7bf3e402c9332f4c8249298ff3ef89a09e9d38b9a11ac19a32240caf19c1e3ba

Processes:

stinger64.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEXPLORE.EXE	stinger64.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

SIV64X.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SIV64X.exe

Executes dropped EXE 24 IoCs

Processes:

update-smart-drivedb.exesmartctl.exesmartctl.exesmartctl.exesmartctl.exesmartctl.exesmartctl.exewget.exewget.exewget.exewget.exewget.exewget.exenircmdc.exenircmdc.exenircmdc.exesolitaire.exesolitaire64-3534.exeSIV64X.exeEverything.execaffeine.exeProcessKiller.exeERUNT.EXEstinger64.exe

pid	process
3428	update-smart-drivedb.exe
1584	smartctl.exe
632	smartctl.exe
3432	smartctl.exe
4224	smartctl.exe
2380	smartctl.exe
1064	smartctl.exe
4552	wget.exe
916	wget.exe
1420	wget.exe
1192	wget.exe
3508	wget.exe
4776	wget.exe
1984	nircmdc.exe
4808	nircmdc.exe
3760	nircmdc.exe
1920	solitaire.exe
1472	solitaire64-3534.exe
1008	SIV64X.exe
4732	Everything.exe
4576	caffeine.exe
4916	ProcessKiller.exe
964	ERUNT.EXE
4624	stinger64.exe

Loads dropped DLL 6 IoCs

Processes:

update-smart-drivedb.exeSIV64X.exestinger64.exe

pid process

3428 update-smart-drivedb.exe
3428 update-smart-drivedb.exe
3428 update-smart-drivedb.exe
1008 SIV64X.exe
1008 SIV64X.exe
4624 stinger64.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

stinger64.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" stinger64.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	stinger64.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\tron\resources\stage_0_prep\capture_screenshot\nircmdc.exe	upx
behavioral1/memory/1984-3436-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/1984-3438-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/4808-3441-0x0000000000400000-0x000000000041B000-memory.dmp	upx
C:\Users\Admin\Desktop\tron\resources\stage_0_prep\backup_registry\ERUNT.EXE	upx
behavioral1/memory/964-3562-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/964-3571-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 6 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

smartctl.exesmartctl.exesmartctl.exesmartctl.exesmartctl.exesmartctl.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	smartctl.exe
File opened for modification	\??\PhysicalDrive0	smartctl.exe
File opened for modification	\??\PhysicalDrive0	smartctl.exe
File opened for modification	\??\PhysicalDrive0	smartctl.exe
File opened for modification	\??\PhysicalDrive0	smartctl.exe
File opened for modification	\??\PhysicalDrive0	smartctl.exe

Drops file in System32 directory 7 IoCs

Processes:

stinger64.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dwm.exe	stinger64.exe
File opened for modification	C:\Windows\System32\svchost.exe	stinger64.exe
File opened for modification	C:\Windows\System32\spoolsv.exe	stinger64.exe
File opened for modification	C:\Windows\system32\winlogon.exe	stinger64.exe
File opened for modification	C:\Windows\system32\lsass.exe	stinger64.exe
File opened for modification	C:\Windows\system32\fontdrvhost.exe	stinger64.exe
File opened for modification	C:\Windows\system32\svchost.exe	stinger64.exe

Drops file in Program Files directory 4 IoCs

Processes:

stinger64.exe

description	ioc	process
File created	C:\Program Files\stinger\lockdown.dll	stinger64.exe
File created	C:\Program Files\stinger\OpenSans-Regular-webfont.ttf	stinger64.exe
File created	C:\Program Files\stinger\OpenSans-Light-webfont.ttf	stinger64.exe
File opened for modification	C:\Program Files\stinger\mcscan.vlt	stinger64.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5056 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5056	sc.exe

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\tron\resources\stage_6_optimize\defrag\update-smart-drivedb.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exeSIV64X.exevssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SIV64X.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000324c0cbb4829e1b20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000324c0cbb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900324c0cbb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d324c0cbb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000324c0cbb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation	SIV64X.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

SIV64X.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	SIV64X.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\4	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	SIV64X.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SIV64X.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\1	SIV64X.exe

Enumerates processes with tasklist 1 TTPs 7 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

