hxxps://github[.]com/Zusyaku/Malware-Collection-Part-2

Analysis

max time kernel
27s
max time network
30s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 01:50

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Zusyaku/Malware-Collection-Part-2

Score

10^/10

defense_evasion discovery persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\Userinit.exe, C:\\Windows\\first.exe"	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\Userinit.exe, C:\\Windows\\first.exe"	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\Userinit.exe, C:\\Windows\\first.exe"	666.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	666.exe

Blocks application from running via registry modification 3 IoCs

Adds application to list of disallowed applications.

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	666.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	666.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "p2settings.exe"	666.exe

Disables RegEdit via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	666.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	666.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Downloads MZ/PE file 1 IoCs

flow	pid	Process
120	1772	msedge.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\death.exe"	666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell_ise.exe\Debugger = "C:\\Windows\\death.exe"	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\death.exe"	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\death.exe"	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\death.exe"	666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell_ise.exe	666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processhacker.exe	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processhacker.exe\Debugger = "C:\\Windows\\death.exe"	666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	666.exe

Executes dropped EXE 1 IoCs

pid	Process
5892	666.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\666.ico"	666.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	666.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
114	raw.githubusercontent.com
115	raw.githubusercontent.com
116	raw.githubusercontent.com
118	raw.githubusercontent.com
119	raw.githubusercontent.com
120	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "0"	666.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp"	666.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\bn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\ne\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\es\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\offscreendocument.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\iw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\en_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\mr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\fr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\vi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\128.png	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\ca\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\sl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\offscreendocument_main.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\mn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\km\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\uk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\af\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\lt\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1604_2091510297\manifest.fingerprint	msedge.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\first.exe	666.exe
File opened for modification	C:\Windows\death.exe	666.exe
File opened for modification	C:\Windows\666.bmp	666.exe
File opened for modification	C:\Windows\first.exe	666.exe
File created	C:\Windows\666.bmp	666.exe
File created	C:\Windows\death.exe	666.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	666.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Control Panel 1 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\Desktop	666.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133882050620309948"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Discrete;Continuous"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "DebugPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech HW Voice Activation - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Mark"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Ayumi"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3342763580-2723508992-2885672917-1000\{BA005912-C6C5-46D4-911D-27796468C3B0}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Has seleccionado %1 como voz predeterminada."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\lsr1036.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Haruka - Japanese (Japan)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "16000"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Near"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR en-US Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR fr-FR Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Ichiro - Japanese (Japan)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	666.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; computer=NativeSupported; address=NativeSupported; currency=NativeSupported; message=NativeSupported; media=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR it-IT Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\lsr1041.lxa"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SpeechUXPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\CortanaVoices\\Tokens\\MSTTS_V110_enUS_EvaM"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\c3082.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech Recognition Engine - fr-FR Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "6;18;22"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Male"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\AI041041"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "German Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Voices\\Tokens\\MSTTS_V110_EnUS_ZiraM"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\L3082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_HW_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; computer=NativeSupported; address=NativeSupported; currency=NativeSupported; message=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\MSTTSLocjaJP.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\tn3082.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "MS-1040-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech HW Voice Activation - Italian (Italy)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "English Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft David - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Laura"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Zira - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{31350404-77AC-4471-B33A-9020A2EDA1D1}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{57523D96-B7F6-4D2C-8AFC-BCC5F5392E94}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR ja-JP Locale Handler"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "411"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 a 000a e 000b i 000c o 000d u 000e t 000f d 0010 p 0011 b 0012 k 0013 g 0014 ch 0015 jj 0016 f 0017 s 0018 x 0019 m 001a n 001b nj 001c l 001d ll 001e r 001f rr 0020 j 0021 w 0022 th 0023"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR es-ES Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR Engine (11.0) Text Normalization"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech HW Voice Activation - English (United States)"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe
5892	666.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5892	666.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5892	666.exe
2984	StartMenuExperienceHost.exe
4436	SearchApp.exe
736	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 4320	1604	msedge.exe	86
PID 1604 wrote to memory of 4320	1604	msedge.exe	86
PID 1604 wrote to memory of 1772	1604	msedge.exe	87
PID 1604 wrote to memory of 1772	1604	msedge.exe	87
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 4400	1604	msedge.exe	89
PID 1604 wrote to memory of 4400	1604	msedge.exe	89
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 5052	1604	msedge.exe	88
PID 1604 wrote to memory of 4400	1604	msedge.exe	89
PID 1604 wrote to memory of 4400	1604	msedge.exe	89
PID 1604 wrote to memory of 4400	1604	msedge.exe	89

System policy modification 1 TTPs 13 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "~\x7f{â€¡â€°Ë†"	666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "~\x7f{â€¡â€°Ë†"	666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop	666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper = "1"	666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon = "0"	666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\AutoAdminLogon = "0"	666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	666.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop	666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	666.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Zusyaku/Malware-Collection-Part-2
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffac977f208,0x7ffac977f214,0x7ffac977f220
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1832,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=2632 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2184,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2604,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:2
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3480,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5200,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5208,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5580,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5628,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5628,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5108,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5136,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3448,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=6248 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=5728,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6732,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=6768 /prefetch:8
  2⤵
  PID:5084
- C:\Users\Admin\Downloads\666.exe
  "C:\Users\Admin\Downloads\666.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:5892

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5356

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4436

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa397c855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
df2d1721cd4e4eff7049314710dc7c11

