Analysis
max time kernel: 23s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-04-2024 19:47

Behavioral task: behavioral1
Sample: VeryFun.exe
Resource: win10v2004-20240426-en

Behavioral task: behavioral2
Sample: VeryFun.exe
Resource: win11-20240426-en

General
Target: VeryFun.exe
Size: 3.0MB
MD5: ef7b3c31bc127e64627edd8b89b2ae54
SHA1: 310d606ec2f130013cc9d2f38a9cc13a2a34794a
SHA256: 8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387
SHA512: a11eadf40024faeb2cc111b8feee1b855701b3b3f3c828d2da0ae93880897c70c15a0ee3aeb91874e5829b1100e0abafec020e0bf1e82f2b8235e9cc3d289be5
SSDEEP: 49152:wshda+bFz6dmTTfO0JBhybeUXzELz/RkxI6Zxkxur4E5IReTD5GKHmDVJPY8:Js/4ibecELz/RkO6LF4hRq5GKHmBBY
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
Entries under ShellServiceObjectDelayLoad hold CLSIDs that Explorer.exe instantiates at startup, so a new entry is a persistence point. The data written to WebCheck here is a non-printable string, not a CLSID, so as recorded it corrupts that entry rather than registering a loadable object.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "°\\¤+þ\x10ºÇ’8:ªÝH~ºé #\bÅž=\nÚºMØ" | cmd.exe

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Winlogon\Shell names the program started as the user's shell at logon (explorer.exe on a clean system); replacing it is a classic persistence point. The data written here is a non-printable string, and the write went to the WOW6432Node (32-bit) view of the key.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\x01ô>Ên}É!Û\x10¼É%ª\x1dü©g©\x02`\rœl\x16\x13\x14™" | cmd.exe

Manipulates Digital Signatures (1 TTP, 64 IoCs)
The registry entries under Microsoft\Cryptography\OID (the subject interface package, SIP, registrations CryptSIPDll* that name the DLL and export used to compute, store and verify a file's Authenticode hash, plus the CryptDllEncodeObject/CryptDllDecodeObject OID function registrations) and under Microsoft\Cryptography\Providers\Trust (the $DLL/$Function pairs for each step WinVerifyTrust runs) decide how signature verification is performed. An attacker who points these values at code of their own can make an unsigned or tampered binary report as validly signed (SIP and trust provider hijacking). In this run every value written is a non-printable byte string rather than a DLL path or export name, so as recorded the effect is to corrupt the 32-bit (WOW6432Node) registrations, not to redirect them to an attacker DLL.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "FÁ\"\a*£\u008f‘2-€òÞ=TÑ|û\x0e\x15«\x04ô\x19‰JÙ»" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "Aå²W–?4°\x1f‡\x0fN”!Náó<¯Íú#@&\u00adI1u" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "é‘\x1fa7{\x117ÊóB¡¨¯Íf\x03ŒÐÝ‚\x14\x1d¤\u009dºôŠ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "í\x14Zfø\fT^Ñw¹,¶+iéqUØ*[ªþIÃT±E" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "îr•†¥¿«Ý'\x01»\u0090\x06p©Ðý" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "ÁðlË>E\x05j÷ZZ\tÖØ\nT\x11b§J…mÎUAj¾J" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = ",Y\x18©ºqEÝž¤¥œO<åh!zÁ\x03\x1a\a\x04‰ÛËA\v" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "sbŸ\x17\x06׿\x13\u009dJ'tÑÄV\x1b\x0e\x18\u008fã\b\x04\v\x13ß\x7f1\v" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\Dll = "*" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "ù¦\x12€\x19\x1f,ý{˜ÄçÊ6<T´†\f§)§|¡\x15¡" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$Function = "Qª^äè¼éøÊÂÂ\x1dëè0G\x06¥“\x1et?Æ\u00adR1Æ\u00a0" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name = "(ÔTØ7³cO$&û¤XX]\u00a0¥Ö`žnj¢D÷+ŸM" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\Dll = ";Çhd»Éì̬^\x17Å¥*þ[½wÃr\u0090rÄä¿\x17\u0081ø" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\FuncName = "ZA\"J\x01#[\x1dÍ9\u008fÐ\txÖD”5p\x17{5\u00a0žõ\x02¿ï" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "®\vò“ц¼û\x0e\\ÍãÌÝ0Û5Ÿ¾R>Ìê?NX\nX" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "ã9\"äÓu¸f\x7f3ä\x0f¶žf\x1c\u008d1±ˆÉÿ¦Œ¦\x1a7\f" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "¡\x13ñ”kë~èÐD\x03'.ó´ƒNºiaØÒ\að\\œ+\x1d" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WYhx_\u009dóüêàhšÏ\x04£?,‰ŒD\u00a0p°wî¡éŒ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "÷Jdf\x0e\b 5\u00a06\x06\x10b@/Ý'#w“\x02Ö«Ó\x11L¯=" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "ò]¯0Ü\vè´\u008dõÄt“„Æ6ƒ£¢Ñ”¬0\u0081è\u00a0Í)" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "\x7fÖ´µÅ•}\tÏ’" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "xоÕkP±\x15JøHŒœò[Ïϧc\x02\fšLz\x16Ÿyi" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{000C10F1-0000-0000-C000-000000000046}\FuncName = "ÁqaH)¥ú\u008d\x1aúɹÁwЃ¶ý¾P\u008f\x06Å\x0eŒ¾\x11Ò" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "\x064\x15¾šÏ²ӟ*û†\"ï*,W››†²Ôکߺ\f" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "Ê" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "(Bæ ‹bqüƒ‡Ö\x0f;´bQH\x19$K\x05ÚŠø+â\x03@" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "XåÆÍúÓ\x1cëÎ0™¸áhôжÉâï¡\"\nŸ_bÊb" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "\\ÀÝÈ6\u00a0F[®\x7f\u00ad[oé\u0081†LÇ„ÇÃ.\u0081½RFÈF" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "_åWÅÕô<G\x1eÓ\nœ¦6°é\x189of¢@0qWðÇ\\" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "úr\rí¿VŸ\rTi¬Rp[HX\x11À¨\aùôç³t¿Ü¡" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "{׎‰\\4\x1a:¢¾q/bJ¡D¥i\x19\x15ÂgÉ,ލ\x16B" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "jö毆ýóª¶\x18 \x14Ç%ï+5K¬\x1b¦KVW¿í†ß" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "-Aðé£a\x03\"àûѰ¥ÀRy¾{\x01óûðpô\x05a\r™" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}\FuncName = "\x1e\x01\fŒ€j‰6\u008fr7\x0e{ßž¥Är.ÌA7+\x02\u00ad\x06\x18Ì" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "*ø<HºÐljÔ´áï‚|ä;³–HtãÏrVÉT" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "sìçU†eÏ&Q“\u008dX°\f‘}ã¡:.¿\x05“jïð+„" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "^欸1¢¤áôpÙq1œÃä\u0090Ìü}ðÐPd>ȦÓ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$DLL = "\x7fÕ\x18¡žMÌZ/v‰Ãÿ\nÅ\u0081ÂgH61*Ä|’ ôz" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "c:{~‘\"ïâ32Ð3ežðµâ\x02%eO{Zæg(*›" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\Dll = "©\u00a0rYZVFù¶\x06\u0090áñÆûþ\rúî§qqÞ²&ȉ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "^\u00a0¡ÄÑ\x7fa\x02\aÍ\x04E\x1c)Õ:Nô\\´1‰6ôåŒüë" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "í“ð\rã7(\f(pàý$µGÊ}b»Ì\x15+˜Û\u0090ËÜš" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "\v\x15ÊܕĞ!¯{{àòÚ„¼)fnQ2þ\x1b<p;á¡" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "¨BÆp%\x17ÈÙT(ã+Ø…4æî\"ßhÒ¢ºáü÷jT" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\Dll = "†òϼBØ\x1b\x1b{Õ\tˆƒXL\x18»låT”+TŒa‰(™" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "V©Ó\u008d\x1fµ_žêoœÿ?®*JêXIá\n¸´QÍ\x13F¢" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "\"ßÓgª‚9¼gÒ-1}ÅÚÒ·\x12î\x1e\x046e+\x16!z÷" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "²ŽíÐA_µ|û²‘\u0090E\x13ˆV]\t´Ó7PÍžêŒ ž" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "ÌèÀœ\x15lp\x14fMÇ„&\x1378Ðl2\x13Ña—÷îð\x01®" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}\Dll = "pQƒ\b¤‡ÞE\x18\nµ\x102\rW¯–ÇñfsáŸY%÷*º" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\Dll = "ËM\x13î(Â\u008fÞ>Þ\x1fï‰\x1aI*9¨vXÁc¯-\u00ad¬Ûç" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "\x1dD@d'ÍïJ\x17éÄ—ìgÝ&\u008f“\x19\x1eÂÝY¯ùh¡Ò" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "\x01\x1aeÞw©)çý\x04\x1a½v\x1f\u00a0kGê\x1fqŠ*ƒ\x03¦ˆiÜ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "À«W¼Í" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "fWa<-2‘‡Ñ.R%Öi½¨VmX\x12TT–׎—ÄÓ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "—RÍ…œ\u00815Bc ö/?\u0081¹”ì$¯\u008dŽ\u00ad\x06D^&Sµ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "µ\x13òSƒìX\rø›ýÜÅ`nò\u009d\x7f–¯É\rÉüÂý<;" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "ÑÑ‘\\9.¢Þ_zœ ºn¥•g#¼<\u009dUì\a?PTÌ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\FuncName = "‰YpsZú?(tu\u00813nš\x17žŠ\x06.Ojª^\u008fZábÓ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "\vó\vd\n+¾ðy·ì5\a\x04\u008d²\a\r9/\u0090îO½£€i\x1d" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\FuncName = "å‹–õÇÏî…\x15Ø«íò\x1bÁ\x03»è¡â\x05´+Kˆ”Ím" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "´ÃspêØ{·PÀ’\u008daŸpv9¡êÊôå¬\u008dr\x1aÿk" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "©\x1d'<l\x0féë\x1cjùÝr™F\t\fí°Ö‹¯\x14¸°µ\x17\r" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "…Œ*æ\u00ad`¬\"\u009d9³EïÝÓ\u0081³l\u008dÏŽfuy\nÐeÉ" | cmd.exe

Modifies AppInit DLL entries (2 TTPs)

Modifies Installed Components in the registry (2 TTPs, 64 IoCs)
Active Setup runs the StubPath command of each HKLM\...\Installed Components\{CLSID} entry once per user at logon, whenever the user's hive has no copy of the entry or its Version is older; that makes the key a persistence location. Here the Version, Locale, ComponentID, StubPath and default values of existing component subkeys, and the per-user copies under S-1-5-21-4018855536-2201274732-320770143-1000, are overwritten with non-printable strings.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Locale = "\\;zgÒM¹êeZÅKøh ™¹*„²ð‘•\x1bP\a+U" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ComponentID = "•\u008dXX¢%Ò\x1a\x05°²öOáËIî*ùõ(\u00a0½Z·Y¡Ù" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\Version = "Bc`Úháf;”‚wÌ ŠûFR\x19ÖÎïZ. —î\r—" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Locale = "^\x0fѦMÇ\x03Í;)6àâv\x14äÑš\x04X\føcbô×g." | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ = "yº9±”îINnëW\u008dÑqÊ\x01ë€Û–$í\bjÃ)" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "”YÂòé’Õa\x0eÛa£öD<˜÷?ÅeK\x7f„\x05F›œT" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "\x02Œqô$é–iæq˜2>dºƒÐ³˜\x03ä4÷ú‰\x16å(" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Locale = "\u009dîóI\x1cIòôXµ€pmd\x10I>~\x10[îŠðÅ`¯KŠ" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Version = "×åü›»·»]É\x19¤\x02Õ6c2¸àfóäé:ö˦HÈ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Version = "«y~Ô™R{3wË\x11S//þvêwR6ì—݈\u0081\u00ad\x1c¹" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\ComponentID = "唘1½Åþ¼Gï[¸_°¨ÞAkÌy\tyúu¤aÆ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\Version = "R!—ñÑÊcÃQ2©NQ\u00ad\x0f%[åô" | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Version = "\v:%\x05>\x10oŃÈö\x18·Ùw³\"\v\x1b·ù²Å·1/" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "åÒ\nÊ\x156I\x1ay-€\x0e\x0f\x0f—ÏÓBݘ”y\u0090£Ïñ„Ç" | cmd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "B¥õÛê\x10ÁSÇ_íU8{eB)\u00ad–g‘û-×äkv\t" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Version = "¬ÃÃäe/=FÃ\x15\veéiýë ©4‚Dú¤vé=%" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Locale = "ȇ\x1biQk\u008dÓ±\x1eCè®)™$D패Ç\x01\x1e]\x11VML" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\LocalizedName = "™œˆb7•KÈYEœÕaL$_\u0081ˆNÎqótŸÁ„ƒ9" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\StubPath = "\t\x1cßÖ0¥êÖÞÜåÑ^:´hÉP\x7f¬Öv\u00a0ð÷ï\n\a" | cmd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "´“„°±´ñ=.û\x03M\\gç»k1'\x0fØï2\x05?û1¤" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\ComponentID = "ö\x0e\x7fÚ\u008d\b,ý^\u009d|Û\x06÷\x13Ù#½¤ô–ËÙä" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ = "šˆ¼‰éq\t`ƒô®\u009dÍ\x10”2ƒ¸û{¥¢Ö-¥Ž¿´" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Version = "QÈÆÀ\x18»ª\x12…µô‚\x16Ú¶O\x06\rWËv¾Í\bÜchÜ" | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Locale = "©\x1f¼\x03´\aÝW~ƒ \u008fœ5ዾzÓÿé±€\x1föè³¼" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ComponentID = "]¥~g\u00a0@\x1fN.p\x14,\x17³Ê{'^\r–\u008dƒ\x1eE76Ô]" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ = "\fN6\x15ª4ŠÁ5\u00adü\u008dä{\u0081;+…&级«9u«rÚ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Locale = "ï\x19.íARî/¾Ê\u00a0\u008fäŠ\t´¢)¸|i–RÒ\x06D\x1fk" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\Locale = "L±\n$p1Ì@\x1c‹7ÙÌ\b\x1c\t\x12çô3µ”ò\x18KËãr" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ComponentID = "bòG’|\x1el\u008d\x12Öy>\x15ÑŒ\x06œ\x19ÓmÌXJ|\vŠ\x10*" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000} | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "\u008d?0\b\a¡\x11Stsç²jL\x1aØP\x10·zfÑ162†¡O" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ = "\fR\x17\x15KIPEÔ\x03ü\u008f\b\tÑe\x17f<¨Dp…³%ä\x1d“" | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Locale = "÷$îA\x06˜6¿\u009dšî\tuÊQ=B»žÜ*·\f’?p\r\t" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version = "Þ¿]m¿ieì;tl6a\x1eÈ®é§\f" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Version = "œ\\ÿOï;²ó_I¥ô&Xg¢\fk\x1c?Æ\u00ad¦)è\vµE" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} | cmd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "\u00a0´\"Q²" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ComponentID = "\x01’ûN•ª±\x1eGT“òM@¬ÛLLúwhã\"M\x19\bëX" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Version = "ÕÔ‹×ã/“\v„µ*N«Aƃ_ÒEírÇŒ\"ÒÖ\v‡" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ComponentID = "ºwù{¶À\x17|R\f8p¾AåwÕûõcj\fJ›\x0et<”" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Version = "“{ÆûÞW\u00a0¸\x0e1Hò¬á\x14\aâü5–BÔUИ\x16ìÒ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\ = "wÑÓRm1Ù^à0ÜÒöá\x14§\v=a\x10E\x1cñ¯×\boŽ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Version = "ÏÁ\u0081ÿ¼KQÊݼÂ\u0090ï”Fœ¦$ˆ†ÈÖAÜ/[" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\ComponentID = "\x1bܨȹ¦nÑÎ\vˆÂµ\x18\x1a™´3| œ«¦6%ÏØà" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "×Fcc\aï3\x03\bã[5\u0090>¹\x13I2\x166x:\x06L‘\x05\x18Ç" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ = "I\aW»\u009dÓ÷ùV*S@I„¹7”ëe»µi¢îóK§•" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ComponentID = "”ñE3•n\x10°*‰¬Îôø¨¦|:v–²" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ComponentID = "D |<ºM—Œu5&\f\u0081„ÕYÆ)›ïá_Í”\nŸÀÑ" | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | cmd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "&¯ŠÒŒqÇÜöÃ¥×ÂÑ\bþWÊ\x19Î#œYB´ã\x1e." | cmd.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation, a decimal GeoID), a common geofence check. The same value is then overwritten with a non-printable string, so the GeoID no longer parses as a number.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | cmd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation = ")\vùuz˜\x1e;×tí×9téóþ" | cmd.exe

Memory regions matching YARA rule upx
Seven processes in behavioral1 (PIDs 608, 464, 924, 3992, 2188, 712 and 2180) carry a region that matches the rule. The region in PID 608, 0x4A0000-0xADD000, is about 6.2 MB against 3.0 MB for the file on disk; the regions in the other processes are roughly 1 MB to 1.6 MB each.
resource | yara_rule
behavioral1/memory/608-0-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/464-3-0x0000000000780000-0x000000000091C000-memory.dmp | upx
behavioral1/memory/464-5-0x0000000000780000-0x000000000091C000-memory.dmp | upx
behavioral1/memory/464-7-0x0000000000780000-0x000000000091C000-memory.dmp | upx
behavioral1/memory/464-6-0x0000000000780000-0x000000000091C000-memory.dmp | upx
behavioral1/memory/924-10-0x0000000000F20000-0x0000000001014000-memory.dmp | upx
behavioral1/memory/924-11-0x0000000000F20000-0x0000000001014000-memory.dmp | upx
behavioral1/memory/924-12-0x0000000000F20000-0x0000000001014000-memory.dmp | upx
behavioral1/memory/924-8-0x0000000000F20000-0x0000000001014000-memory.dmp | upx
behavioral1/memory/3992-21-0x0000000001300000-0x000000000140C000-memory.dmp | upx
behavioral1/memory/3992-22-0x0000000001300000-0x000000000140C000-memory.dmp | upx
behavioral1/memory/3992-23-0x0000000001300000-0x000000000140C000-memory.dmp | upx
behavioral1/memory/608-24-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/2188-25-0x0000000000600000-0x000000000070C000-memory.dmp | upx
behavioral1/memory/2188-26-0x0000000000600000-0x000000000070C000-memory.dmp | upx
behavioral1/memory/2188-27-0x0000000000600000-0x000000000070C000-memory.dmp | upx
behavioral1/memory/608-31-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/712-32-0x0000000000F00000-0x000000000100C000-memory.dmp | upx
behavioral1/memory/712-34-0x0000000000F00000-0x000000000100C000-memory.dmp | upx
behavioral1/memory/712-33-0x0000000000F00000-0x000000000100C000-memory.dmp | upx
behavioral1/memory/608-35-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/464-36-0x0000000000780000-0x000000000091C000-memory.dmp | upx
behavioral1/memory/924-37-0x0000000000F20000-0x0000000001014000-memory.dmp | upx
behavioral1/memory/2180-38-0x0000000001020000-0x000000000112C000-memory.dmp | upx
behavioral1/memory/2180-39-0x0000000001020000-0x000000000112C000-memory.dmp | upx
behavioral1/memory/2180-40-0x0000000001020000-0x000000000112C000-memory.dmp | upx
behavioral1/memory/608-42-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/924-43-0x0000000000F20000-0x0000000001014000-memory.dmp | upx
behavioral1/memory/608-44-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/608-45-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/608-46-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/608-47-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/608-48-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/608-49-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/608-50-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/608-51-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/608-52-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/608-53-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/608-54-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/608-55-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx
behavioral1/memory/608-118-0x00000000004A0000-0x0000000000ADD000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoC)
The value name SunJavaUpdateSched mimics the Run entry the Java updater uses; the data written is a non-printable string rather than a command line.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "Ǻ\x1a€´±<'õÏ\fÅ\x05Œt¦Ë—½7u¯èÈÈh\x02W" | cmd.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system. No IoC rows are listed for this signature.

The following row has no signature heading on the page. EnableLUA under Policies\System is the UAC enforcement setting, not an Uninstall entry, so this query is a check for whether UAC is enabled rather than software enumeration.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe

Installs/modifies Browser Helper Object (2 TTPs, 6 IoCs)
BHOs are DLL modules that Internet Explorer loads as plugins; they are registered by CLSID under Explorer\Browser Helper Objects. Two CLSID subkeys are created here, and their default value (the display name) and NoExplorer flag, which Windows normally stores as a DWORD, are written as non-printable strings.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "UÛ3ãþÇä×u0\x03ô_åV²%ÿ6›6+9\u00a0Þeóâ" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "\x1c\u0081»/\x03\x17ö¡EjIäÖ%Nã BMsé½a\x10D† å" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "ø\\Áäe\x17è?\x1ca\u008dò4\x198™1c›ÔûL¸äé*\x14\x04" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "IÞ¦\x11ï" | cmd.exe

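A common follow-up to a report like this is to ask, for each registry write, which autostart or trust location it hit and whether the data written could possibly be legitimate there. The Python below is an added example, not the sandbox's code: it takes events in the shape of the rows above (operation, registry path, value, process), maps the key to a watched location, tags it with the ATT&CK technique ID I would assign (the report itself states none), and flags writes whose data cannot be what the location holds: control bytes, or something that is not a CLSID, command line, DLL name or export name where one belongs. The sample rows are copied from this report's IoC tables, plus two constructed legitimate-looking writes that must not fire; the event layout, rule set and plausibility patterns are my assumptions.

```python
"""Added example (not the sandbox's code): triage registry events shaped like the
rows above, (operation, path, value, process).  Each watched key has a rule naming
the autostart/trust location, an ATT&CK ID assigned here, and what a legitimate
value looks like; writes that cannot be legitimate become findings."""
import re
from collections import namedtuple

CLSID = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")                # exported function name
VERSION = re.compile(r"^\d+(?:,\d+){0,3}$")                     # Active Setup "a,b,c,d"
LOCALE = re.compile(r"^[A-Za-z*-]{1,10}$")
DIGITS = re.compile(r"^\d+$")                                   # NoExplorer flag, GeoID
CMDLINE = re.compile(r'(?i)^(?:"?[a-z]:\\|%[a-z0-9_]+%|rundll32|regsvr32|[a-z0-9_.-]+\.exe\b)')
DLLNAME = re.compile(r'(?i)^(?:[a-z]:\\|%[a-z0-9_]+%)?[^\x00-\x1f"*?<>|]+\.dll$')
SHELL = re.compile(r"(?i)^explorer\.exe$")


def has_control_chars(value):
    """C0/C1 control bytes never belong in a CLSID, path, export name or command line."""
    return any(ord(c) < 0x20 or 0x7F <= ord(c) <= 0x9F for c in value)


def normalize(path):
    """Lower-cased key without the \\REGISTRY\\MACHINE or \\REGISTRY\\USER\\<SID> prefix
    and without the WOW6432Node redirection that 32-bit writers get."""
    p = re.sub(r"^\\REGISTRY\\(?:MACHINE|USER\\S-1-5-[0-9-]+)\\", "", path, flags=re.I)
    return re.sub(r"\\WOW6432Node", "", p, flags=re.I).lower()


def by_name(table, default=None):
    """Checker: the value must match the pattern registered for its value name;
    names not in the table must match `default`, or are free text if it is None."""
    def check(name, value):
        pat = table.get(name, default)
        return pat is None or bool(pat.match(value))
    return check


# (location, ATT&CK technique, regex over the normalised key, plausibility checker)
RULES = [
    ("Run key", "T1547.001", r"\\windows\\currentversion\\run$", by_name({}, CMDLINE)),
    ("ShellServiceObjectDelayLoad", "T1547", r"\\shellserviceobjectdelayload$", by_name({}, CLSID)),
    ("Winlogon", "T1547.004", r"\\windows nt\\currentversion\\winlogon$", by_name({"shell": SHELL})),
    ("Active Setup", "T1547.014", r"\\active setup\\installed components\\",
     by_name({"version": VERSION, "stubpath": CMDLINE, "locale": LOCALE})),
    ("Browser Helper Object", "T1176", r"\\explorer\\browser helper objects\\", by_name({"noexplorer": DIGITS})),
    ("SIP / trust provider", "T1553.003", r"\\cryptography\\(?:oid\\encodingtype \d+|providers\\trust)\\",
     by_name({"dll": DLLNAME, "$dll": DLLNAME, "funcname": IDENT, "$function": IDENT})),
    ("Geo/Nation (location discovery)", "T1614", r"(?:^|\\)control panel\\international\\geo$", by_name({}, DIGITS)),
]

Finding = namedtuple("Finding", "severity location technique path reason")


def triage(events):
    """'high': a malformed value was written to a watched key; 'info': a key was
    created or a value queried in one (context for the analyst)."""
    findings = []
    for op, path, value, proc in events:
        norm = normalize(path)
        is_write = op.startswith("Set value")
        key, _, name = norm.rpartition("\\") if (is_write or "queried" in op) else (norm, "", "")
        rule = next((r for r in RULES if re.search(r[2], key)), None)
        if rule is None:
            continue
        location, technique, _, plausible = rule
        if not is_write:
            findings.append(Finding("info", location, technique, path, f"{op} by {proc}"))
        elif has_control_chars(value):
            findings.append(Finding("high", location, technique, path,
                                    f"{proc} wrote {len(value)} chars containing control bytes"))
        elif not plausible(name, value):
            findings.append(Finding("high", location, technique, path,
                                    f"{proc} wrote {value!r}, not a plausible {name or 'default'} value"))
    return findings


# Constructed sample: the first eight rows are copied from this report's IoC tables
# (values as printed there); the last two are legitimate-looking writes that must not fire.
SAMPLE_EVENTS = [
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched", "Ǻ\x1a€´±<'õÏ\fÅ\x05Œt¦Ë—½7u¯èÈÈh\x02W", "cmd.exe"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck", "°\\¤+þ\x10ºÇ’8:ªÝH~ºé #\bÅž=\nÚºMØ", "cmd.exe"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "\x01ô>Ên}É!Û\x10¼É%ª\x1dü©g©\x02`\rœl\x16\x13\x14™", "cmd.exe"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\Dll", "*", "cmd.exe"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function", "Ê", "cmd.exe"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version", "Þ¿]m¿ieì;tl6a\x1eÈ®é§\f", "cmd.exe"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}", "", "cmd.exe"),
    ("Key value queried", r"\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation", "", "cmd.exe"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe", "explorer.exe"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "explorer.exe", "msiexec.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.technique} {f.location}: {f.reason}")
```

Two design points matter in practice. The control-byte test runs before the per-location pattern, because it is cheap and catches what this sample does everywhere; the patterns then catch the quieter case where a short printable value such as "*" or "Ê" lands in a Dll or $Function slot that must hold a DLL name or an export. Normalising away WOW6432Node is deliberate: the writes in this report all went to the 32-bit view, and rules keyed on the native path would otherwise miss them.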
Modifies WinLogon 2 TTPs 64 IoCs
AutoIT Executable 28 IoCs
AutoIT scripts compiled to PE executables.
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\WallPaper = "á\x16NS\x06í\u0081Õû´0Qj\u009d\x14XEmíü«k\x02%\x12æw\x0f" cmd.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target
PID 608 set thread context of 464 608 VeryFun.exe 84
PID 608 set thread context of 924 608 VeryFun.exe 85
PID 608 set thread context of 3992 608 VeryFun.exe 87
PID 608 set thread context of 2188 608 VeryFun.exe 89
PID 608 set thread context of 3928 608 VeryFun.exe 90
PID 608 set thread context of 712 608 VeryFun.exe 100
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System.ini VeryFun.exe -
Modifies Control Panel 64 IoCs
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "ê(þ)©L©p\u0090" cmd.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "åþo\aÙ·›5|\x1a\x15GÃòx@kâÕŒPõI,Þ\x12Æ\x11" cmd.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
608 VeryFun.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process
3992 cmd.exe
2188 cmd.exe
3928 cmd.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process
Token: SeDebugPrivilege 608 VeryFun.exe
Token: 33 3024 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3024 AUDIODG.EXE
Suspicious use of FindShellTrayWindow 29 IoCs
pid Process
924 cmd.exe (29 identical entries)
Suspicious use of SendNotifyMessage 29 IoCs
pid Process
924 cmd.exe (29 identical entries)
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target (identical entries collapsed; count in last column)
PID 608 wrote to memory of 464  608 VeryFun.exe 84  5
PID 608 wrote to memory of 924  608 VeryFun.exe 85  5
PID 608 wrote to memory of 2052 608 VeryFun.exe 37  14
PID 608 wrote to memory of 3552 608 VeryFun.exe 56  5
PID 608 wrote to memory of 3992 608 VeryFun.exe 87  5
PID 608 wrote to memory of 2188 608 VeryFun.exe 89  5
PID 608 wrote to memory of 3928 608 VeryFun.exe 90  5
PID 608 wrote to memory of 712  608 VeryFun.exe 100 5
System policy modification 1 TTPs 11 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "M\x0eÞƒ³Ÿ‚χu7\x06j\x06|ÊYŸ”\bË\u00a0wIœRZª" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing\CountryCode = "Y‚\x16¯,‘T¬J&\x16•/˜\"bº5\nsq\x17†\x01ò<æ:" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "\x11Dº[ôWç6Ä\"\x15‡<Ž?ƒÄD%Ю‘Ë)ÏgN®" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "\x04\u0081ûVdÜJÉøú†Àþ-:N\x15X=½Þë%†ª]N\x19" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SettingsPageVisibility = "µ÷4·\x1eãÄ\tÓ¹\x04\x19¿‹Â\x01\u00a0\u009drwêÅ×9ü\x05>\x19" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\ = "ûÀxGì눵£å\x12\x0e´Î¥Êo\fpp“š©\x1b/4]g" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI cmd.exe
Processes (process tree; nesting shows parent/child relationship)
- C:\Windows\System32\spoolsv.exe (PID 2052)
  Command line: C:\Windows\System32\spoolsv.exe
- C:\Windows\Explorer.EXE (PID 3552)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\VeryFun.exe (PID 608)
    Command line: "C:\Users\Admin\AppData\Local\Temp\VeryFun.exe"
    Signatures: Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 464)
      Command line: "C:\Windows\system32\cmd.exe"
    - C:\Windows\SysWOW64\cmd.exe (PID 924)
      Command line: "C:\Windows\system32\cmd.exe"
      Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Modifies WinLogon for persistence; Manipulates Digital Signatures; Modifies Installed Components in the registry; Checks computer location settings; Adds Run key to start application; Checks whether UAC is enabled; Installs/modifies Browser Helper Object; Modifies WinLogon; Sets desktop wallpaper using registry; Modifies Control Panel; Modifies Internet Explorer settings; Modifies Internet Explorer start page; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; System policy modification
    - C:\Windows\SysWOW64\cmd.exe (PID 3992)
      Command line: "C:\Windows\system32\cmd.exe"
      Signatures: Suspicious behavior: GetForegroundWindowSpam
    - C:\Windows\SysWOW64\cmd.exe (PID 2188)
      Command line: "C:\Windows\system32\cmd.exe"
      Signatures: Suspicious behavior: GetForegroundWindowSpam
    - C:\Windows\SysWOW64\cmd.exe (PID 3928)
      Command line: "C:\Windows\system32\cmd.exe"
      Signatures: Suspicious behavior: GetForegroundWindowSpam
    - C:\Windows\SysWOW64\cmd.exe (PID 712)
      Command line: "C:\Windows\system32\cmd.exe"
    - C:\Windows\SysWOW64\cmd.exe (PID 2180)
      Command line: "C:\Windows\system32\cmd.exe"
- C:\Windows\system32\AUDIODG.EXE (PID 3024)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x524 0x51c
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (PID 548)
  Command line: explorer.exe
  - C:\Windows\System32\ie4uinit.exe (PID 3404)
    Command line: "C:\Windows\System32\ie4uinit.exe" -UserConfig
    - C:\Windows\System32\ie4uinit.exe (PID 4496)
      Command line: C:\Windows\System32\ie4uinit.exe -ClearIconCache
      - C:\Windows\system32\RunDll32.exe (PID 1176)
        Command line: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
      - C:\Windows\system32\RunDll32.exe (PID 956)
        Command line: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
  - C:\Windows\System32\unregmp2.exe (PID 2264)
    Command line: "C:\Windows\System32\unregmp2.exe" /FirstLogon
  - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 1476)
    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
    - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 2260)
      Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff79753ae48,0x7ff79753ae58,0x7ff79753ae68
    - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 4620)
      Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=2 --install-level=0
      - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe (PID 3168)
        Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x224,0x248,0x24c,0x78,0x250,0x7ff79753ae48,0x7ff79753ae58,0x7ff79753ae68
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 4900)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 2848)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff679325460,0x7ff679325470,0x7ff679325480
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4948)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --migrate-edgeuwp-taskbar-shortcut
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1360)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeaddd46f8,0x7ffeaddd4708,0x7ffeaddd4718
Network
MITRE ATT&CK Enterprise v15 (number in parentheses is the count of matching signatures)
Persistence
- Boot or Logon Autostart Execution (6)
  - Registry Run Keys / Startup Folder (4)
  - Winlogon Helper DLL (2)
- Browser Extensions (1)
Privilege Escalation
- Boot or Logon Autostart Execution (6)
  - Registry Run Keys / Startup Folder (4)
  - Winlogon Helper DLL (2)
Downloads