5024 tasklist.exe
3652 tasklist.exe
1480 tasklist.exe
4344 tasklist.exe
3604 tasklist.exe
3188 tasklist.exe
4432 tasklist.exe

pid	process
5024	tasklist.exe
3652	tasklist.exe
1480	tasklist.exe
4344	tasklist.exe
3604	tasklist.exe
3188	tasklist.exe
4432	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

SIV64X.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VirtualAddressBits	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PhysicalAddressBits	SIV64X.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

4524 ipconfig.exe
2932 ipconfig.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3092 taskkill.exe
5052 taskkill.exe

pid	process
4524	ipconfig.exe
2932	ipconfig.exe

pid	process
3092	taskkill.exe
5052	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

Processes:

SearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

ERUNT.EXE

description ioc process

Key created \REGISTRY\USER\.DEFAULT ERUNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT	ERUNT.EXE

Modifies registry class 64 IoCs

Processes:

SearchApp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Helena"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "411"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Anywhere;Trailing"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5233694"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "11.0.2013.1022"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR en-US Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ichiro - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - it-IT Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "404"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR de-DE Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{57523D96-B7F6-4D2C-8AFC-BCC5F5392E94}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lookup Lexicon"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\lsr1036.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "410"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{0CFAE939-931E-4305-8D05-8C76C254EB34}"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = 49553b76dbc112bcd96e2ce32f82aa3750d88abb05779f5fac65e84c5363077e	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\MSTTSLocfrFR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ichiro"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_HW_de-DE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\L1036"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\tn1041.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "English Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; net=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; Name=NativeSupported; media=NativeSupported; message=NativeSupported; companyName=NativeSupported; computer=NativeSupported; math=NativeSupported; duration=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\c1041.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Universal Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "DebugPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR de-DE Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_HW_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Helena - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\M1040Elsa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ayumi"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ichiro"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "6;18;22"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Katja"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Sie haben %1 als Standardstimme ausgewählt."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Has seleccionado %1 como voz predeterminada."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ayumi - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\tn1033.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-3082-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Female"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "409;9"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "407"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SpeechUXPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\CortanaVoices\\Tokens\\MSTTS_V110_enUS_EvaM"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR Engine (11.0) Text Normalization"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40A;C0A"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\AI041036"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\L1041"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; address=NativeSupported; message=NativeSupported; url=NativeSupported; currency=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

stinger64.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	stinger64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	stinger64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	stinger64.exe

Runs net.exe
Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2908 PING.EXE
4416 PING.EXE
3376 PING.EXE
540 PING.EXE
2992 PING.EXE
2136 PING.EXE
3912 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid process

4528 svchost.exe

pid	process
2908	PING.EXE
4416	PING.EXE
3376	PING.EXE
540	PING.EXE
2992	PING.EXE
2136	PING.EXE
3912	PING.EXE

pid	process
4528	svchost.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

powershell.exepowershell.exesolitaire64-3534.exetaskmgr.exeSIV64X.exepowershell.exeProcessKiller.exestinger64.exe

