Analysis
max time kernel: 19s
max time network: 110s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-04-2024 19:47
Behavioral task behavioral1: Sample VeryFun.exe, Resource win10v2004-20240426-en
Behavioral task behavioral2: Sample VeryFun.exe, Resource win11-20240426-en (the run shown on this page; the memory dumps below are labelled behavioral2)
General
Target: VeryFun.exe
Size: 3.0MB
MD5: ef7b3c31bc127e64627edd8b89b2ae54
SHA1: 310d606ec2f130013cc9d2f38a9cc13a2a34794a
SHA256: 8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387
SHA512: a11eadf40024faeb2cc111b8feee1b855701b3b3f3c828d2da0ae93880897c70c15a0ee3aeb91874e5829b1100e0abafec020e0bf1e82f2b8235e9cc3d289be5
SSDEEP: 49152:wshda+bFz6dmTTfO0JBhybeUXzELz/RkxI6Zxkxur4E5IReTD5GKHmDVJPY8:Js/4ibecELz/RkO6LF4hRq5GKHmBBY
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
ShellServiceObjectDelayLoad entries are CLSIDs that Explorer.exe instantiates at logon. WebCheck is the name of a legitimate entry under this key; the data written to it here is a byte string, not a CLSID.
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "¶zvþÿq·9[™5Ø<j´›]\u0081„m\u00ad¸`Geª‹ó" cmd.exe
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Winlogon\Shell names the program started as the user's shell at logon (normally explorer.exe), so rewriting it is a classic persistence hook. The data written here is a byte string rather than an executable path, and the key is the WOW6432Node (32-bit redirected) view, consistent with a 32-bit process performing the write.
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "k¹<\u009d\x7f…rì\x16«\bVΣáÎp\x12\x16‹\u00adtx9=\x03ÎB" cmd.exe
Manipulates Digital Signatures 1 TTPs 64 IoCs
Attackers can rewrite the Authenticode registrations under HKLM\SOFTWARE\Microsoft\Cryptography (the CryptSIPDll* subject interface package entries under OID, and the provider entries under Providers\Trust) so that signature verification loads a DLL and function they control, which makes an unsigned binary appear validly signed (SIP and trust provider hijacking). Caveat for this run: every Dll, FuncName, $DLL and $Function value below is set to a non-printable byte string rather than a DLL path or an exported function name, so these writes corrupt the registrations instead of redirecting them; for 32-bit callers that resolve through these WOW6432Node entries the likely outcome is failed, not forged, verification.
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "I\tžpv>Ñ\x15°K\vx%¢ƒ\u0081lÀ\x14\x12m$…çý\u008fÅg" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "§•͹\u0090W%`\x142èTo\x12 ÎŒ\x10bT¢ÃS½«M¢ù" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "k»LÒ•ó\x18ÕàAªž6Û\u0090\x7fÚ4il~\u008d…†\\z\aø" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "²µ¶\f/•[ÍHŸ@/k\x1c˜" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "KÕôóß$ßbQÈbƒw‘eμä—\"nÞ\x1b›+‰…†" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "©\x13Íhä¦î¶IÞ‚×Ø.Ÿ\\cC<\x02ð.â\u0090\x03p\t\u008f" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "ð\u0081>\x1dø@T÷Výæa/ï“r7œ‡™´]Dð8Ÿ·Í" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "ˆ®)P÷^\x19\x10\bÿR[ø£8¹òsš¥:„Úw4£-ã" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "#ñ‰6¢Ï\x01\x10\n&õzÑù\\\x1fµ)’Ügf\vÆs†\x17É" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "‘fÜ{ã§ûf›\t¶\x02‹€q{Â)w([•\x03&\x1d~¼Å" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "âòWÈ\x18Ý…bý\x0f˜åž\x01oCV\u0081\u00ad‹Ô\x0e©'•ãoÜ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "Š2N#åSs–N\x1bÒ†96œ\x0e\x1d\\\n»ì Ÿ™?ç—(" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "ß#úÍZOúˆt›\u008dÂ.Âý[BÂ\x1bŠ\x05/\r»´YñS" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\FuncName = "\x1fIU\x05Zm\x1f\x18{ü „Hij\x02ï÷Z\u0081ë—¾½?\x1c±:" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$Function = "\x1a\x01¿%\u008f2\x19á‚ÜüRîñÙ©Ò\fÃûñÏê\x02¥\x10¢&" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$Function = "ª¾d°\u00a0¬îà\x1dJ”ñ”,ð°\x15Ÿƒ”_Û\x04ÝÁ\u008fõ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\Dll = "c7Ja{–ñ˜`&`à¤'”ј€»\x02¶¢I^ÆrC@" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "?@‰±\u0081c#sÄ)frL\a\x1eR\u00a0@G^\u008f&rôŒ\\±Ü" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "C\bìæþ\x1eè\u00a0(]<a@\x19y3¯¨5—z¼þ\ttcŒ&" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "¥åƒì/Ô·“\\áÎeE@7ïó€+\\Í\x16d\x185„~9" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "Kx\x19Z\x1eÊð\x1d\u008dÌ\x13Œüž`{æP2hÛ³\x1cöD!nç" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "™\rt\fæÀ-HÿÌ/\x1b\x1e\x17â&[s¨i«ÔNEïo\vI" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4\Dll = "÷t¬q\x18“qôLêU^ˆÍÅgf\x7fç¿\x17õ)¿x®˜¼" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "e›V·ôR¯ž" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "ĆùÚSˆ$geQ†ë™–9OÝS«‰Ã»½èª[òÑ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\FuncName = "ùã\u00adm³\x01Ð9w\x1eàv…f›úË(\x15¼»×\u0081ƒ“\x14‡Ã" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "CVR\f‹“\x04D;?¾ÁÉd\x11œ\x0f{—;" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "…\u0090¬ÎÛÓÿ.¶Ú|PV\n#B\x02\x1a‘ó\"ÐÅöT¬À\u008f" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "Ò–\u0081â:\x02kš%,§éן*\x7f´?\x1b‹!ÓP!Db&Ë" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "Ÿˆ»\u00adf“\aGÿ\t#°—µbI87_º\x1dB\x10nn¡ô&" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\Dll = "ù™¯›\x11Fg\x19HS\x02–QJ;SX‰Ë”LËØ@/-BT" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "Qr·jX‚vXlÑ„»\\ÙôJ)¨Þl¥\x132„ï\x0e90" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\FuncName = "\x18Ü($_\a9ÅdOa\x7f/" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\FuncName = "D†YŠ!Ç¡t" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "4Ë\x01ã\x1bx„àí”»øKµŸe¶ƒ•\x16yÂXSãa…N" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{000C10F1-0000-0000-C000-000000000046}\Dll = "Ò¼H½ç-*\x16J œM•bz‚³¼?\u00a0áõPã\x1fï\x182" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "ÃÿXk²>ÎÃ\x15ë\x1dŠcõ\x1aåñ¡œUïîp'Ú[\x1c\x13" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = ">Qh£s5ƒ¼\x11oô(9öÝ$eºoÆ-}ÎêÕýNÕ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$Function = "—oÿ\aä¨]Í“•ˆ\u008fâ\x10Ésž5\x05>\x02Ú%\v3Ù" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = ".mÀú&g&ö\u0090žå<g;´›\x02õ¡\x1e2‚eBY,îÊ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\Dll = "8\f/4+Ø!