KB.exe
912	MAKOP_27_10_2020_115KB.exe
2576	MAKOP_27_10_2020_115KB.exe
280	MAKOP_27_10_2020_115KB.exe
588	MAKOP_27_10_2020_115KB.exe
536	MAKOP_27_10_2020_115KB.exe
2508	MAKOP_27_10_2020_115KB.exe
1676	MAKOP_27_10_2020_115KB.exe
224	MAKOP_27_10_2020_115KB.exe
948	MAKOP_27_10_2020_115KB.exe
216	MAKOP_27_10_2020_115KB.exe
1644	MAKOP_27_10_2020_115KB.exe
1352	MAKOP_27_10_2020_115KB.exe
1812	MAKOP_27_10_2020_115KB.exe
1280	MAKOP_27_10_2020_115KB.exe
2876	MAKOP_27_10_2020_115KB.exe
808	MAKOP_27_10_2020_115KB.exe
2296	MAKOP_27_10_2020_115KB.exe
1548	MAKOP_27_10_2020_115KB.exe
2676	MAKOP_27_10_2020_115KB.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

vssvc.exewbengine.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	2704	vssvc.exe
Token: SeRestorePrivilege	2704	vssvc.exe
Token: SeAuditPrivilege	2704	vssvc.exe
Token: SeBackupPrivilege	1548	wbengine.exe
Token: SeRestorePrivilege	1548	wbengine.exe
Token: SeSecurityPrivilege	1548	wbengine.exe
Token: SeIncreaseQuotaPrivilege	2916	WMIC.exe
Token: SeSecurityPrivilege	2916	WMIC.exe
Token: SeTakeOwnershipPrivilege	2916	WMIC.exe
Token: SeLoadDriverPrivilege	2916	WMIC.exe
Token: SeSystemProfilePrivilege	2916	WMIC.exe
Token: SeSystemtimePrivilege	2916	WMIC.exe
Token: SeProfSingleProcessPrivilege	2916	WMIC.exe
Token: SeIncBasePriorityPrivilege	2916	WMIC.exe
Token: SeCreatePagefilePrivilege	2916	WMIC.exe
Token: SeBackupPrivilege	2916	WMIC.exe
Token: SeRestorePrivilege	2916	WMIC.exe
Token: SeShutdownPrivilege	2916	WMIC.exe
Token: SeDebugPrivilege	2916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2916	WMIC.exe
Token: SeRemoteShutdownPrivilege	2916	WMIC.exe
Token: SeUndockPrivilege	2916	WMIC.exe
Token: SeManageVolumePrivilege	2916	WMIC.exe
Token: 33	2916	WMIC.exe
Token: 34	2916	WMIC.exe
Token: 35	2916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2916	WMIC.exe
Token: SeSecurityPrivilege	2916	WMIC.exe
Token: SeTakeOwnershipPrivilege	2916	WMIC.exe
Token: SeLoadDriverPrivilege	2916	WMIC.exe
Token: SeSystemProfilePrivilege	2916	WMIC.exe
Token: SeSystemtimePrivilege	2916	WMIC.exe
Token: SeProfSingleProcessPrivilege	2916	WMIC.exe
Token: SeIncBasePriorityPrivilege	2916	WMIC.exe
Token: SeCreatePagefilePrivilege	2916	WMIC.exe
Token: SeBackupPrivilege	2916	WMIC.exe
Token: SeRestorePrivilege	2916	WMIC.exe
Token: SeShutdownPrivilege	2916	WMIC.exe
Token: SeDebugPrivilege	2916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2916	WMIC.exe
Token: SeRemoteShutdownPrivilege	2916	WMIC.exe
Token: SeUndockPrivilege	2916	WMIC.exe
Token: SeManageVolumePrivilege	2916	WMIC.exe
Token: 33	2916	WMIC.exe
Token: 34	2916	WMIC.exe
Token: 35	2916	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.execmd.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exe