pid	process
4340	powershell.exe
4340	powershell.exe
1104	powershell.exe
1104	powershell.exe
1472	solitaire64-3534.exe
1472	solitaire64-3534.exe
1472	solitaire64-3534.exe
1472	solitaire64-3534.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
1008	SIV64X.exe
1008	SIV64X.exe
1008	SIV64X.exe
1008	SIV64X.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
3916	powershell.exe
3916	powershell.exe
4916	ProcessKiller.exe
4624	stinger64.exe
4624	stinger64.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe
Token: SeSecurityPrivilege	1684	WMIC.exe
Token: SeTakeOwnershipPrivilege	1684	WMIC.exe
Token: SeLoadDriverPrivilege	1684	WMIC.exe
Token: SeSystemProfilePrivilege	1684	WMIC.exe
Token: SeSystemtimePrivilege	1684	WMIC.exe
Token: SeProfSingleProcessPrivilege	1684	WMIC.exe
Token: SeIncBasePriorityPrivilege	1684	WMIC.exe
Token: SeCreatePagefilePrivilege	1684	WMIC.exe
Token: SeBackupPrivilege	1684	WMIC.exe
Token: SeRestorePrivilege	1684	WMIC.exe
Token: SeShutdownPrivilege	1684	WMIC.exe
Token: SeDebugPrivilege	1684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1684	WMIC.exe
Token: SeRemoteShutdownPrivilege	1684	WMIC.exe
Token: SeUndockPrivilege	1684	WMIC.exe
Token: SeManageVolumePrivilege	1684	WMIC.exe
Token: 33	1684	WMIC.exe
Token: 34	1684	WMIC.exe
Token: 35	1684	WMIC.exe
Token: 36	1684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe
Token: SeSecurityPrivilege	1684	WMIC.exe
Token: SeTakeOwnershipPrivilege	1684	WMIC.exe
Token: SeLoadDriverPrivilege	1684	WMIC.exe
Token: SeSystemProfilePrivilege	1684	WMIC.exe
Token: SeSystemtimePrivilege	1684	WMIC.exe
Token: SeProfSingleProcessPrivilege	1684	WMIC.exe
Token: SeIncBasePriorityPrivilege	1684	WMIC.exe
Token: SeCreatePagefilePrivilege	1684	WMIC.exe
Token: SeBackupPrivilege	1684	WMIC.exe
Token: SeRestorePrivilege	1684	WMIC.exe
Token: SeShutdownPrivilege	1684	WMIC.exe
Token: SeDebugPrivilege	1684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1684	WMIC.exe
Token: SeRemoteShutdownPrivilege	1684	WMIC.exe
Token: SeUndockPrivilege	1684	WMIC.exe
Token: SeManageVolumePrivilege	1684	WMIC.exe
Token: 33	1684	WMIC.exe
Token: 34	1684	WMIC.exe
Token: 35	1684	WMIC.exe
Token: 36	1684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2512	WMIC.exe
Token: SeSecurityPrivilege	2512	WMIC.exe
Token: SeTakeOwnershipPrivilege	2512	WMIC.exe
Token: SeLoadDriverPrivilege	2512	WMIC.exe
Token: SeSystemProfilePrivilege	2512	WMIC.exe
Token: SeSystemtimePrivilege	2512	WMIC.exe
Token: SeProfSingleProcessPrivilege	2512	WMIC.exe
Token: SeIncBasePriorityPrivilege	2512	WMIC.exe
Token: SeCreatePagefilePrivilege	2512	WMIC.exe
Token: SeBackupPrivilege	2512	WMIC.exe
Token: SeRestorePrivilege	2512	WMIC.exe
Token: SeShutdownPrivilege	2512	WMIC.exe
Token: SeDebugPrivilege	2512	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2512	WMIC.exe
Token: SeRemoteShutdownPrivilege	2512	WMIC.exe
Token: SeUndockPrivilege	2512	WMIC.exe
Token: SeManageVolumePrivilege	2512	WMIC.exe
Token: 33	2512	WMIC.exe
Token: 34	2512	WMIC.exe
Token: 35	2512	WMIC.exe
Token: 36	2512	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2512	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe
2308	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

caffeine.exeStartMenuExperienceHost.exeSearchApp.exestinger64.exe

pid process

4576 caffeine.exe
4576 caffeine.exe
4496 StartMenuExperienceHost.exe
4376 SearchApp.exe
4624 stinger64.exe