çáÀ¥¢\u00819\u009dº µ¸Í\u008fàC€€:¬\\" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\Dll = "çH¡¡›O\a\x0ewÎVDÍ\tõÜJÈÉ¥¦ªÉ\x18\x0f8\x1f\v" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\FuncName = "¶\b4+®”n8xUtæ?(pÌdªÝŸ\x03ñ\x03Y\"sÎÈ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "ÖXN¿¡Ý\x17ÊŒöióBE6\x7fôOÓ™\x1eÒk\x1b:õ@é" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\Dll = "8€x¼‰aD\vç'+¿ûó\v»À©:¶ö›w Þˆ(þ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "\x0eJ¬ä·†CûEkÔ´¤\x1aµ\u00ad…ŸÑ¼×ª¹X‚6Æ\x14" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "\x18¨:n³yJÅ?²\tõÖÆæ\u0081±Èç¬íS\x19˜øË&9" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "\x14WM–ÚøZº×ŒU7áëÀ\x02\x18\x02–µÿÇ\x15â\x06é‰?" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "S\x12\x02\u008dÌ z\x0fÇÔÕÍ\u00adâû+O^önÐòz!¦¨ÊÓ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "Ûj̳úAqüL=J(\n\x03\aF¾“«Žœ\x1dTd\x16î_ž" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\FuncName = "‡³Ä_+÷£m…Ù6~\x03‡ææÛÞÌïà}þ\x0f\x1dþ]…" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function = "üJ0ã£\x01—€GIgg¸—j<¦\x7f9\x0f좷¥ËöŠ\x01" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{6078065b-8f22-4b13-bd9b-5b762776f386}\$Function = "Ç´~\x0f¯}(\u009dV+\r\x10¤á³hÆ,¯‘ vt-\x14·Òn" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = ":ºêA\x11È´7Yß\f\x16\x04™H\x0e\x15¾\x05\u008d\n´\x04\bé\x1a)ˆ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\FuncName = "¹Ê32œ-\x17ê½ð\x13\x10Q‚›\x1bnGT2AÊ\x1e¡úz»" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "\x18b3¬\x16ÔW–«»”ЇÈ2=‰ˆØ‡\u00a0ä¢1b" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "dQÃÑÄ.L»A¤\x16ôÁÿ\x02)×\b\bÛLÄ5æp;rF" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\FuncName = "\r‘I.¨wO\x03™vßöѨYj,€{‡ÌD\x06Q\x16)—´" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\Dll = "…~\x1bxº:q\fû´\x1a‚\x03½\x18Á¾Ã-ú_4œ\x15·Ðþ\x0e" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "I\x1aA‰¤Ú\u009dG‘\u008f=\u0081‹§]ÌB7RUúWhRyÏÓP" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "Ýh\x16ü<>ò¯¹o4÷çÝó£\u009dö–'‘\x18\u008f©Aîþí" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\Dll = "%Vˆ\x11ü»ú:Š›\x06Îwì\x11¡\"Óp¹7l`\u0090º¹\x02þ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "\x01î{Ùåû+\u00adOY?|¤¡Ì\x19f\x05æÚœU\x1e5ºàRç" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "»E?'ø[â¥SG2\u009d-K\x1aeú\u0090òüÛ^\x16»¦eDÚ" cmd.exe
Modifies AppInit DLL entries 2 TTPs
-
Modifies Installed Components in the registry 2 TTPs 64 IoCs
Active Setup\Installed Components entries carry a StubPath command that runs once per user at logon when the per-user Version lags the machine-wide one, which is why they are a persistence location. The writes here touch the GUID subkeys of built-in components (Version, ComponentID, Locale, StubPath, KeyFileName) with byte-string data rather than a command line.
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ = "[f\x13vHŸéV·=œmÜ\x1cK\u009d˜‘³ÁR´ÃU¯çÓ”" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ComponentID = "@¯}siÈò=Oh\u00a0\\¸÷|<¶:Šâ˜šÌôŲy\u008f" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Locale = "3‰ç:\x05§gçu .°ðÿÞßÌž«áDùÀ¸ÞóuQ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ = ")XúÊ@ô‡\ve½è|¢°\u008fÂ+A\u009dqG+Å\u008d¬õ¢'" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ComponentID = "\x16Lá'Ç%2ï>Un&Ü\fnT~ÓÍÀ‘é9¦\x1añlœ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\Version = "…ô8¸4‘+\x1a b0»E˜y\x12\x1f\rñÑ\x06ê„×t" cmd.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "\x19þjýJjÇ\añš\fÂŽà4\n~Nx#ü¤Sz”˜0^" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\KeyFileName = "2iWµŽ\x19Ñ: iÿ@?’@]ï¡—Ö#+\aHjœ0\a" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ = "&ø²ø]\u00a08ùŒˆmMè\u009d‡oŽ\x1d€³Ä¸Ä·3=ÔÎ" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ComponentID = "¨\u0090ùÇ\\“§\vºØŽàPÏP@\x17e»\n\u0090\u00ad§; \x1f¿l" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath = "Bv9`rZ&†\u009d_r" cmd.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "0j˜ª)‚s±`Ô:èRø(\x10}ÓvrÐEU\x14»Eì¾" cmd.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "R9q%#Ä’O\x13" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\LocalizedName = "ñ‹Ž\x1bÙU’3±p»‡\u00817\fDg…‘ù\u008f¡:Åœ\x05ʨ" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\StubPath = "\x7f\u00a0a\rfÒ²ôïý(\x0eþ\x0ft\x03E\bJ\x16¢)†\u009dòUd§" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\Version = "\a<ý¶êk6£ôʨ*\\\x11êá\x106\x02%Ñ'éPмv?" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOF TWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ComponentID = "ë}¸*µ>=ˆió\x1a.¹Z1·®ç\x16+'û^’1¦\fõ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Version = "ñ¨bK\x1cH‰R\x17y:ÕÆ\bäÍ£3ÃØ!äh°¦–‹»" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Version = "\f3›\u0081ckªF\x19€\x03\x17%¢ËÙS‰Ó¼\x1cnÚù‚îî×" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ComponentID = "\x1b\u008f`Á~ŒÌÇì¢,=@|\\Dd½·\x03\x10Å©ýúÃ\n¸" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ = "\x0e¿[!vójÀP4ÔßΆÃ\x7f\x1av$\\úå$÷é|\u00adË" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\StubPath = "-\x18ÖǤ]" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\ = "\x13¥þê\x1bg‰\x01PWÍŽ\u00a0‘\x1bºâîèÞuªÁ-©¡‘ÿ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ComponentID = "†\u0090êÄ\u008f“T4\x1dÒÀ+¥¬\vt¯wždDVÁÑxÔô³" cmd.exe
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} cmd.exe
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\Version = "\r\x7f\x1d\x13¨µosn99áq§û‡Ç\u00a0óã\x06íqÂH\u00ad}\u00a0" cmd.exe
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ComponentID = "\x1a°ÍÙIŽ\fzQ\u008fJî’;2\x1aìØ`m#É>6D{®." cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Version = "FJr\x1cÝ\u0090¸Ü»aØÑ\x1eå\t¼J¥àS:V—\x1e\bz\x19\x0f" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ = "zñºVò86¬9g\x0f5ÿÕÍ1X§ìA9¶6Å«\x7f[H" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "¡æud4ßS4eÌ\x01^\nMDOQ¥\x17b\f{Q¾Q°Pá" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version = "!ɆOÉ‚LS7¢î%!³d\x16Tïw\x1cÃg4¬°lúw" cmd.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "\x1c¹û~#NÓb~oÒn¾1™èÌ&„0\x1c_\x03H\x19\x18+œ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\LocalizedName = "‰ùñBà\t;YÐTø\x03q\x12u¼Õ?M\x142˜G®fòa\u00ad" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139} cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\ = "Tàënsó±®8G‡¡)‹\u00a0Þˆ\u0090ù6÷’õ0mœlÈ" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089} cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Version = "‘EÕ\x0ep…·NGä€Yĵ“\x1e]}\x05$\\bb\u0090Ùäh\x11" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "\x16¶2Ð46ÍÐ\bëÏų²©[0.¼U¹\x0f”;Žÿò)" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\ComponentID = "¿Kþ\u009d¥æ[W4\u00a0X1÷û—Ú|Mæ,\x04rjeÅØ•¿" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\Locale = "à/ÃÑËîó‰üNay,ß\t‹É_¶!^Hᢎ’Tk" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} cmd.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "\t•Õ\x19º\u00ad³0n¿È#†Ø/ð<Õr«ŽŒ ‘ñ¡Gµ" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\Version = "@Ã\x10®ÙLìE\u0081Ë m®\b©‡}½" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Locale = "ò#ýò\x03•…\x125áåi\vªTŹù2þN#gu¤.K«" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = ">\bvFŒ[\x06Kþn›¬\x10\x1cÚ\x15\"Ÿp“\aüÉ?·=\u0090x" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\Version = "TbyrL\"jùÏ&æ½éàç\x01\x02M\x17æ>#D^\x15Ì1Í" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "æs\x05„%ü{5:,\x1aç\bSûg¨¤½ì“Õs(ÎH\x1b0" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "\tJž`\";a&\x11\aµ2õÿ>Ó\að<\x1e…À€z\x11ˆ,\x7f" cmd.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "÷oo+°=––á'NòÛƒ\x1cNk|°\u009dB˜ò`ï7}¸" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ = "š\x02t?ýƒp8o\x04qÇd-‘ð™\x18á\x7f\x0eLK\x17\u00ad\x13»¬" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\ = "¯‹§MÍ\x1cÙ\x0fË5ÀÐ\x19½\x17Úð€±uþñ\"„C5\x13c" cmd.exe
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "Y´•\x05QA¢\rœù\u00a0“\x13Û+ºYÅK\u0090Ñ" cmd.exe
Sets file execution options in registry 2 TTPs 9 IoCs
All nine writes sit under Image File Execution Options\notepad.exe\0, \1 and \2, the numbered subkeys whose FilterFullPath and AppExecutionAliasRedirectPackages values Windows uses for app-execution-alias redirection. No Debugger value is set, so this is not the classic IFEO debugger hijack, and the data written is byte strings rather than paths or package names.
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0 cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0\FilterFullPath = "«(«’ÿZµ£´\x14haQ.\r\x0f]\b,õ¡a}\u008dYöcÏ" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2 cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2\FilterFullPath = "™\vðm6'ºÛº£‚çA®]Uä\x11ªõû\u008f‰Ëè5\x15\\" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0\AppExecutionAliasRedirectPackages = "ÝÒh¡p!)\tÕT>›Ã=‡\x11pǃ%Bcö\x01x@ì1" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1 cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1\AppExecutionAliasRedirectPackages = "þ¶äw¨=\u008flölËh‰\bʬÛv¹d\x176šð%7Ü\x19" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1\FilterFullPath = "‚v\x18¡\u0090B¢(¢\u009dg\u00901ì_ñH?üEWi*Ç\x0e\x15ç" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2\AppExecutionAliasRedirectPackages = "¢L+¹”™\n3\x1e\x14‹Yª0-(X—¡è\u0090\x1a˜ê¡_H\x14" cmd.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely for geofencing. In this run the value is not only queried but also overwritten with a byte string, so the check also destroys the setting.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\Geo\Nation cmd.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\Geo\Nation = "j‡m¢On\x19c[\x0fd\x13ø&g9\u0081\u0090¥\x1f\nK\x1cΞ£ÍÖ" cmd.exe
UPX-packed code in memory (yara rule: upx) 41 matches
Each resource is a memory dump named behavioral2/memory/<pid>-<dump#>-<start>-<end>-memory.dmp; the rule fired in seven distinct processes. Grouped by process:
pid resource range yara_rule
4684 0x00000000004F0000-0x0000000000B2D000 dumps 0, 23, 27, 31, 42, 44, 45, 47, 49, 53, 55, 57, 139, 140, 141, 142, 143, 144 upx
3596 0x0000000000E00000-0x0000000000F9C000 dumps 3, 4, 5, 6, 32 upx
3744 0x0000000000700000-0x00000000007F4000 dumps 7, 11, 12, 13, 36, 37 upx
1156 0x0000000001100000-0x000000000120C000 dumps 20, 21, 22 upx
1952 0x0000000000960000-0x0000000000A6C000 dumps 24, 25, 26 upx
3340 0x0000000001310000-0x000000000141C000 dumps 28, 29, 30 upx
1300 0x0000000001380000-0x000000000148C000 dumps 39, 40, 41 upx
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "ÈŽ&w8Ro\r¦N*\x0f\u0090È’zœ\u00a0\\\u00a0R[\x0fS;%;h" cmd.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe -
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "j¥œÉ—\x11oßÇ–Õ\x10u\u008dÖ×\x11ÂÃpðt\x150XÀAë" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "<Jå\u009d3${!\f\r·Û(A¥œŠ\x10çv\x04\x0e$txN†\x06" cmd.exe
-
Modifies WinLogon 2 TTPs 64 IoCs
-
AutoIT Executable 29 IoCs
AutoIT scripts compiled to PE executables.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\WallPaper = "y=ž(Û¾Ú›ÖŒLλíþ+Ï0/ÍKáÚÐTøŠ;" cmd.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target
PID 4684 set thread context of 3596 4684 VeryFun.exe 80
PID 4684 set thread context of 3744 4684 VeryFun.exe 81
PID 4684 set thread context of 1156 4684 VeryFun.exe 83
PID 4684 set thread context of 1952 4684 VeryFun.exe 84
PID 4684 set thread context of 3340 4684 VeryFun.exe 85
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System.ini VeryFun.exe -
Modifies Control Panel 64 IoCs
-
Explorer\AdvancedOptions\BROWSE\AUTOAPPEND\UncheckedValue = "‘}“\x7fCè;ç\x15ø\x01\u00905{¨3k{çV:±å_‰%\x14'" cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NOTIFYNOTDEFAULTBROWSER\PlugUIText = "=$µo\x0e*,d˜\u00adg\x11ïoõtô?M\x7fµU¨m›Ñ\x03S" cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER\CheckedValue = "Û™-òØÊy&`eÓ\b¬m\x14º¦S‹`áÚâ÷É\u008dB¨" cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{01E198E3-24FF-4602-9944-65E7B323296D}\FWLink = "\u0090:Éç\u008d Ó™SK,Ìz\x17Ÿª\x1dõ\aqŸJ“x´Sår" cmd.exe Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\URLSearchHooks cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{77BF5300-1474-4EC7-9980-D32B190E9B07}\FWLink = "@…\x1dðnL51Ì&:žÅ4;‡NóHBÙ8\x1fñà/\x03:" cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "2@É4‹uñ\u00a0’»\x05¥pÀ\ay\f\u008f¾v\x13–8—%¶šr" cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\NavigationCanceled = "Duœy\x14æ˜Þ\u00a0n*ô\x18Ó𣵳ä\x17\x17\x06ˆ\x03\x16Yž\r" cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\BLOCKMIXEDIMAGES\Type = "®ö\x06¢¹ß®´FEA„\x03µ…dØ›aŽÉTS/8œÖ”" cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\RUN_INV_SIG\PlugUIText = "¾G2®ó5vÖÔ\u009d\x1e\rç*\aðe9.³¢\x01m\u008fß521" cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2\Text = "4£B\x14ÜÇ!b•\x1aò;yý#Y\x12úz;½ÈæJAÛ\x1cô" cmd.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "˜©\u00ad>Ç]¾¹ïTÓ:Óo…¹`\u0090\x1bñòø\x14ká[“‰" cmd.exe Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "ãÓz×\x059}ôëp5åà-¹HV\n5\u0090\x7f½! –õލ" cmd.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4684 VeryFun.exe (the same process accounts for all 64 IoCs)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1156 cmd.exe 1952 cmd.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4684 VeryFun.exe Token: 33 1288 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1288 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 3744 cmd.exe (the same process accounts for all 26 IoCs)
Suspicious use of SendNotifyMessage 26 IoCs
pid Process 3744 cmd.exe (the same process accounts for all 26 IoCs)
Suspicious use of WriteProcessMemory 47 IoCs
description pid Process procid_target (each distinct target process is listed once; the report records 47 writes in total)
PID 4684 wrote to memory of 3596 4684 VeryFun.exe 80
PID 4684 wrote to memory of 3744 4684 VeryFun.exe 81
PID 4684 wrote to memory of 3300 4684 VeryFun.exe 53
PID 4684 wrote to memory of 1156 4684 VeryFun.exe 83
PID 4684 wrote to memory of 1952 4684 VeryFun.exe 84
PID 4684 wrote to memory of 3340 4684 VeryFun.exe 85
PID 4684 wrote to memory of 2128 4684 VeryFun.exe 37
System policy modification 1 TTPs 7 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing\CountryCode = "—º\u009dÀ…ÇyCûX©tøS\x1f„Ùg\u00a0˶·\n`ìôG0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ÍÞÓª\u009d©4yÀ\nn\x16òt°dçDG‘vǹ@ÅM¹H" cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "ÄÀ²\x18\x17KŒQ°I^*³a\x12BÏ¡ÁÃ\x0f\x15#Vz\x16ô[" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\ = "–\x10Åt\x1a¼\x19;°\x10Z\x1dÔ\nˆq)U'Æ×\\‰¶L\x7f\"&" cmd.exe
Processes
Process tree (indentation shows parent/child). Each entry gives image path | command line | PID, followed by the signatures triggered by that process.
C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:2128
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3300
  C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | "C:\Users\Admin\AppData\Local\Temp\VeryFun.exe" | PID:4684
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" | PID:3596
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" | PID:3744
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Modifies WinLogon for persistence
      - Manipulates Digital Signatures
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Checks computer location settings
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Installs/modifies Browser Helper Object
      - Modifies WinLogon
      - Sets desktop wallpaper using registry
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - System policy modification
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" | PID:1156
      - Suspicious behavior: GetForegroundWindowSpam
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" | PID:1952
      - Suspicious behavior: GetForegroundWindowSpam
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" | PID:3340
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" | PID:4072
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" | PID:1300
C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004B8 | PID:1288
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\explorer.exe | explorer.exe | PID:4928
  C:\Windows\System32\ie4uinit.exe | "C:\Windows\System32\ie4uinit.exe" -UserConfig | PID:3460
    C:\Windows\System32\ie4uinit.exe | C:\Windows\System32\ie4uinit.exe -ClearIconCache | PID:1104
  C:\Windows\System32\unregmp2.exe | "C:\Windows\System32\unregmp2.exe" /FirstLogon | PID:2784
  C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level | PID:772
    C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7cea5ae48,0x7ff7cea5ae58,0x7ff7cea5ae68 | PID:2152
    C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=2 --install-level=0 | PID:1908
      C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7cea5ae48,0x7ff7cea5ae58,0x7ff7cea5ae68 | PID:3344
  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level | PID:1544
    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x248,0x24c,0x250,0x21c,0x254,0x7ff6dc9eeb10,0x7ff6dc9eeb20,0x7ff6dc9eeb30 | PID:3700
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --migrate-edgeuwp-taskbar-shortcut | PID:5020
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb94e23cb8,0x7ffb94e23cc8,0x7ffb94e23cd8 | PID:5016
Network
MITRE ATT&CK Enterprise v15 (number in parentheses is the count of matching signatures)
Persistence
  Boot or Logon Autostart Execution (7)
    Registry Run Keys / Startup Folder (5)
    Winlogon Helper DLL (2)
  Browser Extensions (1)
Privilege Escalation
  Boot or Logon Autostart Execution (7)
    Registry Run Keys / Startup Folder (5)
    Winlogon Helper DLL (2)
Downloads