description	pid	process	target process
PID 2080 wrote to memory of 2812	2080	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2080 wrote to memory of 2812	2080	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2080 wrote to memory of 2812	2080	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2080 wrote to memory of 2812	2080	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2080 wrote to memory of 2812	2080	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2812 wrote to memory of 2656	2812	MAKOP_27_10_2020_115KB.exe	cmd.exe
PID 2812 wrote to memory of 2656	2812	MAKOP_27_10_2020_115KB.exe	cmd.exe
PID 2812 wrote to memory of 2656	2812	MAKOP_27_10_2020_115KB.exe	cmd.exe
PID 2812 wrote to memory of 2656	2812	MAKOP_27_10_2020_115KB.exe	cmd.exe
PID 2656 wrote to memory of 3036	2656	cmd.exe	vssadmin.exe
PID 2656 wrote to memory of 3036	2656	cmd.exe	vssadmin.exe
PID 2656 wrote to memory of 3036	2656	cmd.exe	vssadmin.exe
PID 2656 wrote to memory of 396	2656	cmd.exe	wbadmin.exe
PID 2656 wrote to memory of 396	2656	cmd.exe	wbadmin.exe
PID 2656 wrote to memory of 396	2656	cmd.exe	wbadmin.exe
PID 2656 wrote to memory of 2916	2656	cmd.exe	WMIC.exe
PID 2656 wrote to memory of 2916	2656	cmd.exe	WMIC.exe
PID 2656 wrote to memory of 2916	2656	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 2524	1800	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1800 wrote to memory of 2524	1800	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1800 wrote to memory of 2524	1800	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1800 wrote to memory of 2524	1800	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1800 wrote to memory of 2524	1800	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260	2756	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260	2756	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260	2756	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260	2756	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260	2756	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004	1968	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004	1968	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004	1968	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004	1968	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004	1968	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032	1772	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032	1772	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032	1772	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032	1772	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032	1772	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528	1704	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528	1704	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528	1704	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528	1704	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528	1704	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364	2700	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364	2700	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364	2700	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364	2700	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364	2700	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848	1736	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848	1736	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848	1736	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848	1736	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848	1736	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060	1296	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060	1296	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060	1296	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060	1296	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060	1296	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076	2768	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076	2768	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076	2768	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076	2768	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076	2768	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1392 wrote to memory of 2224	1392	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"
2⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2524

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:3036

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:396

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3028

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1504

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1732

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2324

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1744

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1860

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3040

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1196

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1680

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1840

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2040

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1104

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3064

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1052

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2604

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2720

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2980

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:236

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1476

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:876

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2256

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:888

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1136

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2088

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:912

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2576

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:280

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:588

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:536

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2508

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1676

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:224

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:948

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:216

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1644

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1352

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1280

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2876

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:808

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2296

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1548

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2676

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
4⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
3⤵
- Loads dropped DLL
PID:2124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt

Filesize
1KB

MD5
d171c561e20fc9714f85da3c4331d0b6

SHA1
8f7e6cd4bda627a0a3d1a0e687c8b998db3b9438

SHA256
3c829147b1f82f255e4032d2a22d5b83932bc7f74f3540137146530be0353aac

SHA512
b52823ac0dba9dec6a243d1a3d68718c2a825dae4d6f4f312e92d87ecb87dbb066f259b317628fa588ad1abc4a59e095e5e302e53294bd8b34d414fadc8420c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b90448ce29f4e674788aeb7ad767303

SHA1
9b8f30a99850feb5d15a34adf623460628cc8468

SHA256
38ac14ad85a09c9f1390823699b30156c4f3b5220566afd2ba971270cb2d5c3d

SHA512
0187c6d45549d7cda4b76634a3e49bb1093d52aa6db97ad57c69049de908927f2af6afbc7dd492dd4f8f85a20dce62b4c90ce06ed342e1ebdba62155cfe76945

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8317.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar83F4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
df63728d68a4ac8b176671b22e5b3b76

SHA1
839728f505861e48749e9ee81210cca4125d3537

SHA256
bd1aa34af510bdbe455df7e883e3ab3d2a220a703fffe872e13d2167519f311e

SHA512
6e6878f30d7dfa2aae6eb6a874852df9c440c9a3257d4dba97176706c4b68cfceec1dc3eabf8d02329b2fbca7a4f7995ebd944f1926e19b689bf5d3ff850fb50

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
8e7e18c8210e7d646ba907dc2cfa4a6b

SHA1
4255763de5f28bf6fd0d8fedecdcfd2404640c2d

SHA256
8ffe6a6cebda792b30d97a1a63c83022eb68e40cbe707e6d17dd02dce7af63a1

SHA512
a8f977c603ea40b17afbad99f734e3bf3a0b51d0c2e4680508d3b23c555794c8b7031a4c8df39b65ba9f29ee84f154c37475b0b30bc70bc897871d15043ec996

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
4a3b09bfb912f280a4aa4b8dc4b58862

SHA1
bd37c1b38e009f035e16ca6f4c73d730508f8e5e

SHA256
f640cf30c960268b2b2e27ee202a5d7474b5da127b3c9374724166858c24a8a7

SHA512
76ad7cf9f6f14d7d51e22b231e60fd6f42f3683ec921d19ff886e8e54ba7518ebdc88942b0d546200983949c56d8dc9067833f84803737e66d56891a4e2efeb2

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
9b0399133aed66f49a14ff6a227f88d4