pid	process
4576	caffeine.exe
4576	caffeine.exe
4496	StartMenuExperienceHost.exe
4376	SearchApp.exe
4624	stinger64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3648 wrote to memory of 2940	3648	cmd.exe	cmd.exe
PID 3648 wrote to memory of 2940	3648	cmd.exe	cmd.exe
PID 2940 wrote to memory of 1684	2940	cmd.exe	WMIC.exe
PID 2940 wrote to memory of 1684	2940	cmd.exe	WMIC.exe
PID 2940 wrote to memory of 3144	2940	cmd.exe	find.exe
PID 2940 wrote to memory of 3144	2940	cmd.exe	find.exe
PID 3648 wrote to memory of 2896	3648	cmd.exe	cmd.exe
PID 3648 wrote to memory of 2896	3648	cmd.exe	cmd.exe
PID 2896 wrote to memory of 2512	2896	cmd.exe	WMIC.exe
PID 2896 wrote to memory of 2512	2896	cmd.exe	WMIC.exe
PID 2896 wrote to memory of 1104	2896	cmd.exe	findstr.exe
PID 2896 wrote to memory of 1104	2896	cmd.exe	findstr.exe
PID 3648 wrote to memory of 5000	3648	cmd.exe	cmd.exe
PID 3648 wrote to memory of 5000	3648	cmd.exe	cmd.exe
PID 5000 wrote to memory of 3452	5000	cmd.exe	reg.exe
PID 5000 wrote to memory of 3452	5000	cmd.exe	reg.exe
PID 5000 wrote to memory of 3764	5000	cmd.exe	find.exe
PID 5000 wrote to memory of 3764	5000	cmd.exe	find.exe
PID 3648 wrote to memory of 4248	3648	cmd.exe	cmd.exe
PID 3648 wrote to memory of 4248	3648	cmd.exe	cmd.exe
PID 4248 wrote to memory of 4808	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 4808	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 4456	4248	cmd.exe	find.exe
PID 4248 wrote to memory of 4456	4248	cmd.exe	find.exe
PID 3648 wrote to memory of 2420	3648	cmd.exe	reg.exe
PID 3648 wrote to memory of 2420	3648	cmd.exe	reg.exe
PID 3648 wrote to memory of 4976	3648	cmd.exe	find.exe
PID 3648 wrote to memory of 4976	3648	cmd.exe	find.exe
PID 3648 wrote to memory of 4524	3648	cmd.exe	ipconfig.exe
PID 3648 wrote to memory of 4524	3648	cmd.exe	ipconfig.exe
PID 3648 wrote to memory of 3632	3648	cmd.exe	find.exe
PID 3648 wrote to memory of 3632	3648	cmd.exe	find.exe
PID 3648 wrote to memory of 1976	3648	cmd.exe	reg.exe
PID 3648 wrote to memory of 1976	3648	cmd.exe	reg.exe
PID 3444 wrote to memory of 972	3444	cmd.exe	cmd.exe
PID 3444 wrote to memory of 972	3444	cmd.exe	cmd.exe
PID 972 wrote to memory of 2840	972	cmd.exe	WMIC.exe
PID 972 wrote to memory of 2840	972	cmd.exe	WMIC.exe
PID 972 wrote to memory of 5052	972	cmd.exe	find.exe
PID 972 wrote to memory of 5052	972	cmd.exe	find.exe
PID 3444 wrote to memory of 3760	3444	cmd.exe	cmd.exe
PID 3444 wrote to memory of 3760	3444	cmd.exe	cmd.exe
PID 3760 wrote to memory of 4376	3760	cmd.exe	WMIC.exe
PID 3760 wrote to memory of 4376	3760	cmd.exe	WMIC.exe
PID 3760 wrote to memory of 4480	3760	cmd.exe	findstr.exe
PID 3760 wrote to memory of 4480	3760	cmd.exe	findstr.exe
PID 3444 wrote to memory of 1272	3444	cmd.exe	cmd.exe
PID 3444 wrote to memory of 1272	3444	cmd.exe	cmd.exe
PID 1272 wrote to memory of 2172	1272	cmd.exe	reg.exe
PID 1272 wrote to memory of 2172	1272	cmd.exe	reg.exe
PID 1272 wrote to memory of 3652	1272	cmd.exe	find.exe
PID 1272 wrote to memory of 3652	1272	cmd.exe	find.exe
PID 3444 wrote to memory of 2640	3444	cmd.exe	cmd.exe
PID 3444 wrote to memory of 2640	3444	cmd.exe	cmd.exe
PID 2640 wrote to memory of 3820	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 3820	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 2860	2640	cmd.exe	find.exe
PID 2640 wrote to memory of 2860	2640	cmd.exe	find.exe
PID 3444 wrote to memory of 872	3444	cmd.exe	reg.exe
PID 3444 wrote to memory of 872	3444	cmd.exe	reg.exe
PID 3444 wrote to memory of 1604	3444	cmd.exe	find.exe
PID 3444 wrote to memory of 1604	3444	cmd.exe	find.exe
PID 3444 wrote to memory of 2932	3444	cmd.exe	ipconfig.exe
PID 3444 wrote to memory of 2932	3444	cmd.exe	ipconfig.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

stinger64.exe

description ioc process

Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP stinger64.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP	stinger64.exe

C:\Users\Admin\AppData\Local\Temp\Tron v12.0.6 (2023-10-17).exe
"C:\Users\Admin\AppData\Local\Temp\Tron v12.0.6 (2023-10-17).exe"
1⤵
PID:4528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tron\tron.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c <NUL C:\Windows\System32\wbem\wmic.exe OS GET LocalDateTime | C:\Windows\System32\find.exe "."
2⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe OS GET LocalDateTime
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\System32\find.exe
C:\Windows\System32\find.exe "."
3⤵
PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c <NUL C:\Windows\System32\wbem\wmic.exe timezone get StandardName |findstr /b /r [a-z]
2⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe timezone get StandardName
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\findstr.exe
findstr /b /r [a-z]
3⤵
PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName | C:\Windows\System32\find.exe "ProductName"
2⤵
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
3⤵
PID:3452

C:\Windows\System32\find.exe
C:\Windows\System32\find.exe "ProductName"
3⤵
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion | C:\Windows\System32\find.exe "CurrentVersion"
2⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion
3⤵
PID:4808

C:\Windows\System32\find.exe
C:\Windows\System32\find.exe "CurrentVersion"
3⤵
PID:4456

C:\Windows\system32\reg.exe
reg query "hklm\system\controlset001\control\nls\language" /v Installlanguage
2⤵
PID:2420

C:\Windows\System32\find.exe
C:\Windows\System32\find.exe /i "0409"
2⤵
PID:4976

C:\Windows\system32\ipconfig.exe
C:\Windows\system32\ipconfig /all
2⤵
- Gathers network information
PID:4524

C:\Windows\System32\find.exe
C:\Windows\System32\find.exe /i "Subnet Mask"
2⤵
PID:3632

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe query "HKU\S-1-5-19\Environment"
2⤵
PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\tron\tron.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c <NUL C:\Windows\System32\wbem\wmic.exe OS GET LocalDateTime | C:\Windows\System32\find.exe "."
2⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe OS GET LocalDateTime
3⤵
PID:2840

C:\Windows\System32\find.exe
C:\Windows\System32\find.exe "."
3⤵
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c <NUL C:\Windows\System32\wbem\wmic.exe timezone get StandardName |findstr /b /r [a-z]
2⤵
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe timezone get StandardName
3⤵
PID:4376

C:\Windows\system32\findstr.exe
findstr /b /r [a-z]
3⤵
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName | C:\Windows\System32\find.exe "ProductName"
2⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
3⤵
PID:2172

C:\Windows\System32\find.exe
C:\Windows\System32\find.exe "ProductName"
3⤵
PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion | C:\Windows\System32\find.exe "CurrentVersion"
2⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion
3⤵
PID:3820

C:\Windows\System32\find.exe
C:\Windows\System32\find.exe "CurrentVersion"
3⤵
PID:2860

C:\Windows\system32\reg.exe
reg query "hklm\system\controlset001\control\nls\language" /v Installlanguage
2⤵
PID:872

C:\Windows\System32\find.exe
C:\Windows\System32\find.exe /i "0409"
2⤵
PID:1604

C:\Windows\system32\ipconfig.exe
C:\Windows\system32\ipconfig /all
2⤵
- Gathers network information
PID:2932

C:\Windows\System32\find.exe
C:\Windows\System32\find.exe /i "Subnet Mask"
2⤵
PID:4816

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe query "HKU\S-1-5-19\Environment"
2⤵
PID:5036

C:\Users\Admin\Desktop\tron\resources\stage_6_optimize\defrag\update-smart-drivedb.exe
update-smart-drivedb.exe /S
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c smartctl.exe --scan
2⤵
PID:1940

C:\Users\Admin\Desktop\tron\resources\stage_6_optimize\defrag\smartctl.exe
smartctl.exe --scan
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1584

C:\Users\Admin\Desktop\tron\resources\stage_6_optimize\defrag\smartctl.exe
smartctl.exe /dev/sda -a
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:632

C:\Windows\System32\findstr.exe
C:\Windows\System32\findstr.exe /i "Solid SSD RAID SandForce"
2⤵
PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c smartctl.exe --scan
2⤵
PID:3828

C:\Users\Admin\Desktop\tron\resources\stage_6_optimize\defrag\smartctl.exe
smartctl.exe --scan
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3432

