Malware Analysis Report

2025-03-15 00:48

Sample ID 250218-pzd24azpd1
Target 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop
SHA256 b9d15b25c5b1e16e0264cc2f0569fd3be50b5ebdc2a240eb3d831b46f71629a8
Tags
makop defense_evasion discovery execution impact ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b9d15b25c5b1e16e0264cc2f0569fd3be50b5ebdc2a240eb3d831b46f71629a8

Threat Level: Known bad

The file 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop was found to be: Known bad.

Malicious Activity Summary

makop defense_evasion discovery execution impact ransomware

MAKOP ransomware payload

Makop family

Renames multiple (3380) files with added filename extension

Deletes shadow copies

Renames multiple (2793) files with added filename extension

Deletes backup catalog

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-18 12:45

Signatures

MAKOP ransomware payload

Description Indicator Process Target
N/A N/A N/A N/A

Makop family

makop

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-18 12:45

Reported

2025-02-18 12:48

Platform

win7-20241010-en

Max time kernel

92s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (2793) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\RegisterConnect.vdw C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Windows Journal\Templates\Genko_2.jtp C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\+README-WARNING+.txt C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_Loading.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\chkrzm.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1 C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\CET C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa.[8EA81148].[[email protected]].scp C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Managua C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Windows Media Player\es-ES\wmpnssci.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Berlin C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tr.txt C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Miquelon C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fy.txt C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\GRAY.pf C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\plugins.dat C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msado25.tlb C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\+README-WARNING+.txt C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11 C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\en-US\Mahjong.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fiji C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Anchorage C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\wmplayer.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 804 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe C:\Windows\system32\cmd.exe
PID 804 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe C:\Windows\system32\cmd.exe
PID 804 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe C:\Windows\system32\cmd.exe
PID 804 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe C:\Windows\system32\cmd.exe
PID 2396 wrote to memory of 2912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2396 wrote to memory of 2912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2396 wrote to memory of 2912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2396 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2396 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2396 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2396 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2396 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2396 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt

MD5 936a0e66a5ca9da192e197c372dacaeb
SHA1 6a1125710d40915d7beb8aca11bab150b405885a
SHA256 87bf8fb30411583e61de48b65a9017cf323d30b97f0a1edb4d8450794dc2de5f
SHA512 d775104663bfd0c971bd04a007d69023c90f3053151744d690ea7c058122a00c07f80ed3f89ec97b6b43d700b58270546352116c252868d94a9b90f705e8ab2b

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-18 12:45

Reported

2025-02-18 12:48

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (3380) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextLight.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_SadMouth.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ja-JP\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\mk-MK\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxC C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\6.jpg C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal_CustomCapability.sccd C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\notificationCenter.css C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\+README-WARNING+.txt C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\iheart-radio.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.b19e8503.pri C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OFFSYMB.TTF C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.winmd C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\+README-WARNING+.txt C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\7px.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xsl C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\EmptyReport.rdlc C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\db2v0801.xsl C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\es-ES\wordpad.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-20_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\ms-logo-no-text.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_en.json C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\mpvis.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\installation_telemetry.json C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-to-phone-small.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000fae86e0b4c91e041a8112999d2cefd5e00000000020000000000106600000001000020000000f7942312b7f87689cfeceac200bbe6176f98e9c23b2a3dd1a569a55261fc4b7a000000000e80000000020000200000006433f13e14506c92d72b1ba3b05085adfcd4aba6aee29025aa72d0150580df66700b00007f4382895380da3973fce377454184e78a1539dfa089f5e2e780f6b130bc6aca5fece9890d8542807be0448b91b50a4daf4bd9425bebb4c5befc258026d265d344d79136fc02c76d27c024118d4da7e0952864ce6d11cab4702a204b6124da291c4cc040c126af5344371b7856232123688e429b351d7cc628aaff35000ce9ecf2df22e861e3c6ed66eac7cc94c4a2657408f67c4e191530024f38af86312f6a3066c24eaaf9483f6e657aeb43aef9b68ebef85f223fa174082fc2d69ff8678964d8dca43da7a255174d7f8c4a5b57b28761de96c548ff4e873bf68a66aec007cad935b9951bd722d458be5d662c60ba58c003b74bc3cd226f1889ce8eece8e45a16facce6b693f6be3ea16bf28b35c8d2037ff9314b319e7e37da45490582425dc31a1f7728d92479be3d5dc3be3430f1002a600d180ef7bab8f37db1b9990db9a1b14575bebcea604e48add10fd5027a0eb27ea8de4f37c842a0003b0ffcf2a8b9846ffad968e9840545a90e9947260a7f720e0323d2358701d704904525f573d5281670fe16439dcc1e36340b361eba57924f9c6ca4834c7af4b9d1259e75b2c3dd0395426a657594fa480580b8828f6b12606e38aa44905897b4137db6e95facb25e3148d0f36d1fa137a1d0757018f86d0843f18da2741f2c0d57fa7150ada5641faad41e338121862b27b2c66be0bc38edfac3da5605997df74828ba4505d5086c2e8b4b0671524e4eec9b6754d76a68ad2aca44c81b57d6add14f62f43084a7d8a32bad71257aa99ae2ebf2644d947ab81ab5fb455c934d04969cf1e57d3ed68b57f78283a080aff550357689a877cb664f1e51e5c623cc1fae611558e18c71c1da9ac731c295618c2a06b314cd8dbc0f61ed99c767e02321748a606713693d738971931bb8934e45626538fb61d7dc3f008ee78a0f26643481f3711a0cc8808fd97a28cc0ee7645fc8a06b22fcc6ac3a3c4a12b2a304b32ea499261f40572359d38974a6d0e52b65531d6eec9aae55fe0e253a2743c2ad98811485d32042b691e96f72d207cc0d7cf67da3f2d6f5f80ad57a2b8cc9b1335d1a7b12e34768ad71c9fb3a727ef4b69a52a3b5ec5cfac4b0210ea27eb9cce0964aa277364aafbe2a7e98f17134dd36738681e3bc99a46013f70bc4eaa989a16fd9f6748f9a5deb282fd225689223045fbebeb73d2236718de4a775ec03f9819a2d41ef2a17fde6e5195e18cf396da4c40b4cffa6c61c1f0f9e74ee4c445bdeb5a84238476bcdda918cb21e04ebe219c122bea02de6538d1207d23fbaf0b7c2c8e0ae69bf741a8e6a68f74148a2cacc86b6ec23b423a6e9612608d0e2fd6aa86c9990f799b95e04f81d560c2c8ee044ed6eec991406ea2649e1b2ec7f0729079e20294bde6fcbc4fcafcd0dd90bff398ad85e86d99c806dcf55a546af43a73a600e7ab1e6bc2ce5c8e434d052fb9cef678daacadb736ffbec5dae479ad8bd3da7c7510be67b7aca58531e567f37dc29a572c0e28ddb888c6d8a8bd14216ce47c0217434e8b5dfad839311ecef9d8dc10bc491b97e1922e2c39ee3effbfced4df7df460224d494d467d021b8ee4e1230e7a668786052ea81db903fba1ea99cac9b09ade74fe8c47950f0085f940b86dd2d7c226f429740fd4c2b9a1d59618e425d93ef538903ca1353b8dacf3a7575fa718ab3f5bf40291f2ee9dca430d57f4a69c253dafa32acd5c3cce61217211c6c7464dda145237698a15de1b5848208ac2319aad91156633f7b616f7245892bb58a227aa31b1aca57a7f6405063216001baef7d5df83d4943e518ae59922dddbb4e6bae6795fd3532e6a9dafa83e81f47650ca2a1a6c3d91c7a1eeebb0a719ba5f8a531849e09f3461a79ef09d3e28c52d370cc341ca46433dcc88275a4eb74a56d69ac794afcd93ce7cfeff1a6fd2db2c4769caef97e871217a59fd98f75058cec5f8ebd6dccc49703bacd8ee2069aad54b2eb5082aa776362a69f2eb4d7ba835f447975b472079e878a196cdde8b29afdba464ef0dbff93dcacf13eb586af56f7110aee660ca315f74df7bb5fa5d141c63dc73da3c2c440dbd5f213c1a34ca15562e662b96c3b42dea5c4217be6b48c37d57c27666a47e9d129a5f7433d4f851996c2d7d2c88de454ba6d89b389e8ebbb12c19efd15097bcaef52dda76179741fb68e73c0d78f882e3f6558bcd7e29a0dc78d706a85d7a35abe582e48f13b9328baa8861a1880af0b70f2a61c8ec981b9f53687efdfa45c4b3832e14150e2d61bb6371397cf80a58509725d1005af25b19dc760bb0f42e2a0e465213cd7bfef8c9e0bc1359503af42a13bf0f894afbb4f09ad23f9c3c757f245d796d13b2203c483d96a6fa9f456ccf147ad180f8e0480f96ef40175ec74817be7049447577c81310dae20a2c56f420ba4ea39a381a51e8c39d2f92c7f914ee4bff38a44c3e8f7ed21e33771907a8a92060829527cfb583f67a5820dad2d7f3bb4fd1e44ed6c3e872dea2c8789d478edc9a2c1c004f1a2600e3c8273e1c4bfb4e00987992990881d5657fbe84a9d42f97eb75b96458d1444e618c6bde8b6cb74cd3e08827441b6e5589ef1d07497713e2295c20f1dc4c081df4f07ece661319c06d33f369cc3434e4e1b850cdcdeeb45f0a99af6c8e52be2ebf760a27e5973f36574288dbfa88ee5c4c8355fb69c1538e8315259fb1ecc945d8192f49f8f05bfac43742fbf3de278ffd478632b3f0b7c80848863cfac5a1bd20db6e5a95a99edef9f265b3fc10c9441ae8e14ddf8a40f9b6f3d452afd397eb91dcaea44a65471f20e55803afb35cb70d0a7fc7578c40f5325ed4b7d3df435dee0ab64b3f277266774ac852ef8e43eaa9c47caeed6f375809e320b215d3b6bc512b516f7f758a79986b30a61f179bbaa300d7fc842994e9b23f26f6a18fa43fefcd624f63a4007bd258d383b6b32f88efe5cf40c72e04bf085606ab3573304d921a7378cd27980120b473dee9020cfd98131bb6c93cbf9754640fd16daba88fdc25e6be2fc35ff42f0b72c4ab57b3517db2dc5e94384204e7f9b8fed92ee28bfc3cace203d1aada25e7bccb64d814f152f182a287c32722a1b2cda1edd4d32e199df8ec06f0af3de1188bb8fe2c384ddb184f5551066bcebd44425878f1c77eceb75dc2820ae043a620ca12f1981e8e29957e33109ec3d8d7a549a5f862620e43cd36499651087394545acdd64879d703d86b26d300456df9501e2b471ac5667c8d26e399edb42b068f1f0e453bff30a7bb341dc633205d8c381f30d1ba60fd37d63054d0c3cbe21a32df68e89365af3122efbf9f4b490e7a0aaaf7695b8155ca3088fc37937ebcc989f521630c3b691dac0e889172b9cae897627be5ba5bfd7d8cec1429f54985dccc2ad13cc98e98fb0a22e37c48a67e0864ccebb9245e0d9187ae11fa6a02592f800e9b462745cd2898f4bf10d2e307270f8eee0bf71a3a161fce9b191c97ba0274bf4a75ffd83c58516af3136ad46a8e614e10c9f16a86d0149748d7cc99cbe3651a5bafb6e4f4c3a482513d889ab3f86809bde4725e21dc051969606ac43b7b65878a57edb775bf198ab8fa8ad4ebca44ddcff1b335e2b1f4cb04836d09a0202102c6a089b26d9f2f1641157dd070a00d32dba736a5e6b75a26acbbad18a439ef5b860f85ce74546b300b8444beceb8d3de3411509afec5076f663db0e40967ce594eb19655cb5bfa8d970226c8b5168c4e4c095d66e43cb9c667d86304c77f53b8fd4b3049401b55c788554966eed7fcb796f02f6139cbffd96b478ac57a3c6137a6c1686404fc9179ac3e18955e3d7db81f5ec3047ce3664f81d37883a6f4622ebbefe6152a86d6dbca65ddbeefaf1a23aa21000cad79321d0ee15a811388e8aff1872a68f84cd221d5de8762b4cc872d2bad0b56c2ac94e0917cba5c4cfeee8263c03006272617e48773a01188b9e2efaa0da1da6c1ec8157f417957d0a134cc9d2242ff4a6af2a2a4faa1d23cd427c8f4eeec9a765f5435e1d5ea2ac9aa65086ddaba03981ca1b384f30d43c4f4a0695c0822519034a05ceec23a39a14c19a9c32a9a766f596acc0ea02674190fc9811c7a7bcfcccca79b0b4360b5639cc107d4cb9c61601c8ea40000000d12e13cbf80be8e0b35d1e103d9b5fabc151769229e4529318b7cba87700e47bc0cf7e96d014ecfa7b0fdb2a30630ca24efd4ae6195a4de567ffce94cc15cad9 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1739882811" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\Expires = "int64_t|1739925951" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceId = "001880114E5F0431" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\001880114E5F0431 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000fae86e0b4c91e041a8112999d2cefd5e0000000002000000000010660000000100002000000075f24f856c45f601f6a40c05e46e284b43969cfe1831980ba5d2041f6ca72918000000000e8000000002000020000000eccf52b995de92c08891dff6da5936c0d6e11227982a7cc89a5fc1f45e2797a78000000097b54a8de8e891cd78d2f8138624c34005458a4db2f4344505e16b5afde11c3bf948eb9f8f4d0b7b35d42e456ae459618d4bca1117b0737c7f7325c9c22d154fe45a96999e062370697055f1294e7e03dcaade5e96bed7a9c71849a9cafc3c4716a2e1ab7f0521ec73e204dad18df999e19f02967f0ce40a8033aed15cddf18d40000000a4e5c7c2f0d3ddfd76218ae0e0ae0654f56588b4fb32e60e92190c4a67546c410689d9fc9594a4fd22da8a6f480d565a6f2db2869953e118e3922f1172eaf5ff C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={ABD828F6-A6AA-4E08-92ED-6908246F7B7E}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "t=GwAWAbuEBAAUbVtUa9wjWgmEIwjX9d7dccnghw8OZgAAEJCo2yPGqQxhpnumoeMyJPjgAHRQOj3IB48qLWzeuTMNGF7HaxxpE2JDDNj75PL76nQ7AoWsNCJVtcVvy2KVugW4V4rVKwwerHEuYFQ+iNs5IAzMoyqGH1I5Q9GJpPdmk8U5BK0vIgp+SIHADN9AHF2jWovaYOI3lYUg0MFsqRbLc4+UQPpgcwX+97Exehf6tNld2gUKkjOU9Tt5K+wKGvFyCmyf6yh10o1aV7wWiMQu+cNgG/5c8gziBZA0qbSkR4ZbqV2Z8Vy/6qWGtL2rZ+7J7UvG/D4AGNam/upa4HevWP+oPzDJd9h7d/LhcBarM4/5HwE=&p=" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ETag = "std::wstring|\"WLKSyaj8cBrjDuyUppRePJWXIOD0R3UPMlJluSW2CUc=\"" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 18 Feb 2025 12:46:51 GMT" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

Network

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\+README-WARNING+.txt

MD5 719bbb3bea3f7d88e9715f2faae3b472
SHA1 2fc318acddf640091b1acaea9f151263e200c3f1
SHA256 1310e8b4abf06577caaf948439e2ace7fa91c1a8a7f9b2a2a1318e40c50ae068
SHA512 a8de7f43602f5b4a47ffdac2ef3085e81da7e9472d3d4ac4102bf15c7de378d0401713fafb41591412b3b85cf936129e83157b5ab4e47b54b082cfd5b10c87cf