makop | cb4957ca31c15745b25aaf474f66582daf99a9060a54f31aa5557317ea010684

Analysis

max time kernel
130s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/01/2025, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Size

41KB
MD5

2ef05873f585d356665f0ea0fd8678ff
SHA1

0be8c14efaf9752d48f8bf34ca5d75a40284967b
SHA256

cb4957ca31c15745b25aaf474f66582daf99a9060a54f31aa5557317ea010684
SHA512

785bbb3090af3f82aa0ff501f761f66e3904ffd6707da39667ce87e0478aa5adcd8c8060e0472e460322a55a037850418beeccd0145b1ec9a04b8bc8cd14c908
SSDEEP

768:5xyl5HeOrgHICm1+Gu5NjY2eX7exwr2QB/9QSNTsryu+BFrForD8tMEWV+:585H7wLm14NtSmQeriBc8twV+

Score

10^/10

makop credential_access discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "CARLOS" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Makop family
makop
Renames multiple (8539) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QMPQWRBT\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Public\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AQYH36ZT\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BY17T927\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T1DP8V76\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MT4W94IX\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\39RANI6K\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 20 IoCs

Web Service

T1102

flow	ioc
23	iplogger.org
10	iplogger.org
11	iplogger.org
13	iplogger.org
14	iplogger.org
18	iplogger.org
21	iplogger.org
25	iplogger.org
5	iplogger.org
8	iplogger.org
12	iplogger.org
15	iplogger.org
17	iplogger.org
4	iplogger.org
9	iplogger.org
20	iplogger.org
22	iplogger.org
24	iplogger.org
16	iplogger.org
19	iplogger.org

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02845G.GIF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02067_.WMF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0332268.WMF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_sv.properties	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ERROR.GIF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\init.js	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00008_.WMF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18193_.WMF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\settings.js	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\RSSFeeds.html	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00186_.WMF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02127_.WMF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297725.WMF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15301_.GIF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR30F.GIF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Pontianak	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01293_.GIF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE.XML	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cuiaba	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\de-DE\wordpad.exe.mui	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\MANIFEST.MF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_COL.HXT	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-core.jar	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\wmplayer.exe.mui	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\BASMLA.XSL	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Pushpin.thmx	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLNOTER.FAE	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\flyout.css	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous_partly-cloudy.png	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Seoul	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\shvlzm.exe.mui	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDCNCLL.ICO	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jre7\lib\javaws.jar	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif.[D0998456].[[email protected]].CARLOS	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00453_.WMF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0298897.WMF	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2172	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	31
PID 2520 wrote to memory of 2172	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	31
PID 2520 wrote to memory of 2172	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	31
PID 2520 wrote to memory of 2172	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	31
PID 2520 wrote to memory of 2692	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	35
PID 2520 wrote to memory of 2692	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	35
PID 2520 wrote to memory of 2692	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	35
PID 2520 wrote to memory of 2692	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	35
PID 2520 wrote to memory of 1236	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	38
PID 2520 wrote to memory of 1236	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	38
PID 2520 wrote to memory of 1236	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	38
PID 2520 wrote to memory of 1236	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	38
PID 2520 wrote to memory of 2728	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	40
PID 2520 wrote to memory of 2728	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	40
PID 2520 wrote to memory of 2728	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	40
PID 2520 wrote to memory of 2728	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	40
PID 2520 wrote to memory of 2644	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	42
PID 2520 wrote to memory of 2644	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	42
PID 2520 wrote to memory of 2644	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	42
PID 2520 wrote to memory of 2644	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	42
PID 2520 wrote to memory of 1660	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	44
PID 2520 wrote to memory of 1660	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	44
PID 2520 wrote to memory of 1660	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	44
PID 2520 wrote to memory of 1660	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	44
PID 2520 wrote to memory of 1908	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	46
PID 2520 wrote to memory of 1908	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	46
PID 2520 wrote to memory of 1908	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	46
PID 2520 wrote to memory of 1908	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	46
PID 2520 wrote to memory of 1672	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	48
PID 2520 wrote to memory of 1672	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	48
PID 2520 wrote to memory of 1672	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	48
PID 2520 wrote to memory of 1672	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	48
PID 2520 wrote to memory of 2888	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	50
PID 2520 wrote to memory of 2888	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	50
PID 2520 wrote to memory of 2888	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	50
PID 2520 wrote to memory of 2888	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	50
PID 2520 wrote to memory of 2540	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	52
PID 2520 wrote to memory of 2540	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	52
PID 2520 wrote to memory of 2540	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	52
PID 2520 wrote to memory of 2540	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	52
PID 2520 wrote to memory of 2448	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	54
PID 2520 wrote to memory of 2448	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	54
PID 2520 wrote to memory of 2448	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	54
PID 2520 wrote to memory of 2448	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	54
PID 2520 wrote to memory of 1964	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	56
PID 2520 wrote to memory of 1964	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	56
PID 2520 wrote to memory of 1964	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	56
PID 2520 wrote to memory of 1964	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	56
PID 2520 wrote to memory of 2812	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	58
PID 2520 wrote to memory of 2812	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	58
PID 2520 wrote to memory of 2812	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	58
PID 2520 wrote to memory of 2812	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	58
PID 2520 wrote to memory of 1960	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	60
PID 2520 wrote to memory of 1960	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	60
PID 2520 wrote to memory of 1960	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	60
PID 2520 wrote to memory of 1960	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	60
PID 2520 wrote to memory of 2236	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	62
PID 2520 wrote to memory of 2236	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	62
PID 2520 wrote to memory of 2236	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	62
PID 2520 wrote to memory of 2236	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	62
PID 2520 wrote to memory of 1272	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	64
PID 2520 wrote to memory of 1272	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	64
PID 2520 wrote to memory of 1272	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	64
PID 2520 wrote to memory of 1272	2520	2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe	64

C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2228
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:2172
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:628
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1236
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1784
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1660
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:320
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1908
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2916
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:448
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1472
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2476
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1856
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2628
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1960
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1336
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1940
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1272
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1576
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:656
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n2520
  2⤵
  - System Location Discovery: System Language Discovery
  PID:968
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini

Filesize
356B

MD5
00844ad37ae6dabd413478e001d499a8

SHA1
56ba0ea738b99efe565723e0f1ad80a20d35d7b6

SHA256
af97bd3a056ddd80e87dc3d523b82a40bd32eae7803c0d142c0e05bdb115fd54

SHA512
5e7981dbccd1e57d0ecd2c2e5ac0202d54fed61ee4cf85743d3f1b7b883bf2e4810128bf2a679a6d41ff59f598e5c0369457c6d589461929278fd9b72a368d38

Download Submit
C:\Users\Admin\Desktop\readme-warning.txt

Filesize
1KB

MD5
5b847e2c729d9b78c10c5a05a7f00e4d

SHA1
753c40fe7f8f18159eb9702660773502e7eb564a

SHA256
1647ba80119c23da45a2b01d70c8564a062122b9273f94f130379a4bead68435

SHA512
e450eff2150d7cec896a46391d51477c57f8cc22b41a66587d56b6d8b3642ea61cc52f85455521a2d8ced28ef284f20caca129eb01da73cf9bb29d902a9f3de0

Download Submit