C:\Users\Admin\Desktop\tron\resources\stage_6_optimize\defrag\smartctl.exe
smartctl.exe /dev/sda -a
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4224

C:\Windows\System32\findstr.exe
C:\Windows\System32\findstr.exe /i "VMware VBOX XENSRC PVDISK"
2⤵
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c smartctl.exe --scan
2⤵
PID:1460

C:\Users\Admin\Desktop\tron\resources\stage_6_optimize\defrag\smartctl.exe
smartctl.exe --scan
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2380

C:\Users\Admin\Desktop\tron\resources\stage_6_optimize\defrag\smartctl.exe
smartctl.exe /dev/sda -a
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1064

C:\Windows\System32\find.exe
C:\Windows\System32\find.exe /i "Read Device Identity Failed"
2⤵
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c <NUL C:\Windows\System32\wbem\wmic.exe diskdrive get status
2⤵
PID:4004

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe diskdrive get status
3⤵
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Status"
2⤵
PID:4320

C:\Windows\System32\findstr.exe
C:\Windows\System32\findstr.exe /i "Error Degraded Unknown PredFail Service Stressed NonRecover"
2⤵
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo OK"
2⤵
PID:4340

C:\Windows\System32\findstr.exe
C:\Windows\System32\findstr.exe /i "Error Degraded Unknown PredFail Service Stressed NonRecover"
2⤵
PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "
2⤵
PID:3924

C:\Windows\System32\findstr.exe
C:\Windows\System32\findstr.exe /i "Error Degraded Unknown PredFail Service Stressed NonRecover"
2⤵
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fsutil volume diskfree C:
2⤵
PID:2656

C:\Windows\system32\fsutil.exe
fsutil volume diskfree C:
3⤵
PID:4508

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootmenupolicy legacy
2⤵
- Modifies boot configuration data using bcdedit
PID:964

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\check_update\wget.exe
stage_0_prep\check_update\wget.exe --user-agent="Tron-Update-Checker/12.0.6 (Windows 10 Pro)" https://bmrf.org/repos/tron/sha256sums.txt -O "C:\Users\Admin\AppData\Local\Temp\sha256sums.txt"
2⤵
- Executes dropped EXE
PID:4552

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\check_update\wget.exe
stage_0_prep\check_update\wget https://github.com/bmrf/tron/raw/master/resources/stage_2_de-bloat/metro/metro_3rd_party_modern_apps_to_target_by_name.ps1 -O "C:\Users\Admin\AppData\Local\Temp\metro_3rd_party_modern_apps_to_target_by_name.ps1"
2⤵
- Executes dropped EXE
PID:916

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\check_update\wget.exe
stage_0_prep\check_update\wget https://github.com/bmrf/tron/raw/master/resources/stage_2_de-bloat/metro/metro_Microsoft_modern_apps_to_target_by_name.ps1 -O "C:\Users\Admin\AppData\Local\Temp\metro_Microsoft_modern_apps_to_target_by_name.ps1"
2⤵
- Executes dropped EXE
PID:1420

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\check_update\wget.exe
stage_0_prep\check_update\wget https://github.com/bmrf/tron/raw/master/resources/stage_2_de-bloat/oem/programs_to_target_by_GUID.txt -O "C:\Users\Admin\AppData\Local\Temp\programs_to_target_by_GUID.txt"
2⤵
- Executes dropped EXE
PID:1192

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\check_update\wget.exe
stage_0_prep\check_update\wget https://github.com/bmrf/tron/raw/master/resources/stage_2_de-bloat/oem/programs_to_target_by_name.txt -O "C:\Users\Admin\AppData\Local\Temp\programs_to_target_by_name.txt"
2⤵
- Executes dropped EXE
PID:3508

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\check_update\wget.exe
stage_0_prep\check_update\wget https://github.com/bmrf/tron/raw/master/resources/stage_2_de-bloat/oem/toolbars_BHOs_to_target_by_GUID.txt -O "C:\Users\Admin\AppData\Local\Temp\toolbars_BHOs_to_target_by_GUID.txt"
2⤵
- Executes dropped EXE
PID:4776

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
PID:1480

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" /i "wget"
2⤵
PID:2564

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
2⤵
- Runs ping.exe
PID:2136

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
PID:4344

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" /i "wget"
2⤵
PID:4612

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
2⤵
- Runs ping.exe
PID:3912

