makop | 257ebc7ed3762db257e623992b492ec32fecab362f9ef81e1143afcea7c31581

Analysis

max time kernel
73s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2025, 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
Size

34KB
MD5

7d4ac74129b6b97caa5906ac68afcf34
SHA1

c8620068897281d16694133e3fdb0392624dff85
SHA256

257ebc7ed3762db257e623992b492ec32fecab362f9ef81e1143afcea7c31581
SHA512

67aa4bb106a2e4932783dd96bfb7e93bc3af88a9c310663a7b0ed8abb469108b87fb3e23addfb38672cc05dd3d4a1014c6f83098bb26265df87ced9a6fb5cf70
SSDEEP

768:h4HLd8VdhiqV1Esg8kdJCzSIZHkKRV6kNDzqmaG8ZCg:hQ8VdV1U8ZGURVFl8n

Score

10^/10

makop credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ClickToRun\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Makop family
makop
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (8386) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4004	wbadmin.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 7 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
53	iplogger.org
54	iplogger.org

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-16_altform-unplated_contrast-black.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteLargeTile.scale-150.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\microsoft-logo-color.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoPreview.xbf	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200_contrast-high.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_ForwardDirection_RoomScale.jpg	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeLogo.scale-100.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-400_contrast-white.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-125.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-focus_32.svg	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Dev.msix	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-125.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-32.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\readme-warning.txt	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-125.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\32.jpg	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-125_contrast-white.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\XboxResourceDictionary.xaml	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\selector.js	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close2x.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Stable.msix.DATA	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\9px.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\7.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.[47B6BA37].[[email protected]].makop	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page1.jpg	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ppd.xrm-ms	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SmallTile.scale-125_contrast-black.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Marble.jpg	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Match.ps1	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN001.XML	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\readme-warning.txt	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\3039_40x40x32.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\IncomingCallBrandingImage.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_unselected_18.svg	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_light_environment.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-125_contrast-white.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-400.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ru.pak.DATA	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-125.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-36_altform-unplated.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\hr.pak	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeGreaterThan.ps1	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxSignature.p7x	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Marble.dxt	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\readme-warning.txt	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\multiple-plans.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4908	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Traditional Chinese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_HW_es-ES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\c1036.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033David"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\lsr1041.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\r1041sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ayumi - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Stefan"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{37A9D401-0BF5-4366-9530-C75C6DC23EC9}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5233694"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\lsr1031.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_HW_en-US.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ayumi"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\AI041036"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "6;18;22"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Spanish (Spain)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Universal Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Helena - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Haruka"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-250031470-1197856012-2659781506-1000\{BD5A8929-5547-4D52-92FE-4E9C35F8E280}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\lsr3082.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1041-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\L1041"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Katja"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Zira"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_HW_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Haruka"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\MSTTSLocfrFR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "C0A"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SW"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Anywhere;Trailing"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\tn3082.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_HW_de-DE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\AI041033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\tn1033.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Laura - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Laura"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - German (Germany)"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3732	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
3732	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	4152	vssvc.exe
Token: SeRestorePrivilege	4152	vssvc.exe
Token: SeAuditPrivilege	4152	vssvc.exe
Token: SeBackupPrivilege	2180	wbengine.exe
Token: SeRestorePrivilege	2180	wbengine.exe
Token: SeSecurityPrivilege	2180	wbengine.exe
Token: SeIncreaseQuotaPrivilege	208	WMIC.exe
Token: SeSecurityPrivilege	208	WMIC.exe
Token: SeTakeOwnershipPrivilege	208	WMIC.exe
Token: SeLoadDriverPrivilege	208	WMIC.exe
Token: SeSystemProfilePrivilege	208	WMIC.exe
Token: SeSystemtimePrivilege	208	WMIC.exe
Token: SeProfSingleProcessPrivilege	208	WMIC.exe
Token: SeIncBasePriorityPrivilege	208	WMIC.exe
Token: SeCreatePagefilePrivilege	208	WMIC.exe
Token: SeBackupPrivilege	208	WMIC.exe
Token: SeRestorePrivilege	208	WMIC.exe
Token: SeShutdownPrivilege	208	WMIC.exe
Token: SeDebugPrivilege	208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	208	WMIC.exe
Token: SeRemoteShutdownPrivilege	208	WMIC.exe
Token: SeUndockPrivilege	208	WMIC.exe
Token: SeManageVolumePrivilege	208	WMIC.exe
Token: 33	208	WMIC.exe
Token: 34	208	WMIC.exe
Token: 35	208	WMIC.exe
Token: 36	208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	208	WMIC.exe
Token: SeSecurityPrivilege	208	WMIC.exe
Token: SeTakeOwnershipPrivilege	208	WMIC.exe
Token: SeLoadDriverPrivilege	208	WMIC.exe
Token: SeSystemProfilePrivilege	208	WMIC.exe
Token: SeSystemtimePrivilege	208	WMIC.exe
Token: SeProfSingleProcessPrivilege	208	WMIC.exe
Token: SeIncBasePriorityPrivilege	208	WMIC.exe
Token: SeCreatePagefilePrivilege	208	WMIC.exe
Token: SeBackupPrivilege	208	WMIC.exe
Token: SeRestorePrivilege	208	WMIC.exe
Token: SeShutdownPrivilege	208	WMIC.exe
Token: SeDebugPrivilege	208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	208	WMIC.exe
Token: SeRemoteShutdownPrivilege	208	WMIC.exe
Token: SeUndockPrivilege	208	WMIC.exe
Token: SeManageVolumePrivilege	208	WMIC.exe
Token: 33	208	WMIC.exe
Token: 34	208	WMIC.exe
Token: 35	208	WMIC.exe
Token: 36	208	WMIC.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeCreatePagefilePrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeCreatePagefilePrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeCreatePagefilePrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeCreatePagefilePrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeCreatePagefilePrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeCreatePagefilePrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeCreatePagefilePrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeCreatePagefilePrivilege	2108	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
464	explorer.exe
464	explorer.exe
464	explorer.exe
464	explorer.exe
464	explorer.exe
464	explorer.exe
464	explorer.exe
464	explorer.exe
464	explorer.exe
464	explorer.exe
464	explorer.exe
4156	explorer.exe
4156	explorer.exe
4156	explorer.exe
4156	explorer.exe
4156	explorer.exe
4156	explorer.exe
4156	explorer.exe
4156	explorer.exe
4156	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4284	StartMenuExperienceHost.exe
4412	StartMenuExperienceHost.exe
4360	SearchApp.exe
4208	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 4336	3732	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe	90
PID 3732 wrote to memory of 4336	3732	2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe	90
PID 4336 wrote to memory of 4908	4336	cmd.exe	92
PID 4336 wrote to memory of 4908	4336	cmd.exe	92
PID 4336 wrote to memory of 4004	4336	cmd.exe	95
PID 4336 wrote to memory of 4004	4336	cmd.exe	95
PID 4336 wrote to memory of 208	4336	cmd.exe	100
PID 4336 wrote to memory of 208	4336	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Admin\AppData\Local\Temp\2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-14_7d4ac74129b6b97caa5906ac68afcf34_makop.exe" n3732
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4732
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4908
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:4004
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5104

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3140

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2108

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2956

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4360

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:464

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4208

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Suspicious use of SendNotifyMessage
PID:4156

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3692

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1556

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2676

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3548

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1072

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4908

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4280

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1584

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4616

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4256

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3236

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5072

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2132

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:644

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3176

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1720

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4632

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1524

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1256

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4132

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1944

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3972

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3884

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2576

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:280

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4084

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1720

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4160

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:272

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1524

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2632

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3596

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\readme-warning.txt

Filesize
1KB

MD5
7246308c2a9f9c7f840851ef1a832fcc

SHA1
17ac648dc7a2caefd9945b1a6aab6e76ffd796b9

SHA256
ed0505b0440a115f6d0c82b384d9e815cb0cb89ebafcbcbcdadd9b0be4836829

SHA512
3e4aa4b7beceb717d4d25c410062576530a079c3c3ce19c76ac3ccb18ccf5605c9297523b047969b99b543bd2261b85a58415f59ce7386dacbd8662fbb90b9e8

Download Submit
C:\USERS\ADMIN\DESKTOP\ADDMOUNT.OTF.[47B6BA37].[[email protected]].MAKOP

Filesize
160KB

MD5
6c6f64c40990d6639410d60a3c89b7e6

SHA1
f135910bbc7bd3ac0daa94b9f860d55b385e7f2f

SHA256
32f5fbc737c2ee37b04e32e35f363dc16916436e0da0fff6808aa5287327bdff

SHA512
dfaa0b24782142db56209aae7f6036ba5fef3fdec25273a7f45afa8d00ff1aaba78ec211b6b47819436451a894891fb65d3f7d67ab5996878e2e3dc2bae04778

Download Submit
C:\USERS\ADMIN\DESKTOP\CLEARSTART.ISO.[47B6BA37].[[email protected]].MAKOP

Filesize
188KB

MD5
b5e06216119a81b08771919edddfde45

SHA1
eefc31b5afc5f31c162be756735e265e9f7243dc

SHA256
1b5c1e221335dae9fa90463d52f771ba4a92ea1a6f88c8f5efdcbfe2a7e25c0f

SHA512
aa1370d0b66365fcf551b9132bb3c4f94c5101abbf0ea465409f92194ba8ee2ac4ceb2243eb52f254ea51a7b5ba9cdf87261831a77e5d349cf6cbb4e521c8b7e

Download Submit
C:\USERS\ADMIN\DESKTOP\CLOSEPING.MPG.[47B6BA37].[[email protected]].MAKOP

Filesize
202KB

MD5
d2faf1c29b65e6e37301352c77e4f006

SHA1
bcad33ece2739a891e21a4ac24ce0fb51185ae5f

SHA256
3f9ffdc173e3524d8183a549706d214798cfce04a751fa70d134c0c43b8ce09c

SHA512
b04089216d32509f97427ece509dc7cb0ef7a127ebb6a8a0fd53b3a91d05472084f988e08b59aa11e23e5c2ad3f5545c409f6703eb682d4aeda0d784d9dc3ce4

Download Submit
C:\USERS\ADMIN\DESKTOP\COMPRESSNEW.BAT.[47B6BA37].[[email protected]].MAKOP

Filesize
397KB

MD5
3938b04080ee753d877152610671f4be

SHA1
2265e0903faa4961016ec2a1d155eb66a50ce351

SHA256
201adb720cb9dd3753ad41ab6309020be6c7e2afa4c039c7d2e7974429935a9c

SHA512
d0ccde8d4214a958b1ea1a50a07d23749b59312174dd07056cc7b61e40a56771bc1e167b5f58233db7f51d153395923f18ee8393cc7e6c45a08659b1fdb3db58

Download Submit
C:\USERS\ADMIN\DESKTOP\CONVERTRESOLVE.PPSM.[47B6BA37].[[email protected]].MAKOP

Filesize
146KB

MD5
00c7e72e2ef5f53d1ff754c2610e64ed

SHA1
b34788a8fefe6231abe26cdb6756b7bf3cd5a34e

SHA256
0361cc5c2baa426f454da01a624885391615c2a20de75a905b8cdb31e9ffb28d

SHA512
2d70c02b5f56ce84cc9e8532684570da142c0a54e03c57fa7a7ef4308455529e3bbe2e9fa949e41c85f6edadc76eb085b24545ec52467c94ccc9942b00d1dde1

Download Submit
C:\USERS\ADMIN\DESKTOP\COPYTEST.MP4V.[47B6BA37].[[email protected]].MAKOP

Filesize
244KB

MD5
5fca22f2f5552330b3d8e5a12570697f

SHA1
4c73dbc443199147727bbdf7ccc8506c47aabe6c

SHA256
3c6ffc6a6a70e66bac20e4b11715c8c2dbbe37e99ce56c32ee7b31ffa3ef99fe

SHA512
ab91b7828bb8ecc03bbbb0ce4945c51914cf8ba66f8486f54108afcb7cb571e293ffdf868ecaf4f93f7ad565fe53078c99e5a8b0955d4b021e4ad2b76ce559cd

Download Submit
C:\USERS\ADMIN\DESKTOP\DEBUGSYNC.XLSX.[47B6BA37].[[email protected]].MAKOP

Filesize
12KB

MD5
d2d6435081fec63329c263c4174b9b51

SHA1
aaf42d2a1ba3b6ae9424c507e47bd0b89bfab960

SHA256
ef48a0e6f0322b7391fa9bd0b0022c9b585b0ca01a955859ea9a3196ec71b8a2

SHA512
9200575744520921c20567df21c9bf1bda1c6ee9ba3b89114c994e110c53656e96747e8a660a427e92bb8ddc2a7931592bc2690eeff0ac289592624b9d065947

Download Submit
C:\USERS\ADMIN\DESKTOP\EXPORTENTER.INF.[47B6BA37].[[email protected]].MAKOP

Filesize
355KB

MD5
60681bc343da75eb3b869862b5b88c6a

SHA1
9cd9945138543890aaff1d700b768c603041d7b0

SHA256
7f0d4a99cc3acf8817c8308ad6d3e62c35cadff48177909c1c6280521bcc4b63

SHA512
51bdd8cf31cf41573e2862bf563c2f2f34ed7d9d6782c9dae44359ccb20470e0915493b4d135984a658413fc9a63fa68a037cd2573d40ea8831bcfa358870a03

Download Submit
C:\USERS\ADMIN\DESKTOP\GETSWITCH.ODP.[47B6BA37].[[email protected]].MAKOP

Filesize
174KB

MD5
3f64658d51627ab12d7f3115485371f2

SHA1
cfc0cd16324de1c19b6566996e0c66c96554de87

SHA256
3fe79eda69bd922e6afbe650d6689637e3a51fcdc0b1040b3c8085b093b4a98d

SHA512
beac89bfef50567194ca8138ee8d3b182e0f16c6a4b175fb0bffe6b7144b592901986fe0afff4c5bdb17e17843889de6a9bb0f92af23a532fb631415113f2d10

Download Submit
C:\USERS\ADMIN\DESKTOP\MICROSOFT EDGE.LNK.[47B6BA37].[[email protected]].MAKOP

Filesize
2KB

MD5
253adea71a51d688c8c2290f7ae4d093

SHA1
e16ba474dbfb78bfe37299e4563f6bedfb7a0511

SHA256
a40087463f7320d347ee58c4ffbc537eaa79d62fdd7286b54d7acd1cb9516ba5

SHA512
f369cc534ca168c6f96b50e83cb902092f90305fbfef4d93cefaa00fca8a7adbd33f89b906856c87182613292ba2374d4600b5c3097a2117540356139995bbeb

Download Submit
C:\USERS\ADMIN\DESKTOP\OUTPING.DOCX.[47B6BA37].[[email protected]].MAKOP

Filesize
18KB

MD5
0ec9d63990090f9b2ce59f22f7de361c

SHA1
1d7cefd11c00b1ea1964a3bc0b6334a64f79dea3

SHA256
7dadb3ecea7a5fe9953a53731fbca28c740dd9fb08d394d9b660ea3f3636e386

SHA512
c66e51b7b6c3fefb45b4b2f46f5bd2f08ed39d805e9e9c64f7ef3fe93ea43ac86619310b2e7e04468f9cca7222b39f9d668baa9336979ad3be50f6af0daf4fa6

Download Submit
C:\USERS\ADMIN\DESKTOP\OUTRESUME.LOCK.[47B6BA37].[[email protected]].MAKOP

Filesize
299KB

MD5
4a7083349c021213df6a01d8e6ebb0d9

SHA1
730e573fa6cafbda303b818761a9b007acffb660

SHA256
0229baaa6c12f0a3cac287bebbab8c8fac8b1b011c1dff849be43c20995b4548

SHA512
de48daedcd1715b03d33828ebe01efcbd23ad200eece8cd2e0f06db5e97e4210e504a516a86bd242ef6136c3f61eab2f97f19cba8af65af080c45e7794af2117

Download Submit
C:\USERS\ADMIN\DESKTOP\PUBLISHCONVERTTO.GIF.[47B6BA37].[[email protected]].MAKOP

Filesize
216KB

MD5
5d935ba130264b919b58ee4184de1b70

SHA1
ed93424379d1f69518b98d0e72d521185ce1438f

SHA256
43f90fe19d2f221b0fd1be898f35eebe0f7523e3ede5eb75d990b380318e2b5c

SHA512
2a56770b5ba2c3aec29f433d2447652cf2bad1b928d5bb0ec42a52824e2720501b24e550d1e1ca95259d102c09e73979ab880ee3f62261eeca0854ec6f0c9a5f

Download Submit
C:\USERS\ADMIN\DESKTOP\RESIZEGROUP.WDP.[47B6BA37].[[email protected]].MAKOP

Filesize
313KB

MD5
16605f0a5b131ff8139d46c133973beb

SHA1
d28a7e46e2a506f62f9eb6ef6f68bdde049907f1

SHA256
af7f824272d780c667c854f0ebc7cdf3b4eaa4361c3b7140a1e22aca8d487423

SHA512
bf03b6633eb75786d8d11abb64e4e3ef136b31063dac89785b001263a2834b531a5464393448fd83103a19fd2db7e63876d9d5cb6df12e955b9d9318641b55ac

Download Submit
C:\USERS\ADMIN\DESKTOP\RESIZEUNINSTALL.JPG.[47B6BA37].[[email protected]].MAKOP

Filesize
285KB

MD5
b498e9ed0dac5d5fe98b0826412ca0bf

SHA1
52f55f0d3ad5c91a1a8c4267de805c8fd0a4e13e

SHA256
7c870326e9b6c83a164ad0a863e593aeb5d9283c5becd9305695175c66ca935c

SHA512
54508c8435b2de3aa4e5e0c742bf8475037775b880506904061ea6ffe545c317fa1076dbaa53af45fcbac220b78aad2862db5cc38c827e5050b2e3d6e51eb46c

Download Submit
C:\USERS\ADMIN\DESKTOP\RESOLVEOPTIMIZE.INI.[47B6BA37].[[email protected]].MAKOP

Filesize
271KB

MD5
5354936b6bd2873e8b7845de588e09ed

SHA1
3f8e7b0a01ffe925aa7289597eafb2987a7ee997

SHA256
4c87249f02cec74815d41a1ec8bfa2b445a7d09d5d1d838a65d6dad4101d58fb

SHA512
e6af9b8756fc605a3d5de1fec13564a23f310713fc5274cf10cd18175206fea73533c18637fc278bb4e895fcb3901561a30c15d3bb03fdd6c48c45d39e60b2d3

Download Submit
C:\USERS\ADMIN\DESKTOP\RESTARTCOPY.DVR.[47B6BA37].[[email protected]].MAKOP

Filesize
327KB

MD5
6f37cdd8b4faa65ef5370ae6d40c785a

SHA1
76a9ef9490522e84badb665b83efa43f3e605399

SHA256
7aa73fdf669d3ee76b60e14f68ad2a6a0adf07c2364a0cd9e49a7bb15de4cd6b

SHA512
d31732a0761b7dfff3dbc23ea2ba8228f4c6fd17508d266e716df3fbaf60f4dac4fbeb0aae7f2c000ec7538ffdf2332565c91c8804e278bec2a76102ac058dbc

Download Submit
C:\USERS\ADMIN\DESKTOP\RESTORECLEAR.RM.[47B6BA37].[[email protected]].MAKOP

Filesize
383KB

MD5
fc19d8e13909ef40b1cb66591677b9de

SHA1
39bf717154f3dcc6ef6bfd8888a34daff1277b69

SHA256
83827ced6b7a639867d058c7d3ee228d0f67b2db04b87fee60b11b5d3469af31

SHA512
60599c15ad183ffd7a8d095338e37342a9e2f9d3846f9208179f322c708b3e62aa24bb8e681f036b1f651dece07f6e001ed47ddc6ded37abd61fe04022f50a4e

Download Submit
C:\USERS\ADMIN\DESKTOP\SELECTSHOW.INI.[47B6BA37].[[email protected]].MAKOP

Filesize
571KB

MD5
a74d67f22cf7fea87ffd8980cd00a938

SHA1
fa60290b11252faf99669937c9766187f485279c

SHA256
646b35a68c044c0f5864908b948470a23dc63b1f8b79c2314f03eabdbb4f747a

SHA512
91ab6ace5416c10a0f7b094aaf9906b3bb42b80cce93f42ca08892ff13b3819eb7f24538b998e51970a5f04eda5f2d7c63f4cb2f3d6c9fe78ca8f2a138eb2d3b

Download Submit
C:\USERS\ADMIN\DESKTOP\SENDSAVE.JPE.[47B6BA37].[[email protected]].MAKOP

Filesize
230KB

MD5
a6dba11c718fd597662c5d2af526f782

SHA1
05c93fb3f45ebad1239f42ebd75b4bbacfb9a42d

SHA256
484107cdeff39a464dd4303488d537e0023af14e8e06c8f655e48d888878851f

SHA512
5a4c81d07d03de53490238cc009b5057e7e4bafc952ab071c6774050d1921b0c042b48374eb70b8644be92ef4f76044d2d4996dc9b6586e01bf17d51cbd93486

Download Submit
C:\USERS\ADMIN\DESKTOP\SKIPWRITE.CAB.[47B6BA37].[[email protected]].MAKOP

Filesize
411KB

MD5
6062230559d204e41ec294f18c68eddc

SHA1
f42fe602b259de2085b16e632c634c05adc0defa

SHA256
6670885f4d43fc489d1ae8a3bad0e2363d482e1d4e52b457a01661b0b8fdb016

SHA512
fed5e87874fa896f52117e756b0bfbd156489e7b77e9e251ba124c243bf72d10a9d0108c118349d7879d3aea78625ba2fd7bb04da4e99d4b70a740a4cdaeecf7

Download Submit
C:\USERS\ADMIN\DESKTOP\SPLITPUSH.ODP.[47B6BA37].[[email protected]].MAKOP

Filesize
369KB

MD5
06395283ec6917a0452407f4aab846f3

SHA1
353d78ecf534942624eb3ea12f46b1089aeab722

SHA256
8dffe8d22987d1d6f9cb9ff71af44741fd28152c3ea64fc239adb587edb7019d

SHA512
ef0ea748f3eb23480cddfa2943dc7afa30427bc0732bbce6ff195ca4747a311ef5b2d64c63fbc2813a4dea9d16abafc1e1690b472ecb1b9f2a4c725e3f34ca01

Download Submit
C:\USERS\ADMIN\DESKTOP\SWITCHEDIT.XLSX.[47B6BA37].[[email protected]].MAKOP

Filesize
11KB

MD5
3fb4639a3396f493ee257f6ecbb388aa

SHA1
37296c021d7ff80d25e1823441a70385459ee010

SHA256
ada44203ee1c6dc1cbbbc3a7c7df5ce534448174994ef5dd5a7caf73cedc8abd

SHA512
8f6fcf91be6dd2da3a2ca4d073fac422656a71afab4dd5c895b373f9f8c0b17640b1765451f41bc4b966747dd0d5330525430477eccaf55919a0adc435bcd85e

Download Submit
C:\USERS\ADMIN\DESKTOP\UNPUBLISHGET.SVG.[47B6BA37].[[email protected]].MAKOP

Filesize
257KB

MD5
e68357b35b42f3c53d0b5d5702c5cd83

SHA1
e3be9ee37468689f95dd9f652c390a7689aab041

SHA256
44d5f8cecfd0f45731a874667000809019ecef7a264eb78a2cb3f8705d691dfb

SHA512
83893cc7decf8ff15580c2f451c0781d6b08d43b2d048693a85597928595b2b67f6b98f6b520c927305c3856153d869e38b74f7122dc94dc5b89e630922bd3be

Download Submit
C:\USERS\ADMIN\DESKTOP\UNREGISTERAPPROVE.7Z.[47B6BA37].[[email protected]].MAKOP

Filesize
341KB

MD5
069960ced6281b9c92e6bf13f8adc462

SHA1
9ae1d101a37a191bedd9fd3fcf62bd8240d9c5da

SHA256
7ccbe0065ed108932b706131a95a3e2f2323a678422bbf682adc4b8c4bde0513

SHA512
a3833dc751ec3277a0c650ed6f279138f794dc5f4dd5a3e0c82ef10bcf30f409c015f37a5875b92ce2c4431ee54216e90a7422b461906142ef29626b25ff272a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
6d2755724941fb244ecd401a1574d3ab

SHA1
c4541b84cce637dc7b7e8c788f22768b49474344

SHA256
e246d6db345c904fa83a404d98eb3d206daf20aa37616e0dae33f32bd3084ad6

SHA512
69bdefd6f16cf45e249b89ed0490ac616406f4f4d7e4cc4c192e751804e98aa1024b914200f58e5be67d393272d221b3dcc39bfa98a62ae4581020bf32150aac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
b7c27509279a3e11441b5f39f0d13449

SHA1
9996aadacf4d57be97e30fdf3e1c18a6f08086b9

SHA256
7be35072c34f097b37813b7d98cd7ed9dbb8f1c2f7f3e15a306b20a0e76b252e

SHA512
783cc2e942af52f236ea7c95665343e7dc02fe8c1c053fbc61f33f8ff45f4ef891aacab47c012c7544e534841236453c8cf9402b81ee38a394802b10fa907cad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
413KB

MD5
2350b47261040b1ee32f7df427ab30fc

SHA1
e656cced405e01b6a60b7444b2c9e1b31ed7c63a

SHA256
612881f476b4820221970c20f44ee5d9cd9c64a2cd3c9ec82e6757209c0184db

SHA512
a9e5838e63c2f786d57fd3e808ed54c6af0f7fc60dcc9cc1d606309d976c1b8954ef6271838db3e20325a6d66889362e3f28825a6fdba5075b860efc43d1d941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db

Filesize
16KB

MD5
619847f20a7a3ef2217d3960a8e57cbc

SHA1
7ce6b53b78071eb1e0ed5e860ffbcb13f05075c2

SHA256
e4a7c29e7c140e6268287c32df9273765ba27257dbfb8b407d942b06e3fb17d6

SHA512
6e4624b45538863d2a8a61f63d8d20fa515f07bf724f390e18eeb382938c0d95043b02e5db1983104c018ae20fc4dbcddc5263efbe8f5ce6421a1f5be907a6aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.[47B6BA37].[[email protected]].makop

Filesize
414KB

MD5
7b5262827afd1cca6d9b654616286d7f

SHA1
0eeb878b2ab82f0e3b9b2f01170bd60b3be3ddcd

SHA256
2215ead284655b7a9a692203c212175e858381d162c9171da9a9266cfb0576c3

SHA512
21b16003e1154f0abb5a7bfefbcc2a2a72920dc408e66607f69825389f4ebd70b28e897b6a0cd24a3e8aa23677e4ac04c06d9e18eb627f64bbc971eeab640edb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
3177e5eaed49b7ddb3a6205046a17488

SHA1
abecb4c2e2e623f37c57069804c19eccbfc372b7

SHA256
8c59edbf8559de3ae290ca4de282755f36d2f64a679b7d2a9b8aadb51e6bccb8

SHA512
e198accb16759494d246f81242a8e0369f3a6b6914bdc905b88c27d07beac4f37c3c667d84730081898b7fc8889907e893d5f5d47181531d5370786d7efec2f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
1024KB

MD5
d4f075ddca0d508e463d72769facf4ac

SHA1
158bde228813559e8114d6779352297175b56bf3

SHA256
b82f18cc7e5e2d5a031184d841f393493478f73a82dd81a35ba56ddce8dd8b7a

SHA512
d38b991531b2d35d1a25fd298dd81e04d0514d79b1be834433ff2527df5c5aa19d7c6211e4489393af1ad1876d7a59df56345e8293830412623cc7ea0551003a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
777dd969da3dd17026244668b774e058

SHA1
e0a066d28dfc6bcca1c13a50bfc4b35a37541b7a

SHA256
221f1bd7bad281fe93374736df606e52ce7393ae4fe0bdd4682935b90f184e59

SHA512
1f1a19b1a969a62cd8c83622e89077492457dd00f28505f0fe49a600688b18bf0407cae61e0da9f0d23fd0f6d874125fe83a5666ca7975976d612743fda08158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
ea8bae4b6b289a5389facb099c83797d

SHA1
488e40701de22854893d1e639788405f9e87a548

SHA256
ab53fd2a4f4bf945bf5265a551a44e0e04bfc2cd74ff6b5e8f567fb2d7cc4c28

SHA512
04a75a60e6e76c9b091a54f5b48e8065870f9ea53bfc9c74a0016efd3e13572ef383ec97da967a0028555b3c9e865cf248d946f765539738ab8ed539006f18bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
77b65a77cac00fe47b16dd4819c4a4c7

SHA1
5d174cc05cfc487ee35db8aaa770930a26529bc0

SHA256
31aa3f7fa15dc18c49e4e36554fbaed761808284a0fa4a792a48e46d267e0383

SHA512
abcc320916161427a5b5683edd9242ad065680eee55f35b770e24c58f3ddb5b77bc1f58bc4c5fb851bec15b441a8de904a10dbb7eeaf6dcdf9460470d3d33d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
867a7c4019a1de8b72e9e92eda192d01

SHA1
840f2fbba14c0d13c4bdfaec616ee6c1dd529bb3

SHA256
716612abbb4f0db8b40dfe66d1e9f3278eea7350b8c93cb7da5f74bb35ba04ee

SHA512
50cb09c611aeb4c9a6ef7cb8535e4c8325fa83a10f398626c9605bb1afc9791135a62d8459ffe55643866706e3ba23de7f30f3eb8e94acd02ed191d9bd08259a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

Filesize
1024KB

MD5
2747a381a878c262484288ab4c0994d8

SHA1
70842dda8a23a028d3eb89f94bb4bb013a1f9f9a

SHA256
6ccc3477eec17ed15e4bd161b15c5253f7a9ee291265511bd7d55dd29270bc48

SHA512
7d4eeebbeabed7d43e2d5955064789ae7a729821b47f3f6b92f687a56f24b022eb65d5610b9d71931a7a1a46651456cbe06a52efd55a31de343efd7fc598ed60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

Filesize
24B

MD5
ae6fbded57f9f7d048b95468ddee47ca

SHA1
c4473ea845be2fb5d28a61efd72f19d74d5fc82e

SHA256
d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

SHA512
f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
0f525f98cb69ff89a6bb8c2f80835ec6

SHA1
044b533e2cf38d046a519d9d482dcef7ea021ad1

SHA256
569ad286b5eb8ebaaefecf92c9c675987d7beb4c2bddc3c1f1c9a88e5245ada3

SHA512
f530669625ed60cc444f30e441009cf189d3e28adbc2fcab1737d4eca7118d02c39d22fbdfdc4ee92cae06e6ad9571e9e7b667eef3e68256ffa26810614fc63f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
2ee22fa65610a2575ceec9163fd2ddc6

SHA1
e9b28ce26dd19a957ec2562de10dd71e8df60db4

SHA256
bc555447b63ff441bbe9f3916e21bae235f6242c748612070028b8b0f4838931

SHA512
ba092430d667f6a07bf9aac60af83097847e7b9f689f48e0ea177f80e58c30d64309c5691c57abd76b06acbd9193b16d9e4bd03b76126355969ba8cac5a3a966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
b14a65284b8dc557bc1b19ceec9dec97

SHA1
0bd00cb4290516695d13f85b5d8aaf96a5ad1758

SHA256
78f19c240036a344f9ea5a7e637f69939d5f5d86ebf0d0b57cf5fe916944f6be

SHA512
e51dae1839194e585ea2a437f0fb56177b22cfe3ca0860c28abe48bbbbf801d45ec542ef435982772f04a90a82c2051b7e9e8b3914c8cb592569c2627ab05993

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
b13c0698dbb84f1fe2417125444426c7

SHA1
ac5375d6c50361e09c2ef8bac3fafa5656f62820

SHA256
4e6ddd1d605bbb56372cec5f7a5cb00f80926f4885bb4d337a9312d18de4a50f

SHA512
933a31a892826157b1132531dbf950ba0c40a0ffaf0351f2d4bab19bbdbc0e9ea591e408b9014c32a5d1d15e0d1366f359db538c58137001b15cc53a42e5f62e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133864022538715484.txt

Filesize
2KB

MD5
ecaea544af9da1114077b951d8cb520d

SHA1
5820b2d71e7b2543cf1804eb91716c4e9f732fde

SHA256
9117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6

SHA512
dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
1KB

MD5
fc1aab432d05c717767d3569b82b83f3

SHA1
3ec62af3ba92fc8d8fb98ef32cb819bffc58d0ed

SHA256
b93618ef3a1c7dd04075b108b93dd899495e0f6f0f6bf710248d2f3f3ecee90e

SHA512
8fd5fb88427654fcc78427804486ab6d7bbf4b2e9c8c2edd0ee2262e6dbba4b8a9af230be021a47716a6cda23e0af5c4e4b5aaea61b94105045b7d2fdae0c255

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
5KB

MD5
40983aedc35d80121eb61ae768aff35f

SHA1
4165dc8639c8ca0c91aa701e8b3d1d6adbd93672

SHA256
7eb42de2fbea05cd7c9553bc7490b8484a47742a145da380458f13fbc9af8216

SHA512
588672c416753a8f25c9d2a4cb88a2881f5775d7430a21a35c7b33de281fc2f1ea4a039eae8a0ab63e7f2c974619eddd9bbafe4592a6bde702045e75590ee9fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\8PKTZ3BC\microsoft.windows[1].xml

Filesize
97B

MD5
77cc82955ce893463f41601027f87ac2

SHA1
735452540cbaec9e70d0e63c0d8433a3ea230678

SHA256
9be9016f70328b4742f54c3a3bb7387bccd76210084593015a42972593d48a34

SHA512
0b060b863f9ec90c3c9e3bac05111f0a793c570b443af6a982df027d13f4377c4b50662c7cbd7e1862fdd985410a08895b45eb80d86a95a950bdc7a4ba727ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

Filesize
51KB

MD5
bd74a3c50fd08981e89d96859e176d68

SHA1
0a98b96aefe60b96722d587b7c3aabcd15927618

SHA256
ab305218ee0e95fa553885fa52f3a25dcc13b4deade8b7993ccb9f230a272837

SHA512
0704243904abc3691177e34606fe2741945f69cf7ecb898655d98e81b145bf707d20cfa0af01fb3aa1cd170e2f3ce8f625b1612e0fcf5eba01f770617ffc9f1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper

Filesize
71KB

MD5
6d7960a52b61551fed5ae46fc1f475aa

SHA1
68424a542d1d8b2ba26486753c9fa63d733172eb

SHA256
9fcc5fc179dc359ce73e4ba4b7730a5ce57fb6575ad9b26171970812de25c5db

SHA512
61a65528964576ea79e9f75b2e39d7562c0f4bf730b605fe6cd67fed41ffae40abe2ece54e277ed3346dff951d59902d5fe4329374e11f813dd571ffaf3c94d9

Download Submit
memory/272-20185-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/1256-20481-0x000001BB04FC0000-0x000001BB04FE0000-memory.dmp

Filesize
128KB

Download
memory/1256-20490-0x000001BB04F80000-0x000001BB04FA0000-memory.dmp

Filesize
128KB

Download
memory/1256-20507-0x000001BB055A0000-0x000001BB055C0000-memory.dmp

Filesize
128KB

Download
memory/2168-19625-0x0000021DD1720000-0x0000021DD1740000-memory.dmp

Filesize
128KB

Download
memory/2168-19609-0x0000021DD1320000-0x0000021DD1340000-memory.dmp

Filesize
128KB

Download
memory/2168-19599-0x0000021DD0400000-0x0000021DD0500000-memory.dmp

Filesize
1024KB

Download
memory/2168-19604-0x0000021DD1360000-0x0000021DD1380000-memory.dmp

Filesize
128KB

Download
memory/2168-19600-0x0000021DD0400000-0x0000021DD0500000-memory.dmp

Filesize
1024KB

Download
memory/2560-20193-0x0000020FCB1A0000-0x0000020FCB1C0000-memory.dmp

Filesize
128KB

Download
memory/2560-20201-0x0000020FCB160000-0x0000020FCB180000-memory.dmp

Filesize
128KB

Download
memory/2560-20224-0x0000020FCB780000-0x0000020FCB7A0000-memory.dmp

Filesize
128KB

Download
memory/2576-20780-0x0000019648390000-0x00000196483B0000-memory.dmp

Filesize
128KB

Download
memory/2576-20773-0x00000196483D0000-0x00000196483F0000-memory.dmp

Filesize
128KB

Download
memory/2956-19298-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/3176-20331-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/3236-20061-0x0000014823520000-0x0000014823540000-memory.dmp

Filesize
128KB

Download
memory/3236-20064-0x0000014823B40000-0x0000014823B60000-memory.dmp

Filesize
128KB

Download
memory/3236-20040-0x0000014823560000-0x0000014823580000-memory.dmp

Filesize
128KB

Download
memory/3236-20036-0x0000014822740000-0x0000014822840000-memory.dmp

Filesize
1024KB

Download
memory/3236-20035-0x0000014822740000-0x0000014822840000-memory.dmp

Filesize
1024KB

Download
memory/3692-19480-0x00000196441E0000-0x0000019644200000-memory.dmp

Filesize
128KB

Download
memory/3692-19481-0x00000196445F0000-0x0000019644610000-memory.dmp

Filesize
128KB

Download
memory/3692-19462-0x0000019644220000-0x0000019644240000-memory.dmp

Filesize
128KB

Download
memory/3736-19598-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/3884-20766-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/3972-20622-0x000001A063200000-0x000001A063300000-memory.dmp

Filesize
1024KB

Download
memory/3972-20620-0x000001A063200000-0x000001A063300000-memory.dmp

Filesize
1024KB

Download
memory/3972-20625-0x000001A064210000-0x000001A064230000-memory.dmp

Filesize
128KB

Download
memory/3972-20632-0x000001A0641D0000-0x000001A0641F0000-memory.dmp

Filesize
128KB

Download
memory/3972-20655-0x000001A0645E0000-0x000001A064600000-memory.dmp

Filesize
128KB

Download
memory/4008-19736-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/4132-20619-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/4156-19454-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/4280-19888-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/4360-19299-0x0000026B15300000-0x0000026B15400000-memory.dmp

Filesize
1024KB

Download
memory/4360-19327-0x0000026B168C0000-0x0000026B168E0000-memory.dmp

Filesize
128KB

Download
memory/4360-19300-0x0000026B15300000-0x0000026B15400000-memory.dmp

Filesize
1024KB

Download
memory/4360-19313-0x0000026B161B0000-0x0000026B161D0000-memory.dmp

Filesize
128KB

Download
memory/4360-19304-0x0000026B16500000-0x0000026B16520000-memory.dmp

Filesize
128KB

Download
memory/4360-19301-0x0000026B15300000-0x0000026B15400000-memory.dmp

Filesize
1024KB

Download
memory/4460-20473-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/4616-19900-0x000002C2C05F0000-0x000002C2C0610000-memory.dmp

Filesize
128KB

Download
memory/4616-19890-0x000002C2BF620000-0x000002C2BF720000-memory.dmp

Filesize
1024KB

Download
memory/4616-19895-0x000002C2C0630000-0x000002C2C0650000-memory.dmp

Filesize
128KB

Download
memory/4616-19922-0x000002C2C0A00000-0x000002C2C0A20000-memory.dmp

Filesize
128KB

Download
memory/4616-19891-0x000002C2BF620000-0x000002C2BF720000-memory.dmp

Filesize
1024KB

Download
memory/4632-20333-0x0000011B1EE00000-0x0000011B1EF00000-memory.dmp

Filesize
1024KB

Download
memory/4632-20334-0x0000011B1EE00000-0x0000011B1EF00000-memory.dmp

Filesize
1024KB

Download
memory/4632-20338-0x0000012320D20000-0x0000012320D40000-memory.dmp

Filesize
128KB

Download
memory/4632-20359-0x00000123209E0000-0x0000012320A00000-memory.dmp

Filesize
128KB

Download
memory/4632-20360-0x00000123210F0000-0x0000012321110000-memory.dmp

Filesize
128KB

Download
memory/4776-20033-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4908-19764-0x000001FEDB3D0000-0x000001FEDB3F0000-memory.dmp

Filesize
128KB

Download
memory/4908-19766-0x000001FEDBAE0000-0x000001FEDBB00000-memory.dmp

Filesize
128KB

Download
memory/4908-19743-0x000001FEDB720000-0x000001FEDB740000-memory.dmp

Filesize
128KB

Download
memory/4908-19739-0x000001FEDA700000-0x000001FEDA800000-memory.dmp

Filesize
1024KB

Download
memory/4908-19738-0x000001FEDA700000-0x000001FEDA800000-memory.dmp

Filesize
1024KB

Download