Analysis
max time kernel: 124s
max time network: 136s
platform: windows10-ltsc_2021_x64
resource: win10ltsc2021-20250314-en
resource tags: arch:x64 arch:x86 image:win10ltsc2021-20250314-en locale:en-us os:windows10-ltsc_2021-x64 system
submitted: 21/03/2025, 20:49
Behavioral task: behavioral1
Sample: pisun.exe
Resource: win10ltsc2021-20250314-en
Errors
General
Target: pisun.exe
Size: 54KB
MD5: 45140e967970cd63521eaa76dc4db7d7
SHA1: aae8aa4c5fb8e1d5a830f1f095d7550a89b7634a
SHA256: 3990ab6d73f0a92606cb4c86d39e077f014da65413a264be94d03ca8478e64b8
SHA512: d8c5274fc1c66700c3fb63527973cb20106070698eebdf90e6b3f9ace371e34a653e382f949683d9aab0cb33fdd00ab2b943e499a4d2d6f42a24822fa2142129
SSDEEP: 768:U8I0g652Esltuq55JR2ET3NwJSNbxWQG35bmaePD5PvXOC2XXJdxIEpmvg:U8ZVGtZ5DTCGlWQcGD0LX3xIEpmvg
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
Njrat family
-
ModiLoader Second Stage 3 IoCs
resource yara_rule
behavioral1/files/0x0008000000028249-29.dat modiloader_stage2
behavioral1/memory/3580-38-0x0000000000400000-0x000000000046A000-memory.dmp modiloader_stage2
behavioral1/memory/3580-40-0x0000000000400000-0x000000000046A000-memory.dmp modiloader_stage2
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation pisun.exe
Key value queried \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation c25bc3a215454c08b6d316bc3b0da046.exe
Key value queried \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation 5fda5be195fc4b58b1f5e73f3bef5d6c.exe
-
Executes dropped EXE 7 IoCs
pid Process
1824 5fda5be195fc4b58b1f5e73f3bef5d6c.exe
3580 c25bc3a215454c08b6d316bc3b0da046.exe
5236 24f42c7a7aa449d28b33f49ca1b65d82.exe
4488 6576448befc34053be36e65d415e8e6e.exe
3756 1e25feadfc42484e92b88ff9bc327934.exe
3968 211d6587ee2d4d799117e95e10e05dc0.exe
2044 f7aa3b071ce244ddae6079fac73f648b.exe
-
Impair Defenses: Safe Mode Boot 1 TTPs 7 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc c25bc3a215454c08b6d316bc3b0da046.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power c25bc3a215454c08b6d316bc3b0da046.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys c25bc3a215454c08b6d316bc3b0da046.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc c25bc3a215454c08b6d316bc3b0da046.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend c25bc3a215454c08b6d316bc3b0da046.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager c25bc3a215454c08b6d316bc3b0da046.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys c25bc3a215454c08b6d316bc3b0da046.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c25bc3a215454c08b6d316bc3b0da046.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c25bc3a215454c08b6d316bc3b0da046.exe" c25bc3a215454c08b6d316bc3b0da046.exe
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\E: explorer.exe
File opened (read-only) \??\F: explorer.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process
File opened for modification \??\PhysicalDrive0 211d6587ee2d4d799117e95e10e05dc0.exe
File opened for modification \??\PhysicalDrive0 pisun.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target
2712 3968 WerFault.exe 108
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fda5be195fc4b58b1f5e73f3bef5d6c.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c25bc3a215454c08b6d316bc3b0da046.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24f42c7a7aa449d28b33f49ca1b65d82.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6576448befc34053be36e65d415e8e6e.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 211d6587ee2d4d799117e95e10e05dc0.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language shutdown.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pisun.exe
-
Checks SCSI registry key(s) 3 TTPs 58 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe
Key created \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe
-
Modifies registry class 64 IoCs
SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 a 000a e 000b i 000c o 000d u 000e t 000f d 0010 p 0011 b 0012 k 0013 g 0014 ch 0015 jj 0016 f 0017 s 0018 x 0019 m 001a n 001b nj 001c l 001d ll 001e r 001f rr 0020 j 0021 w 0022 th 0023" SearchApp.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3580 c25bc3a215454c08b6d316bc3b0da046.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
3736 explorer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 4272 pisun.exe
Token: 33 4272 pisun.exe
Token: SeIncBasePriorityPrivilege 4272 pisun.exe
Token: SeDebugPrivilege 1824 5fda5be195fc4b58b1f5e73f3bef5d6c.exe
Token: 33 1824 5fda5be195fc4b58b1f5e73f3bef5d6c.exe
Token: SeIncBasePriorityPrivilege 1824 5fda5be195fc4b58b1f5e73f3bef5d6c.exe
Token: SeShutdownPrivilege 3736 explorer.exe
Token: SeCreatePagefilePrivilege 3736 explorer.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
3736 explorer.exe
Suspicious use of SendNotifyMessage 27 IoCs
pid Process
3736 explorer.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
3360 StartMenuExperienceHost.exe
1740 SearchApp.exe
5236 24f42c7a7aa449d28b33f49ca1b65d82.exe
3736 explorer.exe
4488 6576448befc34053be36e65d415e8e6e.exe
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target
PID 4272 wrote to memory of 1824 4272 pisun.exe 91
PID 4272 wrote to memory of 3580 4272 pisun.exe 93
PID 3580 wrote to memory of 3736 3580 c25bc3a215454c08b6d316bc3b0da046.exe 95
PID 1824 wrote to memory of 5236 1824 5fda5be195fc4b58b1f5e73f3bef5d6c.exe 104
PID 1824 wrote to memory of 4488 1824 5fda5be195fc4b58b1f5e73f3bef5d6c.exe 105
PID 4272 wrote to memory of 3756 4272 pisun.exe 107
PID 4272 wrote to memory of 3968 4272 pisun.exe 108
PID 4272 wrote to memory of 2044 4272 pisun.exe 112
PID 4272 wrote to memory of 4052 4272 pisun.exe 113
PID 4052 wrote to memory of 4324 4052 cmd.exe 115
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\pisun.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\pisun.exe"
PID: 4272
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\5fda5be195fc4b58b1f5e73f3bef5d6c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5fda5be195fc4b58b1f5e73f3bef5d6c.exe"
    PID: 1824
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\24f42c7a7aa449d28b33f49ca1b65d82.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\24f42c7a7aa449d28b33f49ca1b65d82.exe"
        PID: 5236
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\AppData\Local\Temp\6576448befc34053be36e65d415e8e6e.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\6576448befc34053be36e65d415e8e6e.exe"
        PID: 4488
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\c25bc3a215454c08b6d316bc3b0da046.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c25bc3a215454c08b6d316bc3b0da046.exe"
    PID: 3580
    - Checks computer location settings
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

        C:\Windows\explorer.exe
        Command line: "C:\Windows\explorer.exe"
        PID: 3736
        - Boot or Logon Autostart Execution: Active Setup
        - Enumerates connected drives
        - Checks SCSI registry key(s)
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\1e25feadfc42484e92b88ff9bc327934.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1e25feadfc42484e92b88ff9bc327934.exe"
    PID: 3756
    - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\211d6587ee2d4d799117e95e10e05dc0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\211d6587ee2d4d799117e95e10e05dc0.exe"
    PID: 3968
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 524
        PID: 2712
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\f7aa3b071ce244ddae6079fac73f648b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f7aa3b071ce244ddae6079fac73f648b.exe"
    PID: 2044
    - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c start shutdown /r /f /t 3
    PID: 4052
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown /r /f /t 3
        PID: 4324
        - System Location Discovery: System Language Discovery

C:\Windows\explorer.exe
Command line: explorer.exe
PID: 5448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID: 3360
- Suspicious use of SetWindowsHookEx

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID: 1740
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx

C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x310 0x3e8
PID: 5808

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3968 -ip 3968
PID: 2028

C:\Windows\system32\LogonUI.exe
Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39db855 /state1:0x41c64e6d
PID: 1528
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Impair Defenses (1)
  - Safe Mode Boot (1)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133870638714209394.txt
Filesize: 83KB