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
PID:3604

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" /i "wget"
2⤵
PID:740

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
2⤵
- Runs ping.exe
PID:2908

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
PID:3188

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" /i "wget"
2⤵
PID:1548

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
2⤵
- Runs ping.exe
PID:4416

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
PID:4432

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" /i "wget"
2⤵
PID:3592

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
2⤵
- Runs ping.exe
PID:3376

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
PID:5024

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" /i "wget"
2⤵
PID:4412

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
2⤵
- Runs ping.exe
PID:540

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
PID:3652

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" /i "wget"
2⤵
PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type "stage_2_de-bloat\metro\metro_3rd_party_modern_apps_to_target_by_name.ps1" | "C:\Windows\System32\find.exe" "SCRIPT_VERSION"
2⤵
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "stage_2_de-bloat\metro\metro_3rd_party_modern_apps_to_target_by_name.ps1" "
3⤵
PID:1472

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" "SCRIPT_VERSION"
3⤵
PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type "stage_2_de-bloat\metro\metro_Microsoft_modern_apps_to_target_by_name.ps1" | "C:\Windows\System32\find.exe" "SCRIPT_VERSION"
2⤵
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "stage_2_de-bloat\metro\metro_Microsoft_modern_apps_to_target_by_name.ps1" "
3⤵
PID:316

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" "SCRIPT_VERSION"
3⤵
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type "stage_2_de-bloat\oem\programs_to_target_by_GUID.txt" | "C:\Windows\System32\find.exe" "SCRIPT_VERSION"
2⤵
PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "stage_2_de-bloat\oem\programs_to_target_by_GUID.txt" "
3⤵
PID:4792

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" "SCRIPT_VERSION"
3⤵
PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type "stage_2_de-bloat\oem\programs_to_target_by_name.txt" | "C:\Windows\System32\find.exe" "SCRIPT_VERSION"
2⤵
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "stage_2_de-bloat\oem\programs_to_target_by_name.txt" "
3⤵
PID:4564

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" "SCRIPT_VERSION"
3⤵
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type "stage_2_de-bloat\oem\toolbars_BHOs_to_target_by_GUID.txt" | "C:\Windows\System32\find.exe" "SCRIPT_VERSION"
2⤵
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "stage_2_de-bloat\oem\toolbars_BHOs_to_target_by_GUID.txt" "
3⤵
PID:2028

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" "SCRIPT_VERSION"
3⤵
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\metro_3rd_party_modern_apps_to_target_by_name.ps1" | "C:\Windows\System32\find.exe" "SCRIPT_VERSION"
2⤵
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\metro_3rd_party_modern_apps_to_target_by_name.ps1" "
3⤵
PID:3440

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" "SCRIPT_VERSION"
3⤵
PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\metro_Microsoft_modern_apps_to_target_by_name.ps1" | "C:\Windows\System32\find.exe" "SCRIPT_VERSION"
2⤵
PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\metro_Microsoft_modern_apps_to_target_by_name.ps1" "
3⤵
PID:3616

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" "SCRIPT_VERSION"
3⤵
PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\programs_to_target_by_GUID.txt" | "C:\Windows\System32\find.exe" "SCRIPT_VERSION"
2⤵
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\programs_to_target_by_GUID.txt" "
3⤵
PID:3292

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" "SCRIPT_VERSION"
3⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\programs_to_target_by_name.txt" | "C:\Windows\System32\find.exe" "SCRIPT_VERSION"
2⤵
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\programs_to_target_by_name.txt" "
3⤵
PID:1784

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" "SCRIPT_VERSION"
3⤵
PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\toolbars_BHOs_to_target_by_GUID.txt" | "C:\Windows\System32\find.exe" "SCRIPT_VERSION"
2⤵
PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\toolbars_BHOs_to_target_by_GUID.txt" "
3⤵
PID:4224

C:\Windows\System32\find.exe
"C:\Windows\System32\find.exe" "SCRIPT_VERSION"
3⤵
PID:3368

C:\Windows\system32\net.exe
net stop themes
2⤵
PID:932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop themes
3⤵
PID:1544

C:\Windows\system32\taskkill.exe
taskkill /f /im HelpPane.exe /t
2⤵
- Kills process with taskkill
PID:3092

