a759a7890339539e919244c1e2f438ee64efa29523722b98eaa862e4760f2e65

Analysis

max time kernel
149s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 08:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
Size

816KB
MD5

1a8d14612eb50ba085a4bdfe7114739b
SHA1

47782eedbd2c766052da4a80e8618f4c4992edac
SHA256

a759a7890339539e919244c1e2f438ee64efa29523722b98eaa862e4760f2e65
SHA512

d8d42c5ade0beb7e36477b977b8f6e94601314930485aa3a97c153e7b5d3d3a9c216a71a739f1fefc4b3086f36f29b8cc12b603140b6f18ff0fabcbf3c6c173f
SSDEEP

12288:cPl+qkZDtg2uQzG3XdBLO4U6AqSl5ciBqnFV+:ctl4g2nz+X3i4UvlqiAF

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Spanish Phone Converter"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR en-US Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "11.0.2016.0129"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Discrete;Continuous"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR Engine (11.0) Text Normalization"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 aa 000a ae 000b ah 000c ao 000d aw 000e ax 000f ay 0010 b 0011 ch 0012 d 0013 dh 0014 eh 0015 er 0016 ey 0017 f 0018 g 0019 h 001a ih 001b iy 001c jh 001d k 001e l 001f m 0020 n 0021 ng 0022 ow 0023 oy 0024 p 0025 r 0026 s 0027 sh 0028 t 0029 th 002a uh 002b uw 002c v 002d w 002e y 002f z 0030 zh 0031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Near"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "404"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = 4f12242f895bd461c879f1e773d97c8ee816e4b5a37737ac6216dd9bb9e3a2bb	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search\Total = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheVersion = "1"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "English Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft David - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HW"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "40A;C0A"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Zira"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheVersion = "1"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "409"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{2984A9DB-5689-43AD-877D-14999A15DD46}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{06405088-BC01-4E08-B392-5303E75090C8}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Mark"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SW"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "804"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Voices\\Tokens\\MSTTS_V110_EnUS_ZiraM"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "6;18;22"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Zira - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "11.0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheLimit = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{37A9D401-0BF5-4366-9530-C75C6DC23EC9}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "en-US"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\NumberOfSubdomains = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "1"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search\ = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Traditional Chinese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "40C"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "1033"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CacheLimit = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2728	svchost.exe
Token: SeDebugPrivilege	3748	SearchApp.exe
Token: SeDebugPrivilege	3748	SearchApp.exe
Token: SeDebugPrivilege	3748	SearchApp.exe
Token: SeDebugPrivilege	3748	SearchApp.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4352	1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
4160	SearchApp.exe
3748	SearchApp.exe

C:\Users\Admin\AppData\Local\Temp\1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a8d14612eb50ba085a4bdfe7114739b_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4352

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:4016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4160

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:4164

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:3964

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
1⤵
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp

Filesize
8KB

MD5
2a064e35cff16be0b710bcc54e1e0ac3

SHA1
e7adb4ba45fbedffa61fedc5dc21742c070f812a

SHA256
d22074e50f51b30c944ca9e7e8f995fab5b77350fe11f09a5f9882f3528a197d

SHA512
f3175d8d87ccf3bc19db7d4f61af72a55b09f134cb9f00b9b6701015823ff58a1dcf81264fd2530bc3cf6d6b72a1b4f3aee8eb5d8953cec81f7850d6df683d51

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\F1I8M0RI\microsoft.windows[1].xml

Filesize
97B

MD5
5bc2f1e161a7206c65dc5d208b184523

SHA1
5205351764be33c7bb45f69c90bca91693cb2715

SHA256
1d6aeab007dd83091cd3b465f3c408296701b5dc41218076003036e0c3447e36

SHA512
733205945bbc6414115f18717fa66304cf458f1c995009a21538cb3d85726c0a26baf01722a335e776a3f423a5bfe653645244147242344c8dccca7591d7a69a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{288f055f-3f29-4580-9d04-e48d8f6010c9}\0.0.filtertrie.intermediate.txt

Filesize
1KB

MD5
9913dee3ab28ad6ebd60b930d6ee8da3

SHA1
6e6327df9f85d9037d83a4f537f32541f46a1dbc

SHA256
3bfac338a56813338b62dba88261ff9b1aa7e505af5f7a50ab9960a35f6ed5e4

SHA512
e7dead4ccbd7468e7d3d1cc930be40bc5fa0a881b406318bd56346b27651c3a58611c086b369de641f058af5748fa02eb5e02b9f482ff2443d2fbf442c04188d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{288f055f-3f29-4580-9d04-e48d8f6010c9}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{288f055f-3f29-4580-9d04-e48d8f6010c9}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{288f055f-3f29-4580-9d04-e48d8f6010c9}\Apps.ft

Filesize
2KB

MD5
ae92d8e34c6863d31010632e1472cd7e

SHA1
b6a286b8bc20d4b8fa1b29d234d71a89d696de9a

SHA256
ed6fdb649852ae050e65b42f4b2f0151f06aeb57f58aee36818fd6925ce1e217

SHA512
589e9ee259b2efe4cd4d94307075850274d324ba4232d2870ba4bf8fc570ad0b2d9b9ba1ea31f9aa81615b144c61418c6d09d6b24200a5d16b01eb36450e5eab

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{288f055f-3f29-4580-9d04-e48d8f6010c9}\Apps.index

Filesize
881KB

MD5
832fb9cd22b122f6c9d68f9f4fcc3424

SHA1
d398a299d12f6aeb005c724d1abd62edebabbac3

SHA256
e439f475eb0b32c6dfc9fc485c979b3e15126b54995e2ff9719bc4aa1910339a

SHA512
ba9e934a0880d09c4675d012215001feb282beca68d6c9885caaaabb31d6d3ef32bfb0d48cc9132bb977eee64ade2245fba29c6d5878e9dc9d3c740268d47922

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{740e3a06-c6ed-4cd9-a56d-3af5d908e0fc}\apps.csg

Filesize
444B

MD5
5475132f1c603298967f332dc9ffb864

SHA1
4749174f29f34c7d75979c25f31d79774a49ea46

SHA256
0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

SHA512
54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{740e3a06-c6ed-4cd9-a56d-3af5d908e0fc}\apps.schema

Filesize
150B

MD5
1659677c45c49a78f33551da43494005

SHA1
ae588ef3c9ea7839be032ab4323e04bc260d9387

SHA256
5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

SHA512
740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{740e3a06-c6ed-4cd9-a56d-3af5d908e0fc}\appsconversions.txt

Filesize
1.4MB

MD5
2bef0e21ceb249ffb5f123c1e5bd0292

SHA1
86877a464a0739114e45242b9d427e368ebcc02c

SHA256
8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307

SHA512
f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{740e3a06-c6ed-4cd9-a56d-3af5d908e0fc}\appsglobals.txt

Filesize
343KB

MD5
931b27b3ec2c5e9f29439fba87ec0dc9

SHA1
dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

SHA256
541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

SHA512
4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{740e3a06-c6ed-4cd9-a56d-3af5d908e0fc}\appssynonyms.txt

Filesize
237KB

MD5
06a69ad411292eca66697dc17898e653

SHA1
fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

SHA256
2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

SHA512
ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133642951030386857.txt

Filesize
2KB

MD5
ecaea544af9da1114077b951d8cb520d

SHA1
5820b2d71e7b2543cf1804eb91716c4e9f732fde

SHA256
9117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6

SHA512
dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
1KB

MD5
6ba17ff0efbf93d563a5582bf05bc71a

SHA1
e9a262ffbe27314cba5317f32343957eafef6f1d

SHA256
fe900cc38808db1b218d28379dfc5194c2c5fcc512f5ce1b44097bc68416d993

SHA512
8b4f044b7e42f2b6ddae0c27f503ca74f808c864eb226b638a0da37bed2968b476433020b2711ed8bebe73062c51ee33190f35e08ac8ecfa4671ab22247af365

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
1KB

MD5
31633d552589104772a297b156282dc9

SHA1
1ad53813eb453f02159420d3b8decf119903432d

SHA256
61e900dec3ad34bf2bc4d3ca1905bcd3c638f90adb1adb7ffcb09ea0d251895a

SHA512
1a0d14d75ec71b846e6bb55e093b66c75fac832b9b808d9793bc731c3116a438630fb393cea45d1c4c1651f85ad50f70866f56171d5c6a2f7ac904582d506a34

Download Submit
memory/2728-47-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-49-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-55-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-54-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-57-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-56-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-60-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-59-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-58-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-61-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-63-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-62-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-64-0x00000240D6570000-0x00000240D6571000-memory.dmp

Filesize
4KB

Download
memory/2728-65-0x00000240D6570000-0x00000240D6571000-memory.dmp

Filesize
4KB

Download
memory/2728-66-0x00000240D6580000-0x00000240D6581000-memory.dmp

Filesize
4KB

Download
memory/2728-67-0x00000240D65D0000-0x00000240D65D1000-memory.dmp

Filesize
4KB

Download
memory/2728-68-0x00000240D65D0000-0x00000240D65D1000-memory.dmp

Filesize
4KB

Download
memory/2728-2-0x00000240CE140000-0x00000240CE150000-memory.dmp

Filesize
64KB

Download
memory/2728-37-0x00000240D63F0000-0x00000240D63F1000-memory.dmp

Filesize
4KB

Download
memory/2728-39-0x00000240D6530000-0x00000240D6531000-memory.dmp

Filesize
4KB

Download
memory/2728-52-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-51-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-50-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-18-0x00000240CE240000-0x00000240CE250000-memory.dmp

Filesize
64KB

Download
memory/2728-48-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-53-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-46-0x00000240D6560000-0x00000240D6561000-memory.dmp

Filesize
4KB

Download
memory/2728-45-0x00000240D6540000-0x00000240D6541000-memory.dmp

Filesize
4KB

Download
memory/2728-44-0x00000240D6540000-0x00000240D6541000-memory.dmp

Filesize
4KB

Download
memory/2728-41-0x00000240D6530000-0x00000240D6531000-memory.dmp

Filesize
4KB

Download
memory/2728-42-0x00000240D6540000-0x00000240D6541000-memory.dmp

Filesize
4KB

Download
memory/3748-110-0x000002A0FEA30000-0x000002A0FEA50000-memory.dmp

Filesize
128KB

Download
memory/3748-91-0x000002A0FE3A0000-0x000002A0FE3C0000-memory.dmp

Filesize
128KB

Download
memory/3748-75-0x000002A0FE3E0000-0x000002A0FE400000-memory.dmp

Filesize
128KB

Download