SHA1
f5aed0158b2c0a00302f743841188881d811637a

SHA256
ba336ffd1b01965d7ab0e5fac5415e43cb594139c76b19e4c0d9b5b3b67c1e93

SHA512
11fd520176193f284563c7d050e6a7ab4e9895bac49fdc05759bab2c8a69f224858ccc784b351fc1d3ee5d39345430f9234623c9390978d7daf6a08ff5576ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
5c83e107d31aa5cb971356cfd32b931e

SHA1
dbd69ae500064da7068693f9d63fb87ccbba0fe2

SHA256
5c0138218ff3e1b2c4bfe7cbb5e53781dd744ae99d5755f7db818c0619e498d3

SHA512
f79640e09c54ddd9a34f15b5d83d260c28391b77995a4ae5e3f6640ca8840ffe6e37830b9a7cd64fc60ebfa14dd09c50de29419508dddef859c442000b6231a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
d673ddf81b82ad3bfdd207f046cccb6a

SHA1
eb20483237fb10caa785090dac086e19d1430925

SHA256
3e744697dd06351c93d7e96197234822b6e17a216199359edcfa9299f3b51242

SHA512
fa0b8fa734c033ab9800dd708e6c9dab681338f8c0fb736cc348b2111700e68f960f0c4425651c7b711bf8a3bb47adbd5496ff90fc7b4c0975ee41f1440883d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
21KB

MD5
ec136f9a5175bf1eb52d396d73460233

SHA1
b97e0b16facab3b17d6db7cae9628df1b74bf176

SHA256
81688aa8ca09253d2007f2a078bba68b98d3ceaee49d41e97ef910b471b96df2

SHA512
1a07cc9f7cfdcbc619443067e73365d13e9db9d82a8808f2356a82cb0ff3c252504402321a57edd1546c66a9ded32f563c14ebc69ac397557215f62394741898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
3751368ac66ab9f9d890f0a2ee64c436

SHA1
fb1ec5f4959d07be0eb68b817e5e69d6e0e8deed

SHA256
b5c504535097e9354c12e3999722b9d8b591a3f1dc38b07c1dee54f239be0076

SHA512
acdf6b8ab0c9f85592101ad9bbf17e91da8670ac2c52cf6abc7b1db9029f8921ba23df2a61879503731a29d71fb1eacf841da9af2563c9da2a448121145e5588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
a9beb6977a18f364f29caae4776bec12

SHA1
1a67c54333078b07041f5bea778c70568a76284a

SHA256
367c56b2c6644109736e966f7d24641e596b96be6b48db4ba9a2cf698d2ecd00

SHA512
d10a57cc65bcd78a81ac7a3325e8e5674bfdeaae88adf665f570ad3d9c7d71a917c32ac369ac9734be6cf3c905b27f4408bbdb8c7979c45fa3f1424daef9c2d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
8d536ba5dae7d8819039906231fd701c

SHA1
ca2e277a608dfb5db4cf885c7bc9a098c5f71eca

SHA256
e7dfa0f015f4cbb729103f28b58f5c9b1c5f0548b390f730456e62e447d8fe11

SHA512
8d35ecfbf1ea2b55f644e990b2b9ac13f3d86745d025d667287f7a63f99f899a72896909c72841cf6be9497d38a933b6cb19a6c8a65f07f27b3d27820d34b845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
892d44f4bc2ac71aa95a431846ba0b9e

SHA1
dadc9a7f3e19addfdf7b8725d3144ca0335d109e

SHA256
8eb9ea94df80ced7fe3de33be62d6e66078edf380a805890c1ce0feefc6364b5

SHA512
36cf55409ed8fc6e9b10c8cf58ceb248867306ae8ca8fd3ff03e020f36f10912773a7c6f5caac0b91c24aeb4710ee8e53efc6bd0811ec79647df2e4ce3a74ad2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133882050755172422.txt

Filesize
85KB

MD5
b6cc1b03395e59dfb431bf8590770495

SHA1
23ccc50ed8cfe65a61ea20fb1571232175a673c2

SHA256
645a99b8dbb436cf436819b794c4855319e33812e8aed0110dd303be4d718023

SHA512
108a191f20e2a5d67d5f6f0b1a3d995dc4d0c6e135ab7fae67fb5477fa2d23ec31680c849f9e1f26177a27d5c1708ad6ad403395cf2b9765ce20089726880fac

Download Submit
C:\Users\Admin\Downloads\666.exe.crdownload

Filesize
4.0MB

MD5
fb06afbe05e9006fb0974b34db9b3e47

SHA1
798adfdf387a81d4e4784508b1c7a45c2574e5fb

SHA256
4958c554787a589449e918fc5e3acc61b0ca61fdbf7ce0b658d4f60e2052f48e

SHA512
5a7d0ae0e43cce249f4a8bd1239697a36b6f903336b23dd0b9c7aec415e0209dd24385e4f90d14a911208214415625f4a90ac490c1439f48be34cabde1c89080

Download Submit
memory/4436-776-0x000001CE05500000-0x000001CE05600000-memory.dmp

Filesize
1024KB

Download
memory/4436-781-0x000001CE06410000-0x000001CE06430000-memory.dmp

Filesize
128KB

Download
memory/4436-792-0x000001CE063D0000-0x000001CE063F0000-memory.dmp

Filesize
128KB

Download
memory/4436-803-0x000001CE067E0000-0x000001CE06800000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads