Analysis Overview
SHA256
b9d15b25c5b1e16e0264cc2f0569fd3be50b5ebdc2a240eb3d831b46f71629a8
Threat Level: Known bad
The file 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop was found to be: Known bad.
Malicious Activity Summary
Makop family
MAKOP ransomware payload
Deletes shadow copies
Renames multiple (3363) files with added filename extension
Renames multiple (2777) files with added filename extension
Deletes backup catalog
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Modifies data under HKEY_USERS
Checks processor information in registry
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-18 12:34
Signatures
MAKOP ransomware payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Makop family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-18 12:34
Reported
2025-02-18 12:37
Platform
win7-20241010-en
Max time kernel
65s
Max time network
155s
Command Line
Signatures
Deletes shadow copies
Renames multiple (2777) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | iplogger.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\security\java.policy | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-docked.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Indian\Mauritius | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Louisville | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\America\Argentina\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msadomd28.tlb | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3 | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Hermosillo | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Chess\it-IT\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\handler.reg | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\gadget.xml | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiItalic.ttf | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\Welcome.html | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\offset.ax | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\images\bing.ico | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Resolute | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\Microsoft Games\FreeCell\es-ES\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\adcjavas.inc | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 172.67.188.178:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
Files
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt
| Hash | Value |
| --- | --- |
| MD5 | abb71b9a5c4d0f824c7be7b0bdd0b026 |
| SHA1 | 97faeaab7c0415b1962f2076b3398fd38901a9f9 |
| SHA256 | 84503976c6a8bb2266c72a0e155dde24f6bd2c40a55e8d27b4e2eaa938d88acf |
| SHA512 | 7219f34c609362463ac1b402ddd6e7501b6624d525306eeaa50edc53664f7eec12dc9b7469a620da10464362d06a0867f8624f80f46ddde1ef8b54ba9200788b |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-18 12:34
Reported
2025-02-18 12:37
Platform
win10v2004-20250217-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
Deletes shadow copies
Renames multiple (3363) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\modules\common.luac | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\LargeTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\175.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.Upgrade.winmd | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-24_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Call_Reconnected.m4a | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.scale-150.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-150_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BKANT.TTF | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-48_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TinyTile.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-CA\View3d\3DViewerProductDescription-universal.xml | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreWideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\no_camera_dialog_image01.jpg | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\EDGE.INF | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\rsod\onenote.x-none.msi.16.x-none.boot.tree.dat | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-32_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\ControlStyles.xbf | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-20.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-48_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\Expires = "int64_t|1739925309" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 18 Feb 2025 12:36:11 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ETag = "std::wstring|\"5OZ1iRqrhjcR/deNMNTi7aQT4uVIFKUCMlJkZVgs6VU=\"" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={1C02EF6E-D517-42E5-B941-AAC38BBE66CE}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1739882170" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1288 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | C:\Windows\system32\cmd.exe |
| PID 1288 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | C:\Windows\system32\cmd.exe |
| PID 4420 wrote to memory of 1988 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 4420 wrote to memory of 1988 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 4420 wrote to memory of 4924 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbadmin.exe |
| PID 4420 wrote to memory of 4924 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbadmin.exe |
| PID 4420 wrote to memory of 8 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe |
| PID 4420 wrote to memory of 8 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe |
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | "C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\system32\vssadmin.exe | vssadmin delete shadows /all /quiet |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\wbadmin.exe | wbadmin delete catalog -quiet |
| C:\Windows\system32\wbengine.exe | "C:\Windows\system32\wbengine.exe" |
| C:\Windows\System32\vdsldr.exe | C:\Windows\System32\vdsldr.exe -Embedding |
| C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe |
| C:\Windows\System32\Wbem\WMIC.exe | wmic shadowcopy delete |
| C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Program Files\Common Files\microsoft shared\ClickToRun\+README-WARNING+.txt
| MD5 | a73e09e9f84f9e3318bb5bde69411f6c |
| SHA1 | 6ec2338d54c20e2e29df91c2c804e02c8afdf791 |
| SHA256 | 6bc05a01f47fe0d9ef0631cac43761230b25f80f3861d8f9e7bb6d376ec10789 |
| SHA512 | 18cefcac5ceee08c2c6fa9d0f50999ae99f0ca4ec38fd78a7c86cefbce4f119418686df53a4846d23c222918bdabd8e2e1bec7fd23980bfd9ea09706752e6ac4 |