SHA1
ab030c6437390e573b9dc2e7a60a8db193264422

SHA256
8dae63d671d34974468b6d9f39b75ad69fc20fb513606f93f82ddcd4b61a3f3c

SHA512
176f1d0358fe911bb1a23e33e66cd5021453a91f5a33b399930c2338ba46e3719326aefbdaab4ba198408c6a4aa889d4b6809d115b37309fc4271b922666a546

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
c5da74a39363bc6170af60df8b32c49f

SHA1
2c129125a373564ce77d4ac4475c8a887566ae8c

SHA256
544e5401fc63101ff7383fb4b696ab1d5b4a55071c7ea463237633c574621384

SHA512
76e26c133adc776df9063c0c852fd3b57d98aa97f764dff880440594ba1d32318e3ebe3989b927eb78b0564674d86f313836ae1e47c459a9a881d26789760bb7

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
fe292e7917d830e18d27a3998fca1ec3

SHA1
bac8235e38cb0568b13f26d945bee18257b38a46

SHA256
62cd2f8be0163a0cf04bfd27b24b23149574d8c1226389dfa1bff638f8394651

SHA512
148e60e57982d79695fe3cb8361a3580e321b8872bd2f232262a0aa46aa28d1bf51be3cf32bcc5c80a2093b6f2a7cf68f80e5705b46bb2eb71d0212844e2d82b

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
0f33a9748ef0bb30d30b783bdc83a99c

SHA1
1a7fbc4b6e0cde24f7ee58eb45627c1641c989fa

SHA256
aa93019b5bcc01adf7726d6f15aee83ea62cbc14f327e59f02a9a2342eb58e30

SHA512
0f17a23dbf1251ec90291d54e4c8bacbd231c4809368fa0aa7d733c523174de43ad319eb098a7120ae9b60400894cf83b7eecb401744c36ec0e1fd5e4d6f2ca1

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
a524ebe0dfab9ea297286050d66ba1ed

SHA1
665c7d801635dd431f3d97f08baf14b9daf8a6e1

SHA256
4a095728d509404987228dc20d6e23db732f4a0ec6c66b0cf89699926b5ed3f6

SHA512
a924e8ba45d96c7193c9a61b2f1753bbaa48beeeb1a9058974534bb1fb58aa213841c6c729b414016d0c00fa7b1eca08da862a9fd045e3e5455aba826ba5c1c4

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
2d17f934f25fa2afe05b03468cb39468

SHA1
7e1de8cb0b326438aa7a7e3dc2168579615dcd8d

SHA256
1c07aeddbabbf1775679040612da2e23ece91fc59f04b54bbf8a3c13c4baf8b3

SHA512
b79fc2195d752e62b1afd6bbccf745facd9f47442a7a843d55892189770914fc201fc75ed12c36cb2e53323396543ac68a405a0bdac973c21b5cee3a8d956bca

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
32e8ec4346f13ce0568de7bf7fefb6fe

SHA1
ad04279bd0147432c997ebe0d52fd80d662b2f8d

SHA256
cf0ab6f8beb2f23ee9b75633ed2faaf82f14fa3ed797d8407a6a841b6e94d227

SHA512
2abbe29c8f7342779da0ada5ce245a76e6c2f3b601615407e8924f847327063b09455233727562bb4367500b73ebe22ff0a2ff3257dd23f07f38b20ad2242199

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
79ecf11a4c0e2c95c2cb132dd124da9d

SHA1
2d36fc5b1a614127b5699e257c9df7ebc9fd7f0a

SHA256
8cffbaceb7c043551fef7b20ab7d5ce465c00e656980fc8bff19e1bc7f03b235

SHA512
92bef0f9e1c521e05b37187c47f69a8fd9ea842c2c964613be798e528fc70eae15e18fcb5489176529c6ab546715a55b47f08dbeb141d998c8a8f993fee36c62

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
ba41580a52e592f902ce53d5bf4eaddc

SHA1
463acff5a71dd7c580b7ae52091dc5ec3075fb0a

SHA256
50577e8ae3331aa6d25cfb4a270291ee3503d88febca708d9de04b796ee694df

SHA512
4697440accd08c20b9807471d6443f827f001ef4bbb733f2323d29cb4613bfc944f0798d5b3a2502931826898a3ff0255f0e62118445118e296bdb2e92b77086

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
40b7f298d30296864906d4e175ff9f43

SHA1
349b60915d0ce78aacc57231ae1e0df151e20087

SHA256
2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4

SHA512
ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nso8B5F.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/1260-18905-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-18907-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-18906-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2524-6795-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2524-6796-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2524-6141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2812-2181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2812-18827-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2812-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2812-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2812-9-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2812-10-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2812-7-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download