Malware Analysis Report

2025-03-15 00:48

Sample ID 250218-psafbsznht
Target 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop
SHA256 b9d15b25c5b1e16e0264cc2f0569fd3be50b5ebdc2a240eb3d831b46f71629a8
Tags
makop defense_evasion discovery execution impact ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

b9d15b25c5b1e16e0264cc2f0569fd3be50b5ebdc2a240eb3d831b46f71629a8

Threat Level: Known bad

The file 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop was found to be: Known bad.

Malicious Activity Summary

makop defense_evasion discovery execution impact ransomware

Makop family

MAKOP ransomware payload

Deletes shadow copies

Renames multiple (3363) files with added filename extension

Renames multiple (2777) files with added filename extension

Deletes backup catalog

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Modifies data under HKEY_USERS

Checks processor information in registry

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-18 12:34

Signatures

MAKOP ransomware payload

Description Indicator Process Target
N/A N/A N/A N/A

Makop family

makop

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-18 12:34

Reported

2025-02-18 12:37

Platform

win7-20241010-en

Max time kernel

65s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (2777) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.com N/A N/A

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2896 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2896 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.com udp
US 172.67.188.178:443 iplogger.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp

Files

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt

MD5 abb71b9a5c4d0f824c7be7b0bdd0b026
SHA1 97faeaab7c0415b1962f2076b3398fd38901a9f9
SHA256 84503976c6a8bb2266c72a0e155dde24f6bd2c40a55e8d27b4e2eaa938d88acf
SHA512 7219f34c609362463ac1b402ddd6e7501b6624d525306eeaa50edc53664f7eec12dc9b7469a620da10464362d06a0867f8624f80f46ddde1ef8b54ba9200788b

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-18 12:34

Reported

2025-02-18 12:37

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (3363) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Drops file in Program Files directory

File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\EDGE.INF C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\onenote.x-none.msi.16.x-none.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\ControlStyles.xbf C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-20.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-48_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies data under HKEY_USERS


Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\+README-WARNING+.txt

MD5 a73e09e9f84f9e3318bb5bde69411f6c
SHA1 6ec2338d54c20e2e29df91c2c804e02c8afdf791
SHA256 6bc05a01f47fe0d9ef0631cac43761230b25f80f3861d8f9e7bb6d376ec10789
SHA512 18cefcac5ceee08c2c6fa9d0f50999ae99f0ca4ec38fd78a7c86cefbce4f119418686df53a4846d23c222918bdabd8e2e1bec7fd23980bfd9ea09706752e6ac4