Analysis Overview
SHA256
b9d15b25c5b1e16e0264cc2f0569fd3be50b5ebdc2a240eb3d831b46f71629a8
Threat Level: Known bad
The file 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop was found to be: Known bad.
Malicious Activity Summary
MAKOP ransomware payload
Makop family
Renames multiple (3380) files with added filename extension
Deletes shadow copies
Renames multiple (2793) files with added filename extension
Deletes backup catalog
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-18 12:45
Signatures
MAKOP ransomware payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Makop family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-18 12:45
Reported
2025-02-18 12:48
Platform
win7-20241010-en
Max time kernel
92s
Max time network
19s
Command Line
Signatures
Deletes shadow copies
Renames multiple (2793) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\RegisterConnect.vdw | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\Templates\Genko_2.jtp | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\Microsoft Games\FreeCell\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_Loading.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\chkrzm.exe.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1 | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\CET | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa.[8EA81148].[[email protected]].scp | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Managua | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\es-ES\wmpnssci.dll.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Berlin | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Miquelon | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\GRAY.pf | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\plugins.dat | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msado25.tlb | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11 | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\en-US\Mahjong.exe.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fiji | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Anchorage | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ja-JP\wmplayer.exe.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
Network
Files
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt
| MD5 | 936a0e66a5ca9da192e197c372dacaeb |
| SHA1 | 6a1125710d40915d7beb8aca11bab150b405885a |
| SHA256 | 87bf8fb30411583e61de48b65a9017cf323d30b97f0a1edb4d8450794dc2de5f |
| SHA512 | d775104663bfd0c971bd04a007d69023c90f3053151744d690ea7c058122a00c07f80ed3f89ec97b6b43d700b58270546352116c252868d94a9b90f705e8ab2b |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-18 12:45
Reported
2025-02-18 12:48
Platform
win10v2004-20250217-en
Max time kernel
150s
Max time network
138s
Command Line
Signatures
Deletes shadow copies
Renames multiple (3380) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextLight.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-24_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_SadMouth.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ja-JP\View3d\3DViewerProductDescription-universal.xml | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\mk-MK\View3d\3DViewerProductDescription-universal.xml | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxC | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\6.jpg | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal_CustomCapability.sccd | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\notificationCenter.css | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\legal\javafx\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-125.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\iheart-radio.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.b19e8503.pri | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OFFSYMB.TTF | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-150_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.winmd | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\+README-WARNING+.txt | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\7px.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-72_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xsl | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\EmptyReport.rdlc | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\db2v0801.xsl | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\Accessories\es-ES\wordpad.exe.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-20_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\ms-logo-no-text.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_en.json | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\de-DE\mpvis.dll.mui | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\installation_telemetry.json | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-to-phone-small.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000fae86e0b4c91e041a8112999d2cefd5e00000000020000000000106600000001000020000000f7942312b7f87689cfeceac200bbe6176f98e9c23b2a3dd1a569a55261fc4b7a000000000e80000000020000200000006433f13e14506c92d72b1ba3b05085adfcd4aba6aee29025aa72d0150580df66700b00007f4382895380da3973fce377454184e78a1539dfa089f5e2e780f6b130bc6aca5fece9890d8542807be0448b91b50a4daf4bd9425bebb4c5befc258026d265d344d79136fc02c76d27c024118d4da7e0952864ce6d11cab4702a204b6124da291c4cc040c126af5344371b7856232123688e429b351d7cc628aaff35000ce9ecf2df22e861e3c6ed66eac7cc94c4a2657408f67c4e191530024f38af86312f6a3066c24eaaf9483f6e657aeb43aef9b68ebef85f223fa174082fc2d69ff8678964d8dca43da7a255174d7f8c4a5b57b28761de96c548ff4e873bf68a66aec007cad935b9951bd722d458be5d662c60ba58c003b74bc3cd226f1889ce8eece8e45a16facce6b693f6be3ea16bf28b35c8d2037ff9314b319e7e37da45490582425dc31a1f7728d92479be3d5dc3be3430f1002a600d180ef7bab8f37db1b9990db9a1b14575bebcea604e48add10fd5027a0eb27ea8de4f37c842a0003b0ffcf2a8b9846ffad968e9840545a90e9947260a7f720e0323d2358701d704904525f573d5281670fe16439dcc1e36340b361eba57924f9c6ca4834c7af4b9d1259e75b2c3dd0395426a657594fa480580b8828f6b12606e38aa44905897b4137db6e95facb25e3148d0f36d1fa137a1d0757018f86d0843f18da2741f2c0d57fa7150ada5641faad41e338121862b27b2c66be0bc38edfac3da5605997df74828ba4505d5086c2e8b4b0671524e4eec9b6754d76a68ad2aca44c81b57d6add14f62f43084a7d8a32bad71257aa99ae2ebf2644d947ab81ab5fb455c934d04969cf1e57d3ed68b57f78283a080aff550357689a877cb664f1e51e5c623cc1fae611558e18c71c1da9ac731c295618c2a06b314cd8dbc0f61ed99c767e02321748a606713693d738971931bb8934e45626538fb61d7dc3f008ee78a0f26643481f3711a0cc8808fd97a28cc0ee7645fc8a06b22fcc6ac3a3c4a12b2a304b32ea499261f40572359d38974a6d0e52b65531d6eec9aae55fe0e253a2743c2ad98811485d32042b691e96f72d207cc0d7cf67da3f2d6f5f80ad57a2b8cc9b1335d1a7b12e34768ad71c9fb3a727ef4b69a52a3b5ec5cfac4b0210ea27eb9cce0964aa277364aafbe2a7e98f17134dd36738681e3bc99a46013f70bc4eaa989a16fd9f6748f9a5deb282fd225689223045fbebeb73d2236718de4a775ec03f9819a2d41ef2a17fde6e5195e18cf396da4c40b4cffa6c61c1f0f9e74ee4c445bdeb5a84238476bcdda918cb21e04ebe219c122bea02de6538d1207d23fbaf0b7c2c8e0ae69bf741a8e6a68f74148a2cacc86b6ec23b423a6e9612608d0e2fd6aa86c9990f799b95e04f81d560c2c8ee044ed6eec991406ea2649e1b2ec7f0729079e20294bde6fcbc4fcafcd0dd90bff398ad85e86d99c806dcf55a546af43a73a600e7ab1e6bc2ce5c8e434d052fb9cef678daacadb736ffbec5dae479ad8bd3da7c7510be67b7aca58531e567f37dc29a572c0e28ddb888c6d8a8bd14216ce47c0217434e8b5dfad839311ecef9d8dc10bc491b97e1922e2c39ee3effbfced4df7df460224d494d467d021b8ee4e1230e7a668786052ea81db903fba1ea99cac9b09ade74fe8c47950f0085f940b86dd2d7c226f429740fd4c2b9a1d59618e425d93ef538903ca1353b8dacf3a7575fa718ab3f5bf40291f2ee9dca430d57f4a69c253dafa32acd5c3cce61217211c6c7464dda145237698a15de1b5848208ac2319aad91156633f7b616f7245892bb58a227aa31b1aca57a7f6405063216001baef7d5df83d4943e518ae59922dddbb4e6bae6795fd3532e6a9dafa83e81f47650ca2a1a6c3d91c7a1eeebb0a719ba5f8a531849e09f3461a79ef09d3e28c52d370cc341ca46433dcc88275a4eb74a56d69ac794afcd93ce7cfeff1a6fd2db2c4769caef97e871217a59fd98f75058cec5f8ebd6dccc49703bacd8ee2069aad54b2eb5082aa776362a69f2eb4d7ba835f447975b472079e878a196cdde8b29afdba464ef0dbff93dcacf13eb586af56f7110aee660ca315f74df7bb5fa5d141c63dc73da3c2c440dbd5f213c1a34ca15562e662b96c3b42dea5c4217be6b48c37d57c27666a47e9d129a5f7433d4f851996c2d7d2c88de454ba6d89b389e8ebbb12c19efd15097bcaef52dda76179741fb68e73c0d78f882e3f6558bcd7e29a0dc78d706a85d7a35abe582e48f13b9328baa8861a1880af0b70f2a61c8ec981b9f53687efdfa45c4b3832e14150e2d61bb6371397cf80a58509725d1005af25b19dc760bb0f42e2a0e465213cd7bfef8c9e0bc1359503af42a13bf0f894afbb4f09ad23f9c3c757f245d796d13b2203c483d96a6fa9f456ccf147ad180f8e0480f96ef40175ec74817be7049447577c81310dae20a2c56f420ba4ea39a381a51e8c39d2f92c7f914ee4bff38a44c3e8f7ed21e33771907a8a92060829527cfb583f67a5820dad2d7f3bb4fd1e44ed6c3e872dea2c8789d478edc9a2c1c004f1a2600e3c8273e1c4bfb4e00987992990881d5657fbe84a9d42f97eb75b96458d1444e618c6bde8b6cb74cd3e08827441b6e5589ef1d07497713e2295c20f1dc4c081df4f07ece661319c06d33f369cc3434e4e1b850cdcdeeb45f0a99af6c8e52be2ebf760a27e5973f36574288dbfa88ee5c4c8355fb69c1538e8315259fb1ecc945d8192f49f8f05bfac43742fbf3de278ffd478632b3f0b7c80848863cfac5a1bd20db6e5a95a99edef9f265b3fc10c9441ae8e14ddf8a40f9b6f3d452afd397eb91dcaea44a65471f20e55803afb35cb70d0a7fc7578c40f5325ed4b7d3df435dee0ab64b3f277266774ac852ef8e43eaa9c47caeed6f375809e320b215d3b6bc512b516f7f758a79986b30a61f179bbaa300d7fc842994e9b23f26f6a18fa43fefcd624f63a4007bd258d383b6b32f88efe5cf40c72e04bf085606ab3573304d921a7378cd27980120b473dee9020cfd98131bb6c93cbf9754640fd16daba88fdc25e6be2fc35ff42f0b72c4ab57b3517db2dc5e94384204e7f9b8fed92ee28bfc3cace203d1aada25e7bccb64d814f152f182a287c32722a1b2cda1edd4d32e199df8ec06f0af3de1188bb8fe2c384ddb184f5551066bcebd44425878f1c77eceb75dc2820ae043a620ca12f1981e8e29957e33109ec3d8d7a549a5f862620e43cd36499651087394545acdd64879d703d86b26d300456df9501e2b471ac5667c8d26e399edb42b068f1f0e453bff30a7bb341dc633205d8c381f30d1ba60fd37d63054d0c3cbe21a32df68e89365af3122efbf9f4b490e7a0aaaf7695b8155ca3088fc37937ebcc989f521630c3b691dac0e889172b9cae897627be5ba5bfd7d8cec1429f54985dccc2ad13cc98e98fb0a22e37c48a67e0864ccebb9245e0d9187ae11fa6a02592f800e9b462745cd2898f4bf10d2e307270f8eee0bf71a3a161fce9b191c97ba0274bf4a75ffd83c58516af3136ad46a8e614e10c9f16a86d0149748d7cc99cbe3651a5bafb6e4f4c3a482513d889ab3f86809bde4725e21dc051969606ac43b7b65878a57edb775bf198ab8fa8ad4ebca44ddcff1b335e2b1f4cb04836d09a0202102c6a089b26d9f2f1641157dd070a00d32dba736a5e6b75a26acbbad18a439ef5b860f85ce74546b300b8444beceb8d3de3411509afec5076f663db0e40967ce594eb19655cb5bfa8d970226c8b5168c4e4c095d66e43cb9c667d86304c77f53b8fd4b3049401b55c788554966eed7fcb796f02f6139cbffd96b478ac57a3c6137a6c1686404fc9179ac3e18955e3d7db81f5ec3047ce3664f81d37883a6f4622ebbefe6152a86d6dbca65ddbeefaf1a23aa21000cad79321d0ee15a811388e8aff1872a68f84cd221d5de8762b4cc872d2bad0b56c2ac94e0917cba5c4cfeee8263c03006272617e48773a01188b9e2efaa0da1da6c1ec8157f417957d0a134cc9d2242ff4a6af2a2a4faa1d23cd427c8f4eeec9a765f5435e1d5ea2ac9aa65086ddaba03981ca1b384f30d43c4f4a0695c0822519034a05ceec23a39a14c19a9c32a9a766f596acc0ea02674190fc9811c7a7bcfcccca79b0b4360b5639cc107d4cb9c61601c8ea40000000d12e13cbf80be8e0b35d1e103d9b5fabc151769229e4529318b7cba87700e47bc0cf7e96d014ecfa7b0fdb2a30630ca24efd4ae6195a4de567ffce94cc15cad9 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1739882811" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\Expires = "int64_t|1739925951" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceId = "001880114E5F0431" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\001880114E5F0431 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000fae86e0b4c91e041a8112999d2cefd5e0000000002000000000010660000000100002000000075f24f856c45f601f6a40c05e46e284b43969cfe1831980ba5d2041f6ca72918000000000e8000000002000020000000eccf52b995de92c08891dff6da5936c0d6e11227982a7cc89a5fc1f45e2797a78000000097b54a8de8e891cd78d2f8138624c34005458a4db2f4344505e16b5afde11c3bf948eb9f8f4d0b7b35d42e456ae459618d4bca1117b0737c7f7325c9c22d154fe45a96999e062370697055f1294e7e03dcaade5e96bed7a9c71849a9cafc3c4716a2e1ab7f0521ec73e204dad18df999e19f02967f0ce40a8033aed15cddf18d40000000a4e5c7c2f0d3ddfd76218ae0e0ae0654f56588b4fb32e60e92190c4a67546c410689d9fc9594a4fd22da8a6f480d565a6f2db2869953e118e3922f1172eaf5ff | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={ABD828F6-A6AA-4E08-92ED-6908246F7B7E}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "t=GwAWAbuEBAAUbVtUa9wjWgmEIwjX9d7dccnghw8OZgAAEJCo2yPGqQxhpnumoeMyJPjgAHRQOj3IB48qLWzeuTMNGF7HaxxpE2JDDNj75PL76nQ7AoWsNCJVtcVvy2KVugW4V4rVKwwerHEuYFQ+iNs5IAzMoyqGH1I5Q9GJpPdmk8U5BK0vIgp+SIHADN9AHF2jWovaYOI3lYUg0MFsqRbLc4+UQPpgcwX+97Exehf6tNld2gUKkjOU9Tt5K+wKGvFyCmyf6yh10o1aV7wWiMQu+cNgG/5c8gziBZA0qbSkR4ZbqV2Z8Vy/6qWGtL2rZ+7J7UvG/D4AGNam/upa4HevWP+oPzDJd9h7d/LhcBarM4/5HwE=&p=" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ETag = "std::wstring|\"WLKSyaj8cBrjDuyUppRePJWXIOD0R3UPMlJluSW2CUc=\"" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 18 Feb 2025 12:46:51 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2576 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | C:\Windows\system32\cmd.exe |
| PID 2576 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | C:\Windows\system32\cmd.exe |
| PID 4460 wrote to memory of 1980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 4460 wrote to memory of 1980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 4460 wrote to memory of 3912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbadmin.exe |
| PID 4460 wrote to memory of 3912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbadmin.exe |
| PID 4460 wrote to memory of 3468 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe |
| PID 4460 wrote to memory of 3468 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe |
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Network
Files
C:\Program Files\Common Files\microsoft shared\ClickToRun\+README-WARNING+.txt
| MD5 | 719bbb3bea3f7d88e9715f2faae3b472 |
| SHA1 | 2fc318acddf640091b1acaea9f151263e200c3f1 |
| SHA256 | 1310e8b4abf06577caaf948439e2ace7fa91c1a8a7f9b2a2a1318e40c50ae068 |
| SHA512 | a8de7f43602f5b4a47ffdac2ef3085e81da7e9472d3d4ac4102bf15c7de378d0401713fafb41591412b3b85cf936129e83157b5ab4e47b54b082cfd5b10c87cf |