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /t reg_dword /v SystemRestorePointCreationFrequency /d 0 /f
2⤵
PID:4764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Enable-ComputerRestore -Drive "C:" | Out-Null"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
2⤵
PID:4772

C:\Windows\system32\findstr.exe
findstr /i /c:"server"
2⤵
PID:4120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Checkpoint-Computer -Description 'TRON v12.0.6: Pre-run checkpoint' | Out-Null"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\capture_screenshot\nircmdc.exe
stage_0_prep\capture_screenshot\nircmdc.exe sendkeypress rwin+m
2⤵
- Executes dropped EXE
PID:1984

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\capture_screenshot\nircmdc.exe
stage_0_prep\capture_screenshot\nircmdc.exe cmdwait 500 savescreenshotfull "C:\logs\tron\raw_logs\tron_PYDWGGUE_pre-run_screenshot_202404281335.png"
2⤵
- Executes dropped EXE
PID:4808

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\capture_screenshot\nircmdc.exe
stage_0_prep\capture_screenshot\nircmdc.exe sendkeypress rwin+shift+m
2⤵
- Executes dropped EXE
PID:3760

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\rkill\solitaire.exe
stage_0_prep\rkill\solitaire.exe -s -l "C:\Users\Admin\AppData\Local\Temp\tron_rkill.log" -w "C:\Users\Admin\Desktop\tron\resources\stage_0_prep\\rkill\rkill_process_whitelist.txt"
2⤵
- Executes dropped EXE
PID:1920

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\rkill\solitaire64-3534.exe
solitaire64-3534.exe -s -l C:\Users\Admin\AppData\Local\Temp\tron_rkill.log -w C:\Users\Admin\Desktop\tron\resources\stage_0_prep\\rkill\rkill_process_whitelist.txt
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1472

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\log_tools\siv\SIV64X.exe
stage_0_prep\log_tools\siv\siv64x.exe -save=[software]="C:\logs\tron\raw_logs\installed-programs-before.txt"
2⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1008

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\log_tools\everything\Everything.exe
stage_0_prep\log_tools\everything\everything.exe -create-filelist "C:\logs\tron\raw_logs\filelist-before.txt" C:
2⤵
- Executes dropped EXE
PID:4732

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe product get identifyingnumber,name,version /all
2⤵
PID:3516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Get-AppxPackage -AllUsers | Select Name"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3916

C:\Windows\system32\taskkill.exe
taskkill /f /im "caffeine.exe"
2⤵
- Kills process with taskkill
PID:5052

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\caffeine\caffeine.exe
stage_0_prep\caffeine\caffeine.exe -noicon
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\processkiller\ProcessKiller.exe
ProcessKiller.exe /silent
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Windows\system32\sc.exe
sc config w32time start= auto
2⤵
- Launches sc.exe
PID:5056

C:\Windows\system32\net.exe
net stop w32time
2⤵
PID:1472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop w32time
3⤵
PID:2372

C:\Windows\system32\w32tm.exe
w32tm /config /syncfromswitches:manual /manualpeerlist:"1.pool.ntp.org,0x8 time.windows.com,0x8 time.nist.gov,0x8"
2⤵
PID:372

C:\Windows\system32\net.exe
net start w32time
2⤵
PID:2760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start w32time
3⤵
PID:2896

C:\Windows\system32\w32tm.exe
w32tm /resync /nowait
2⤵
PID:3524

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe timezone
2⤵
PID:1416

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\backup_registry\ERUNT.EXE
stage_0_prep\backup_registry\erunt.exe "C:\logs\tron\registry_backup" /noconfirmdelete /noprogresswindow
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:964

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 15
2⤵
- Runs ping.exe
PID:2992

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe query "hklm\software\microsoft\net framework setup\ndp\v3.5" /v Install
2⤵
PID:1496

C:\Windows\System32\find.exe
C:\Windows\System32\find.exe /i "0x1"
2⤵
PID:3900

C:\Users\Admin\Desktop\tron\resources\stage_0_prep\mcafee_stinger\stinger64.exe
stage_0_prep\mcafee_stinger\stinger64.exe --GO --SILENT --PROGRAM --REPORTPATH="C:\logs\tron\raw_logs" --DELETE
2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2240

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:3892

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2308

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:4528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery