Malware Analysis Report

2025-01-18 22:16

Sample ID 240430-yhqh8seg4s
Target VeryFun.exe
SHA256 8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387
Tags
upx adware discovery evasion persistence ransomware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387

Threat Level: Known bad

The file VeryFun.exe was found to be: Known bad.

Malicious Activity Summary

upx adware discovery evasion persistence ransomware stealer trojan

Modifies WinLogon for persistence

Adds autorun key to be loaded by Explorer.exe on startup

Sets file execution options in registry

Modifies AppInit DLL entries

Modifies Installed Components in the registry

Manipulates Digital Signatures

Checks computer location settings

UPX packed file

Checks whether UAC is enabled

Checks installed software on the system

Modifies WinLogon

Installs/modifies Browser Helper Object

Adds Run key to start application

Sets desktop wallpaper using registry

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Modifies Control Panel

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer start page

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-30 19:47

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-30 19:47

Reported

2024-04-30 19:50

Platform

win10v2004-20240426-en

Max time kernel

23s

Max time network

167s

Command Line

C:\Windows\System32\spoolsv.exe

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "°\\¤+þ\x10ºÇ’8:ªÝH~ºé #\bÅž=\nÚºMØ" C:\Windows\SysWOW64\cmd.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\x01ô>Ên}É!Û\x10¼É%ª\x1dü©g©\x02`\rœl\x16\x13\x14™" C:\Windows\SysWOW64\cmd.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "FÁ\"\a*£\u008f‘2-€òÞ=TÑ|û\x0e\x15«\x04ô\x19‰JÙ»" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "Aå²W–?4°\x1f‡\x0fN”!Náó<¯Íú#@&\u00adI1u" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "é‘\x1fa7{\x117ÊóB¡¨¯Íf\x03ŒÐÝ‚\x14\x1d¤\u009dºôŠ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "í\x14Zfø\fT^Ñw¹,¶+iéqUØ*[ªþIÃT±E" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "îr•†¥¿«Ý'\x01»\u0090\x06p©Ðý" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "ÁðlË>E\x05j÷ZZ\tÖØ\nT\x11b§J…mÎUAj¾J" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = ",Y\x18©ºqEÝž¤¥œO<åh!zÁ\x03\x1a\a\x04‰ÛËA\v" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "sbŸ\x17\x06׿\x13\u009dJ'tÑÄV\x1b\x0e\x18\u008fã\b\x04\v\x13ß\x7f1\v" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\Dll = "*" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "ù¦\x12€\x19\x1f,ý{˜ÄçÊ6<T´†\f§)§|¡\x15¡" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$Function = "Qª^äè¼éøÊÂÂ\x1dëè0G\x06¥“\x1et?Æ\u00adR1Æ\u00a0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name = "(ÔTØ7³cO$&û¤XX]\u00a0¥Ö`žnj¢D÷+ŸM" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\Dll = ";Çhd»Éì̬^\x17Å¥*þ[½wÃr\u0090rÄä¿\x17\u0081ø" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\FuncName = "ZA\"J\x01#[\x1dÍ9\u008fÐ\txÖD”5p\x17{5\u00a0žõ\x02¿ï" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "®\vò“ц¼û\x0e\\ÍãÌÝ0Û5Ÿ¾R>Ìê?NX\nX" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "ã9\"äÓu¸f\x7f3ä\x0f¶žf\x1c\u008d1±ˆÉÿ¦Œ¦\x1a7\f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "¡\x13ñ”kë~èÐD\x03'.ó´ƒNºiaØÒ\að\\œ+\x1d" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WYhx_\u009dóüêàhšÏ\x04£?,‰ŒD\u00a0p°wî¡éŒ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "÷Jdf\x0e\b 5\u00a06\x06\x10b@/Ý'#w“\x02Ö«Ó\x11L¯=" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "ò]¯0Ü\vè´\u008dõÄt“„Æ6ƒ£¢Ñ”¬0\u0081è\u00a0Í)" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "\x7fÖ´µÅ•}\tÏ’" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "xоÕkP±\x15JøHŒœò[Ïϧc\x02\fšLz\x16Ÿyi" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{000C10F1-0000-0000-C000-000000000046}\FuncName = "ÁqaH)¥ú\u008d\x1aúɹÁwЃ¶ý¾P\u008f\x06Å\x0eŒ¾\x11Ò" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "\x064\x15¾šÏ²ӟ*û†\"ï*,W››†²Ôکߺ\f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "Ê" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "(Bæ ‹bqüƒ‡Ö\x0f;´bQH\x19$K\x05ÚŠø+â\x03@" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "XåÆÍúÓ\x1cëÎ0™¸áhôжÉâï¡\"\nŸ_bÊb" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "\\ÀÝÈ6\u00a0F[®\x7f\u00ad[oé\u0081†LÇ„ÇÃ.\u0081½RFÈF" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "_åWÅÕô<G\x1eÓ\nœ¦6°é\x189of¢@0qWðÇ\\" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "úr\rí¿VŸ\rTi¬Rp[HX\x11À¨\aùôç³t¿Ü¡" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "{׎‰\\4\x1a:¢¾q/bJ¡D¥i\x19\x15ÂgÉ,ލ\x16B" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "jö毆ýóª¶\x18 \x14Ç%ï+5K¬\x1b¦KVW¿í†ß" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "-Aðé£a\x03\"àûѰ¥ÀRy¾{\x01óûðpô\x05a\r™" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}\FuncName = "\x1e\x01\fŒ€j‰6\u008fr7\x0e{ßž¥Är.ÌA7+\x02\u00ad\x06\x18Ì" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "*ø<HºÐljÔ´áï‚|ä;³–HtãÏrVÉT" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "sìçU†eÏ&Q“\u008dX°\f‘}ã¡:.¿\x05“jïð+„" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "^欸1¢¤áôpÙq1œÃä\u0090Ìü}ðÐPd>ȦÓ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$DLL = "\x7fÕ\x18¡žMÌZ/v‰Ãÿ\nÅ\u0081ÂgH61*Ä|’ ôz" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "c:{~‘\"ïâ32Ð3ežðµâ\x02%eO{Zæg(*›" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\Dll = "©\u00a0rYZVFù¶\x06\u0090áñÆûþ\rúî§qqÞ²&ȉ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "^\u00a0¡ÄÑ\x7fa\x02\aÍ\x04E\x1c)Õ:Nô\\´1‰6ôåŒüë" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "í“ð\rã7(\f(pàý$µGÊ}b»Ì\x15+˜Û\u0090ËÜš" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "\v\x15ÊܕĞ!¯{{àòÚ„¼)fnQ2þ\x1b<p;á¡" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "¨BÆp%\x17ÈÙT(ã+Ø…4æî\"ßhÒ¢ºáü÷jT" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\Dll = "†òϼBØ\x1b\x1b{Õ\tˆƒXL\x18»låT”+TŒa‰(™" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "V©Ó\u008d\x1fµ_žêoœÿ?®*JêXIá\n¸´QÍ\x13F¢" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "\"ßÓgª‚9¼gÒ-1}ÅÚÒ·\x12î\x1e\x046e+\x16!z÷" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "²ŽíÐA_µ|û²‘\u0090E\x13ˆV]\t´Ó7PÍžêŒ ž" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "ÌèÀœ\x15lp\x14fMÇ„&\x1378Ðl2\x13Ña—÷îð\x01®" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}\Dll = "pQƒ\b¤‡ÞE\x18\nµ\x102\rW¯–ÇñfsáŸY%÷*º" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\Dll = "ËM\x13î(Â\u008fÞ>Þ\x1fï‰\x1aI*9¨vXÁc¯-\u00ad¬Ûç" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "\x1dD@d'ÍïJ\x17éÄ—ìgÝ&\u008f“\x19\x1eÂÝY¯ùh¡Ò" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "\x01\x1aeÞw©)çý\x04\x1a½v\x1f\u00a0kGê\x1fqŠ*ƒ\x03¦ˆiÜ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "À«W¼Í" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "fWa<-2‘‡Ñ.R%Öi½¨VmX\x12TT–׎—ÄÓ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "—RÍ…œ\u00815Bc ö/?\u0081¹”ì$¯\u008dŽ\u00ad\x06D^&Sµ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "µ\x13òSƒìX\rø›ýÜÅ`nò\u009d\x7f–¯É\rÉüÂý<;" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "ÑÑ‘\\9.¢Þ_zœ ºn¥•g#¼<\u009dUì\a?PTÌ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\FuncName = "‰YpsZú?(tu\u00813nš\x17žŠ\x06.Ojª^\u008fZábÓ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "\vó\vd\n+¾ðy·ì5\a\x04\u008d²\a\r9/\u0090îO½£€i\x1d" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\FuncName = "å‹–õÇÏî…\x15Ø«íò\x1bÁ\x03»è¡â\x05´+Kˆ”Ím" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "´ÃspêØ{·PÀ’\u008daŸpv9¡êÊôå¬\u008dr\x1aÿk" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "©\x1d'<l\x0féë\x1cjùÝr™F\t\fí°Ö‹¯\x14¸°µ\x17\r" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "…Œ*æ\u00ad`¬\"\u009d9³EïÝÓ\u0081³l\u008dÏŽfuy\nÐeÉ" C:\Windows\SysWOW64\cmd.exe N/A

Modifies AppInit DLL entries

persistence

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Locale = "\\;zgÒM¹êeZÅKøh ™¹*„²ð‘•\x1bP\a+U" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ComponentID = "•\u008dXX¢%Ò\x1a\x05°²öOáËIî*ùõ(\u00a0½Z·Y¡Ù" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\Version = "Bc`Úháf;”‚wÌ ŠûFR\x19ÖÎïZ. —î\r—" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Locale = "^\x0fѦMÇ\x03Í;)6àâv\x14äÑš\x04X\føcbô×g." C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ = "yº9±”îINnëW\u008dÑqÊ\x01ë€Û–$í\bjÃ)" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "”YÂòé’Õa\x0eÛa£öD<˜÷?ÅeK\x7f„\x05F›œT" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "\x02Œqô$é–iæq˜2>dºƒÐ³˜\x03ä4÷ú‰\x16å(" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Locale = "\u009dîóI\x1cIòôXµ€pmd\x10I>~\x10[îŠðÅ`¯KŠ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Version = "×åü›»·»]É\x19¤\x02Õ6c2¸àfóäé:ö˦HÈ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Version = "«y~Ô™R{3wË\x11S//þvêwR6ì—݈\u0081\u00ad\x1c¹" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\ComponentID = "唘1½Åþ¼Gï[¸_°¨ÞAkÌy\tyúu¤aÆ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\Version = "R!—ñÑÊcÃQ2©NQ\u00ad\x0f%[åô" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Version = "\v:%\x05>\x10oŃÈö\x18·Ùw³\"\v\x1b·ù²Å·1/" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "åÒ\nÊ\x156I\x1ay-€\x0e\x0f\x0f—ÏÓBݘ”y\u0090£Ïñ„Ç" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "B¥õÛê\x10ÁSÇ_íU8{eB)\u00ad–g‘û-×äkv\t" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Version = "¬ÃÃäe/=FÃ\x15\veéiýë ©4‚Dú¤vé=%" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Locale = "ȇ\x1biQk\u008dÓ±\x1eCè®)™$D패Ç\x01\x1e]\x11VML" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\LocalizedName = "™œˆb7•KÈYEœÕaL$_\u0081ˆNÎqótŸÁ„ƒ9" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\StubPath = "\t\x1cßÖ0¥êÖÞÜåÑ^:´hÉP\x7f¬Öv\u00a0ð÷ï\n\a" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "´“„°±´ñ=.û\x03M\\gç»k1'\x0fØï2\x05?û1¤" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\ComponentID = "ö\x0e\x7fÚ\u008d\b,ý^\u009d|Û\x06÷\x13Ù#½¤ô–ËÙä" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ = "šˆ¼‰éq\t`ƒô®\u009dÍ\x10”2ƒ¸û{¥¢Ö-¥Ž¿´" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Version = "QÈÆÀ\x18»ª\x12…µô‚\x16Ú¶O\x06\rWËv¾Í\bÜchÜ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Locale = "©\x1f¼\x03´\aÝW~ƒ \u008fœ5ዾzÓÿé±€\x1föè³¼" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ComponentID = "]¥~g\u00a0@\x1fN.p\x14,\x17³Ê{'^\r–\u008dƒ\x1eE76Ô]" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ = "\fN6\x15ª4ŠÁ5\u00adü\u008dä{\u0081;+…&级«9u«rÚ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Locale = "ï\x19.íARî/¾Ê\u00a0\u008fäŠ\t´¢)¸|i–RÒ\x06D\x1fk" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\Locale = "L±\n$p1Ì@\x1c‹7ÙÌ\b\x1c\t\x12çô3µ”ò\x18KËãr" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ComponentID = "bòG’|\x1el\u008d\x12Öy>\x15ÑŒ\x06œ\x19ÓmÌXJ|\vŠ\x10*" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "\u008d?0\b\a¡\x11Stsç²jL\x1aØP\x10·zfÑ162†¡O" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ = "\fR\x17\x15KIPEÔ\x03ü\u008f\b\tÑe\x17f<¨Dp…³%ä\x1d“" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Locale = "÷$îA\x06˜6¿\u009dšî\tuÊQ=B»žÜ*·\f’?p\r\t" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version = "Þ¿]m¿ieì;tl6a\x1eÈ®é§\f" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Version = "œ\\ÿOï;²ó_I¥ô&Xg¢\fk\x1c?Æ\u00ad¦)è\vµE" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "\u00a0´\"Q²" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ComponentID = "\x01’ûN•ª±\x1eGT“òM@¬ÛLLúwhã\"M\x19\bëX" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Version = "ÕÔ‹×ã/“\v„µ*N«Aƃ_ÒEírÇŒ\"ÒÖ\v‡" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ComponentID = "ºwù{¶À\x17|R\f8p¾AåwÕûõcj\fJ›\x0et<”" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Version = "“{ÆûÞW\u00a0¸\x0e1Hò¬á\x14\aâü5–BÔUИ\x16ìÒ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\ = "wÑÓRm1Ù^à0ÜÒöá\x14§\v=a\x10E\x1cñ¯×\boŽ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Version = "ÏÁ\u0081ÿ¼KQÊݼÂ\u0090ï”Fœ¦$ˆ†ÈÖAÜ/[" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\ComponentID = "\x1bܨȹ¦nÑÎ\vˆÂµ\x18\x1a™´3| œ«¦6%ÏØà" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "×Fcc\aï3\x03\bã[5\u0090>¹\x13I2\x166x:\x06L‘\x05\x18Ç" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ = "I\aW»\u009dÓ÷ùV*S@I„¹7”ëe»µi¢îóK§•" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ComponentID = "”ñE3•n\x10°*‰¬Îôø¨¦|:v–²" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ComponentID = "D |<ºM—Œu5&\f\u0081„ÕYÆ)›ïá_Í”\nŸÀÑ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "&¯ŠÒŒqÇÜöÃ¥×ÂÑ\bþWÊ\x19Î#œYB´ã\x1e." C:\Windows\SysWOW64\cmd.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation = ")\vùuz˜\x1e;×tí×9téóþ" C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "Ǻ\x1a€´±<'õÏ\fÅ\x05Œt¦Ë—½7u¯èÈÈh\x02W" C:\Windows\SysWOW64\cmd.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "UÛ3ãþÇä×u0\x03ô_åV²%ÿ6›6+9\u00a0Þeóâ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "\x1c\u0081»/\x03\x17ö¡EjIäÖ%Nã BMsé½a\x10D† å" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "ø\\Áäe\x17è?\x1ca\u008dò4\x198™1c›ÔûL¸äé*\x14\x04" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "IÞ¦\x11ï" C:\Windows\SysWOW64\cmd.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\DisplayName = "\x1b”‹\x11§ègŠmR`Ë\bÛê¦\u008d<—¥[\x0f8·\x7fSs\x14" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ = "\u008d/?ÕåÙƒ}&‹5öü\u008fœùüS\x13ËPäžðº«s\t" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\ = "\u009d\u008d¸«>®c\v4" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\DllName = "Ú\x0f¨ƒÃàˆ§ô:Ái~\aÀÿ\x10\x04A\x7f~&%ù§!dH" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\DisplayName = "¡:éQ¼Q*JDsXæ_\bó«¦ÈW¹™Â·îÕdî_" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\ = "\x1b°öÒ/·LcgOyVEYõ¡wVP¥ù¿Œ\x18‰\x04'—" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\ProcessGroupPolicyEx = "„\x02\u0081\x10-i\n\vÞ?V4®åÁpWi©°ƒÛÁŸ&\x7f7Ä" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ProcessGroupPolicy = "l‡ê™gÄy\x04¯\"*Û|\x04DÔñØ\x04Ä첎³\x11¶îG" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ProcessGroupPolicy = "¶ò÷\x13{\x18{ñÄV\x13Û\x10–ë\rþÖS@\u0090ro¨^:ÐÕ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ProcessGroupPolicy = "í¡Õ\u00ad“$û:PèŽ\n\x17åW–\x02Âg\vì#P“Ú×\x15±" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\DisplayName = "Y\x0fž¹ã¯\x1bräçäÜ2klžÕ^\x19\t XÝ‹ö`ˆ\x1d" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DllName = "”À[£»àa\x1dïÉgôiIwëß7\x12\u00a0]" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ProcessGroupPolicy = "GðM‘ƒ;›¹)Ý\x0f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ProcessGroupPolicy = "Û¼\x03~ös_†Á»th:Êñ5F>\x13\x1a”¸\x1d3ú[v›" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ProcessGroupPolicyEx = "\x1f¯Òé\x11" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ = "`(`żc»Ò\x1c¿dæO/©dÍt³µD…5Ö\x1d—†" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\DllName = "\x1f\x1e™\x02\x0fE‚\nWHä\rw°˜øþˆ\x1d|ˆ0ƒzmª¬\r" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\DisplayName = "ˆö\u00adXA™" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName = "k«\bÊA&k$§Ü#JY–¤¤q\ré\x0e°fl…×f\x1c]" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4B7C3B0F-E993-4E06-A241-3FBE06943684} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\DllName = "\x10î\x1c“ÈöúòE\x01\x10c/ð\x13\vŒ\x05\x1ef\u00ad1m\u008f\x1d$\x06ð" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\DllName = "Q²]5/ZŸÌ‹1bãU…ÜÎsY\tŒ¡\u0090‚‰Wxh#" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\GenerateGroupPolicy = "r\x17‚OѦ‡ô_÷=\u0081òPof)z–úÜ[uÅ\"\u009dV\x1c" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\DllName = "\x19…vï\x0eXtVÿ°¼1H‰°M}Wp\x06\x10‰\u008dÑ\x19\x1d\x15‰" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7909AD9E-09EE-4247-BAB9-7029D5F0A278} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ = "£³|Ì\u0081/ã)«p7XkÚs–\rÝBˆžÑ¥…\x06ù’d" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DisplayName = "†Ù'.\x11ª#\x178¬³$¹O;ÝíÆ2©Ž\x06ÿÙ¤§$\x15" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DllName = "\að£þ¢‰~\u0090Å\x19Ÿ*B—\u009dö\x13\x1d6ÇÓÚÙS]öº(" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{2A8FDC61-2347-4C87-92F6-B05EB91A201A} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\GenerateGroupPolicy = "\x1cC³¬Ë“\u0081)bŠFB8Ô\x16M¡!Û\x15I’]iQŒ˜1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\DisplayName = "\aÑUe!ÑŒí\x17K~(iÊÄ\tK\u008dßp,Ðb»&׋í" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ExtensionEventSource = "¸\x7f\u0081—Ï5ÅŽ…ûQí©áT\x1dþ²'\x12ˆ¦]^·š\x1a³" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75} C:\Windows\SysWOW64\cmd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\EventSources = d2000100f200af0014002b005000e000ea001c001f004200ba004500b900b7007e017400e400ac209000bd0018001d00fb0009002500780100000000 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ = "\x1f;\x1e&ö€Ù\x03ÆÎùÅ\aÎðó$ûÁ\x17$hh]\x15\x11ô™" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\DllName = "‚¸Z¡\x0fßòÁ\x1eý!•©~ú6[á\x0e\u0090|•¢4V’ÞÉ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F} C:\Windows\SysWOW64\cmd.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\WallPaper = "á\x16NS\x06í\u0081Õû´0Qj\u009d\x14XEmíü«k\x02%\x12æw\x0f" C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\System.ini C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\ButtonAlternateFace = "X@" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Cursors\AppStarting = "'}N¶\f:«L\x11ôÖ\x18öbìùJlå~†y½ü+³Ú" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\iNegNumber = "0\x17_\x1eµô\x11§°m\n*€F\x15s•žs=OÂo”oú©©" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Mouse\MouseSpeed = "\x1e®\x1f¬D÷s\u00ad5Öâgæ¦Cìjž\u0090ƒ\x125é6·öœù" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value = "Éu\\\x1bòh.¤Ã²—xq{ïëòàj8¿„áÒ¥\x16Bë" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\TimeOut\TimeToWait = "pÇ:Z¿(rZF°½>\x10óƒ0gFS¡£?ó‡¸" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\ButtonLight = "\r\x16" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\WindowText = "\x16F•\x18Áúðc!çúÜ\x10¤¨\"<—Ò,1\x15ú¤5hi;" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Cursors\Wait = "¬µ'º+uá\x17\x0f)n\x01Ù¸2\"CËVÓ(\x10Ÿ\x05á\u0081\b~" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\AppWorkSpace = "E\u008fì\x1bGÇúB5W@+”¯ÐNjP\x11¾¤¦=[2P.\x0e" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\ShowSounds C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\InactiveTitle = "<z¾ˆy¡\\̲›#pÞr{¶î³8Gh¹K’Æq\u0081" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\RightOverlapChars = "½gÞ\x02^~åì…\x036½s˜È¸[\x02Dp·`?ÎÂ>)ó" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\iTLZero = "¹\x17÷\x16Ch\b¥2\x1bµ³í¼&'Zé‘\u009dÁª‹ž\x12" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\ButtonDkShadow = "Ñ9Rt\frH›Êu•cRál”í…se;¡‘¨¹âü{" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\HilightText = "u`ºÓŠGªºCZ›ÐèÒ7kí|ÿÛÖd몗—àð" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\CursorBlinkRate = "põ³…Õs&5n¨¯p×hÔ6ø\x1bÈáSÚ^\x04{õÉ%" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\sDecimal = "fê.¬?á‘rß\x01@\a]ô‘\x12³M\u0090ê¥)Ê0·v£\a" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\ButtonDkShadow = "\u008dâÄ!\\㊩\x19CȈL\x1a.ö=Õ\x0eDa\x0e¡¶q–'ÿ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\WindowMetrics\IconSpacing = "—5\x12ö;¾PŽIû;ñ¹P†úýZ6¯Dø\x06@]z£ " C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\sShortTime = "/$:pñLÅ/ˆ`:À-=&\u008dyiÀ\u008d\x10t+ù‹îÏw" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Cursors\UpArrow = "G®€þÒn|:Þ\x02<\x0e+kàÆÆc&È\b}‚·ü\adÎ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\TitleText = "\x1eH&~NóU؆Ómj?Ó*=GÜkþ¬B\x10\u008dšÊèf" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\WindowText = "ÿ\x14‡â\x01\x1d\x02³ŒòUù\nRº¯|íí\x13ŒeÊà\x01P*K" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Mouse\MouseSensitivity = "'®" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Mouse\MouseTrails = "\x19•§èÆ»¡”\x013ª<" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\SoundSentry\TextEffect = "È\x14ÊÒ-Ðâ™ÄˆóÃŽ¼>ÂŒøÞ¥\u00ad\x15±¯öÆ¡T" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Appearance\NewCurrent = "D\u008fÓ\r¯zà8b" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\HotTrackingColor = "?B\x13ykþæ˜ê\u00a0a+×$þ‚s~,P\r`;ì(Oú@" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\PowerCfg\PowerPolicies\2 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\Keyboard Response\AutoRepeatRate = "\x0eµ\x1eŒoÔ‚£\"ñ‡…§}¸7ŽF²KÆ\x1aYݺëKl" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\ActiveTitle = "\x10Pv{îó/kM€\x17Ã\x01àõQ\x06~ÕÕ·M\"ÖLoó|" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\iCountry = "ØÙBbkd#‰«O'â¾¶%\\\x1a$àr\x1bÑ9óôõ´I" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\PowerCfg\PowerPolicies\5 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\GradientInactiveTitle = "clù>t6Gí@ØøÂp÷KX\\¢õ8E\x18Æêl‰PÅ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\LeftOverlapChars = "Wf¤S\x1c9\x01?ކ“÷t2\u0090ckô„\x12b®¶T°ÑÃw" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\sDate = "Ö\u00ad\x7f\x02UVoPiÏÌóLʦ«\x16lôkeW6¡¥\x1eö‰" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\iTime = "ÞéÑÌ?ò\x15lf@\x01„oŠÃ®Bx…SÌ\v¡`ä\x0e2«" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\DragFullWindows = "¬A2jÃ\x1aÉlxÏ¿5IÞ‹®oçPŒ_›ÇÖ7fd´" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\Hilight = "§Q•\u009dÀ-Hȸ\x06ÇH\r\u0081îXÙ\aŽ4þ¿[¥\u00a0\x1e›\u008f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\ActiveBorder = "£i\x14hVoø\x04²ø¦‹XB¾‰É©\x1cñŽë)lO¬ø×" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Cursors\SizeNS = "ogéþEí´ÄRÝ̺ó<îð(Àñdý0í—«‰\x1a" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\iCalendarType = "ïpßw’Ú\a·\u0081¦í³°Lr-nãì®–˜î}‘¤§\u0090" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\ButtonFace = "¶d\u008f1ƒ1ºÆ#Œ¡yAØYä¬k\x02ªö\x1e®‡ª®Þø" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\Window = "t\x06°æAºpdøîeÍýìÁÏøŒ\x16vyÄ“ßÞ\u0090IÆ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\PowerCfg\PowerPolicies\1\Description = "Fp…)=š\x1f\x06\r C\a\vp\x0fV€\f$C\x18>]²Âny…" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\Keyboard Response\Flags = "\x11b\",ËPÂø9”\x01Às\x01É¡Ú1ÇD“–)ÛØ\x17„Å" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\s1159 = "ÙNõÀWc\u0081MYÔ\x05€ˆæ½\x14ÞQä\x1b2&þÕ\u00a0=8Q" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\DragWidth = "Û!ï«lM.{p¦ŽQPoÿdmmI\x03\\\\\x02ÿœ[éw" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\iFirstDayOfWeek = "îéc\fœMœ;b×\u008d0XbSm\x17±z+S‰\x1e¿A\u008f\x14ˆ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\GradientActiveTitle = "Ð\x0eNÕ{”öÕ\u0090géÚI+\n;\n]'sÝûY\x14)2\x1a…" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\WheelScrollChars = "\fôX3¬2C\x1eÎgq1Êæ\x11mADq©bô\tÊÚ]sv" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\sGrouping = "‘Âæ{IÌ6G\u008d\aÒb2\vƒ\x02¬š\x7fÒ\b\x12\x15˜Æ\x1bãÝ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\PowerCfg\PowerPolicies\0\Name = "»•6\x1a<Ô*\x13åðrbPjpׂ•ëÀ’3ç\x03á׸Ú" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\InfoWindow = "áh\x17|®1áX\x1eËÿÄ<Ž\x06N\x7fW£àQé6\x11†\x0f\x7f)" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\HotTrackingColor = "\x0e\x01\x1e—T¦¤âAU—ëü‹Ÿ¹\x14™ú\x041\r\x1c\x15×ì}\u008f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\sCurrency = "©\x14B\x18“€÷€º&}ÕÕrCÓy\r\u00a0”§•TS„gV\x1a" C:\Windows\SysWOW64\cmd.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\User Profile System Backup\Languages = 3c00e4004c00220015008f006000d200c8002620c800240066003e007f00aa00f7009d0039200d0035003900440022210d00a6008f004e0000000000 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Name = "ƒ\x1a¹X~”Z|ÙÞʵ¼†ç\x01l\u008f“\x1d\u00ad•\x10ïÙâ°\x1c" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Mouse\MouseHoverTime = "©¿?\"¾Ïù?\u00901ž@W$[Á:>—ö\bÝ·Ú°\x10ÐB" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\StickyKeys C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\MenuText = "“\f_\x05kÕF°bñoº\u0081>“\t³E°þow\u008d`=·Å9" C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\International\Scripts\10 C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\International\Scripts\34 C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\Bitmap = "j€\x1a\x1cÅ'óç\fæ\b(\x01\u0081ö‡v›áqb¬î\u00ad¨û£Ü" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\ALTERNATIVECODEC\UncheckedValue = "éZ熈&»€“!+Î5Ýwör\x02¢‚£xê\x06\u0090†ªQ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{79CEEA4E-C231-4614-9E3B-53B2A02F39B7}\DllName = "LXþø\x02ãâë*á¶?ÑíÊâi›l‹¾d|£T½t" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{186e0934-aee9-11da-961b-0014223d2a70}\AppPath = "$V2\u008dÙ\x19õ‹lí\a\\\x1cí\u008d\rG„ÕÖ^o&äÅ–¬t" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A3BC75A2-1F87-4686-AA43-5347D756017C}\FWLink = "å¡>´ï6ýœç\x14“04šiÄã»OïߘOZ c×z" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9}\BlockType = "½Ç…#@¼®þ‹\a\"g&\x11;\aŸç`\x05Áå¹}\tzv%" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "@\n\x18Aã¾P[±\a$ÆòEý†år´ÜÌE/öà¿Ç\x02" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{C451C08A-EC37-45DF-AAAD-18B51AB5E837}\FWLink = "iç9T¾8M\x02 ;Ñ—`\u008f\x16¯n=Ã\x12¹©ÿ³e£LU" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "'cí&#b«V¾€Y+h˜›b¨¢\x19:W\x1c[Ñ?'(\x0f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PLACEHOLDERS\ValueName = "‹c¸\x0ew™™ªÈ`\aÝFc\n\u008ff˜$g\\Õ>°+.ÞÆ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{00021a13-0000-0000-c000-000000000046}\BlockType = "wTcݽ\u00a0Ü1ÂÌ“5ƒ˜eÛ-\a¦™\x0f\x1b„¡ûP;ê" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{1A8AC5E1-7AAC-47E9-8D8F-1D4B499F83CE}\BlockType = "\u00a0\x02˜.HE¦•Ô<k\x17½\x15/̓T$¶4^i.¶‚r»" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{57F02779-3D88-4958-8AD3-83C12D86ADC7} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5A074B21-F830-49DE-A31B-5BB9D7F6B407} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\AUTOAPPEND\ValueName = "»ßIã“\nòß\n\u00812çç†l+:¤Ö…•yÿ\x12¸uF\u0081" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{29CF293A-1E7D-4069-9E11-E39698D0AF95}\BlockType = "B®F¤RµôEéãùT‚{HN\x02\u00a0¿'æŒJ(\r·\x12¶" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CHECK_SIG\Text = "½" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\SOUNDS\RegPoliciesPath = "b\u0090\"•q{Hp\x1ep0Ilhbª\x04úeýÆ1B\u008fÒq׬" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7}\CompatibilityFlags = "` ”•²\x17“³w]™Îï”Ì\x0f¶ûêmßma8úne±" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\DesktopItemNavigationFailure = "A]e\"›¹\x05˜M6ÓR\x14dAØ\u00a0`" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\INTRANETFIRST\Text = "häöä‘uf\f#U\x10fµj\x11”qhŠa!aê\x14¢nÒ\x7f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{812954F9-FAA2-4aee-A9E7-3C4FDE2166A6}\CLSID = "_‰¿A#¿EŠ·)N³\x12ïö1[é\x15½(|}hãÇ|ý" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\DOMStore\Text = "†\x01c®Hë\vôv\u008f•~ÑN|\x0el¾Ô¯s÷}׳–nÄ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8_URL\HelpID = "\x01ðDΨn™>Ðò/Á\x1a¦Sˆ²]ØÐÐ#dn°u\x05ø" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{e5f90a07-7db7-4dcb-bd6d-d3fecd376ca3}\AppName = "ÜãH‘\u00a0\x1b®Ú½(\x11¸”#\u00a0·ñ2Œ’\n\x17þ³<Q=\x05" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Enable_Disk_Cache = "Ѧ\u008dR+Ô\x06Â\x15PY\bO7Ò>ØÌ³Š¬)%sxù޹" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\HIDENEWEDGEBUTTON\RegPoliciesPath = "±\\\x15>{í>$/PP\x7fDÙo@ø:œŸ*ô–ì<\x1dä²" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{179E4A98-A3C4-407D-8C66-E63B67BB6F4A}\Version = "|\fm“\x03¹\x17\x1c#—\x11´\u00a02µ½Q!P1ê¬Òºl´è|" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}\DllName = "\x1cú›+ƈn¯³\x15ÜÁÙ.Ãi¹\x1cÝj©ñYøuN(W" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{21FA44EF-376D-4D53-9B0F-8A89D3229068} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\CompatibilityFlags = "l\f'ÈËÉéÃðL•ÿÐó²\x0eOÞ.œSÆ×$ÿ\u00adr…" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{BF09613A-4564-4936-B6BB-B23B1D3D4FD7}\FWLink = "\x1a^\u008dÅùQ!Bô\x1e\u00ad\nÛÆÒwÚy^T~àîÁHÜ?ù" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\DllName = "Ÿ\x05‡‘¬wF-8ß{‹Àç\x7fê~\x18î7Â)©ÙWÓÄÒ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{11359F4A-B191-42D7-905A-594F8CF0387B} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\BlockType = "\x11Z\"’÷W”\x12ÿËè\x1eA\u008d\x17\t\u0081h\x0e–º‘X¼àN_s" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\PREFETCH_PRERENDER\ValueName = "9\"É\"àém\x0f¼x쬻(ù˜\x7f]ÏÀ\x15!|iÏ~\u00adv" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\DOMStore\Type = "\x146s ó”ML¹\a\bó•‚Ál²v§\x16•ÙË;\x15»`" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\Text = "\u008fÎ,Àäýq¨\x04\tÒ¦¸ã6qró\x14,È\x12´öÀ}áM" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Settings\Text Color = "Š|ÍÌ>È›(•ÝmX’â~\x0eÁj`\u0090í{¦”" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "g\b¯…:¾\x06:Š2Á]_ÃÎX\x18·ò€\u008d5\x02\x04\x17?«\b" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{65104D73-BA60-4160-A95A-4B4782E7AA62} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4E7BD74F-2B8D-469E-99FF-FD60BB9AAE2D}\Version = "ÖÜ%\x19!E³Î\aŒúÔàë\u008f\u00a02~ÇàX\x1c}\x04\x145Ã\x04" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4D256DB0-6C34-4EC1-9704-02182D6503A6}\CLSID = "uo\x1d†Å´IR'®Í\x13”®¤¢Ìa\x13î϶®%Ôzdü" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "îâåi\x04†÷\x1d¥uTTæ£ìù\x11\x1bh=GŒ”†¦=\x12â" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\39\IEFixedFontName = "”f\x0fkË~r\x1eä7\x1cÿŒÍú<’•Êð\x1f®$Y@HW¬" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSL3.0\Type = "ôªÐ×Ñ\x1e¹Î5#Q‹Á4ú\n\b\x12\x19Kf\x16tÎ\x13´\x13·" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8B4F961F-0B84-4201-BBB1-34E45368F39E}\Version = "ËS!&\x0fƯzÙþŒR|ÃI8ñ.\u00ad\x17\x1c…ç†\x12÷$" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A3BC75A2-1F87-4686-AA43-5347D756017C}\Version = "^V-\tð&Nco]ÂÎ<\x0f±Œ2×-Ë5WïS©Û:" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Show_FullURL = "·âš\x1bj:9•W&<ahƒ%Î\u008d\x14«\u0090¡¡³cŠÆ§[" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\BLOCKMIXEDIMAGES\HelpID = "Á?â\x13)\x1e1¬\vP¹Lò\x02A\x16ÊêæøgÎzZÕ\u009d1A" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SECURE\Text = "8Ã?\x14{Œ÷ŽÇ\x06\u009dX€R\x1dÚÎÂ\x13Òp!~\tã/–[" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\PROXY\HelpID = "o4¨JßìPaE\x05w\x1d¶Í9º¦ÆØˆ¯˜]!î\t”‘" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\FormSuggestAskUser\RegistryRoot = "ö©=Pû;›g\\€…ɬ-é" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\ServicePoweredQSA\RegistryRoot = "x¢j~•S–ÍþÂ2\u0090‘èк@ëˆÁ˜KS€äsa" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8B4F961F-0B84-4201-BBB1-34E45368F39E}\CompatibilityFlags = "ð£'¢f_iJŒT?\x1ak\x17\x11c䧺vËc€Ã=\toG" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\FWLink = "mÀ\x1b,Ÿ£8'\x02ÿ\u009dº±åIØ\x13\u0090Á¯>Z~1+ãÉ\"" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26fe7361-bd5a-4dcb-b309-c6f42dde661c} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26fe7361-bd5a-4dcb-b309-c6f42dde661c}\AppPath = "8æ+O%(Õ1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\Window_Title_CN\Window_Title_CN = "~RU&\x1e‘ü°WD'¾0Iû³áâh\u008fŽ\x01ÞŠÅó%\x0e" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "ê(þ)©L©p\u0090" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "åþo\aÙ·›5|\x1a\x15GÃòx@kâÕŒPõI,Þ\x12Æ\x11" C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 608 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe
PID 608 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe
PID 608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe
PID 608 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe
PID 608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe
PID 608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe
PID 608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe
PID 608 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe
PID 608 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe
PID 608 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 608 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 608 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe
PID 608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe
PID 608 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe
PID 608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe
PID 608 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "M\x0eÞƒ³Ÿ‚χu7\x06j\x06|ÊYŸ”\bË\u00a0wIœRZª" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing\CountryCode = "Y‚\x16¯,‘T¬J&\x16•/˜\"bº5\nsq\x17†\x01ò<æ:" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "\x11Dº[ôWç6Ä\"\x15‡<Ž?ƒÄD%Ю‘Ë)ÏgN®" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "\x04\u0081ûVdÜJÉøú†Àþ-:N\x15X=½Þë%†ª]N\x19" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SettingsPageVisibility = "µ÷4·\x1eãÄ\tÓ¹\x04\x19¿‹Â\x01\u00a0\u009drwêÅ×9ü\x05>\x19" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\ = "ûÀxGì눵£å\x12\x0e´Î¥Êo\fpp“š©\x1b/4]g" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\VeryFun.exe

"C:\Users\Admin\AppData\Local\Temp\VeryFun.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x524 0x51c

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\ie4uinit.exe

"C:\Windows\System32\ie4uinit.exe" -UserConfig

C:\Windows\System32\ie4uinit.exe

C:\Windows\System32\ie4uinit.exe -ClearIconCache

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff79753ae48,0x7ff79753ae58,0x7ff79753ae68

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=2 --install-level=0

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x224,0x248,0x24c,0x78,0x250,0x7ff79753ae48,0x7ff79753ae58,0x7ff79753ae68

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff679325460,0x7ff679325470,0x7ff679325480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --migrate-edgeuwp-taskbar-shortcut

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeaddd46f8,0x7ffeaddd4708,0x7ffeaddd4718

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 104.208.16.94:443 nw-umwatson.events.data.microsoft.com tcp

Files

memory/608-0-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/608-1-0x0000000004450000-0x0000000004451000-memory.dmp

memory/608-2-0x0000000004460000-0x000000000446B000-memory.dmp

memory/464-3-0x0000000000780000-0x000000000091C000-memory.dmp

memory/464-5-0x0000000000780000-0x000000000091C000-memory.dmp

memory/464-7-0x0000000000780000-0x000000000091C000-memory.dmp

memory/464-6-0x0000000000780000-0x000000000091C000-memory.dmp

memory/924-10-0x0000000000F20000-0x0000000001014000-memory.dmp

memory/924-11-0x0000000000F20000-0x0000000001014000-memory.dmp

memory/924-12-0x0000000000F20000-0x0000000001014000-memory.dmp

memory/464-18-0x0000000010000000-0x0000000010013000-memory.dmp

memory/464-17-0x0000000002F40000-0x0000000002F41000-memory.dmp

memory/464-16-0x0000000010000000-0x0000000010013000-memory.dmp

memory/464-15-0x0000000010000000-0x0000000010013000-memory.dmp

memory/464-13-0x0000000010000000-0x0000000010013000-memory.dmp

memory/924-8-0x0000000000F20000-0x0000000001014000-memory.dmp

memory/3992-21-0x0000000001300000-0x000000000140C000-memory.dmp

memory/3992-22-0x0000000001300000-0x000000000140C000-memory.dmp

memory/3992-23-0x0000000001300000-0x000000000140C000-memory.dmp

memory/608-24-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/2188-25-0x0000000000600000-0x000000000070C000-memory.dmp

memory/2188-26-0x0000000000600000-0x000000000070C000-memory.dmp

memory/2188-27-0x0000000000600000-0x000000000070C000-memory.dmp

memory/608-31-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/712-32-0x0000000000F00000-0x000000000100C000-memory.dmp

memory/712-34-0x0000000000F00000-0x000000000100C000-memory.dmp

memory/712-33-0x0000000000F00000-0x000000000100C000-memory.dmp

memory/608-35-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/464-36-0x0000000000780000-0x000000000091C000-memory.dmp

memory/924-37-0x0000000000F20000-0x0000000001014000-memory.dmp

memory/2180-38-0x0000000001020000-0x000000000112C000-memory.dmp

memory/2180-39-0x0000000001020000-0x000000000112C000-memory.dmp

memory/2180-40-0x0000000001020000-0x000000000112C000-memory.dmp

memory/464-41-0x0000000010000000-0x0000000010013000-memory.dmp

memory/608-42-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/924-43-0x0000000000F20000-0x0000000001014000-memory.dmp

memory/608-44-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/608-45-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/608-46-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/608-47-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/608-48-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/608-49-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/608-50-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/608-51-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/608-52-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/608-53-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/608-54-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/608-55-0x00000000004A0000-0x0000000000ADD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RGI99C5.tmp

MD5 dd4f5026aa316d4aec4a9d789e63e67b
SHA1 fe41b70acbcba7aa0b8a606fe82bcfde9a7bf153
SHA256 8d7e6cee70d6035c066b93143461d5f636e144373f5c46bc10a8935d306e0737
SHA512 3f18e86d8d5119df6df0d914ebf43c1a6dadb3fdeff8002940a02d0a3d763e779068a682ee6bafe650b6c371d4be2e51e01759ec5b950eef99db5499e3a6c568

C:\Users\Admin\AppData\Local\Temp\RGI99E9.tmp

MD5 a828b8c496779bdb61fce06ba0d57c39
SHA1 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda
SHA256 c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d
SHA512 effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea

C:\Windows\TEMP\Crashpad\settings.dat

MD5 295c35172675c56d85b3271fc5adbaf7
SHA1 fc8f7052aa2fdfb84e7cb6bf027db403bcb8cdf0
SHA256 f022aa4752d0400339634741871e82f3bb6e1dc719e1ffe9b3987e457c01bdc0
SHA512 15813f64afc1d8f3fb24db561e3b68c8efcdfe45dd0768d53f85b32e72352c0f22240b9f4156dfa8feb88fde664025c75d3fe6594c957aa961fc010496f8548a

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 0aa22364f7b837652afb323504680abd
SHA1 ac806b580a795cbaa32e33131980145bf18282cd
SHA256 48434bf87dd82ecd09ccf48d1a2f6b6e3357cb0c5b37dc1a80a7903ea570d91a
SHA512 ccd50fc8a6a99a74a8a6f0fd33c917e217335c22d621d9689771561d06fe3d6cdc9a67c8c03dc9b7a3d97561d32f7e377604013bf00732be5e90a3ae5a4a53a6

C:\Program Files\Google\Chrome\Application\SetupMetrics\25285606-14a6-48a3-bb51-0a675a3e0f14.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ea98e583ad99df195d29aa066204ab56
SHA1 f89398664af0179641aa0138b337097b617cb2db
SHA256 a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
SHA512 e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

memory/608-118-0x00000000004A0000-0x0000000000ADD000-memory.dmp

memory/548-119-0x0000000002A30000-0x0000000002A31000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-30 19:47

Reported

2024-04-30 19:50

Platform

win11-20240426-en

Max time kernel

19s

Max time network

110s

Command Line

C:\Windows\System32\spoolsv.exe

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "¶zvþÿq·9[™5Ø<j´›]\u0081„m\u00ad¸`Geª‹ó" C:\Windows\SysWOW64\cmd.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "k¹<\u009d\x7f…rì\x16«\bVΣáÎp\x12\x16‹\u00adtx9=\x03ÎB" C:\Windows\SysWOW64\cmd.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "I\tžpv>Ñ\x15°K\vx%¢ƒ\u0081lÀ\x14\x12m$…çý\u008fÅg" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "§•͹\u0090W%`\x142èTo\x12 ÎŒ\x10bT¢ÃS½«M¢ù" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "k»LÒ•ó\x18ÕàAªž6Û\u0090\x7fÚ4il~\u008d…†\\z\aø" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "²µ¶\f/•[ÍHŸ@/k\x1c˜" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "KÕôóß$ßbQÈbƒw‘eμä—\"nÞ\x1b›+‰…†" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "©\x13Íhä¦î¶IÞ‚×Ø.Ÿ\\cC<\x02ð.â\u0090\x03p\t\u008f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "ð\u0081>\x1dø@T÷Výæa/ï“r7œ‡™´]Dð8Ÿ·Í" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "ˆ®)P÷^\x19\x10\bÿR[ø£8¹òsš¥:„Úw4£-ã" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "#ñ‰6¢Ï\x01\x10\n&õzÑù\\\x1fµ)’Ügf\vÆs†\x17É" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "‘fÜ{ã§ûf›\t¶\x02‹€q{Â)w([•\x03&\x1d~¼Å" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "âòWÈ\x18Ý…bý\x0f˜åž\x01oCV\u0081\u00ad‹Ô\x0e©'•ãoÜ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "Š2N#åSs–N\x1bÒ†96œ\x0e\x1d\\\n»ì Ÿ™?ç—(" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "ß#úÍZOúˆt›\u008dÂ.Âý[BÂ\x1bŠ\x05/\r»´YñS" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\FuncName = "\x1fIU\x05Zm\x1f\x18{ü „Hij\x02ï÷Z\u0081ë—¾½?\x1c±:" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$Function = "\x1a\x01¿%\u008f2\x19á‚ÜüRîñÙ©Ò\fÃûñÏê\x02¥\x10¢&" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$Function = "ª¾d°\u00a0¬îà\x1dJ”ñ”,ð°\x15Ÿƒ”_Û\x04ÝÁ\u008fõ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\Dll = "c7Ja{–ñ˜`&`à¤'”ј€»\x02¶¢I^ÆrC@" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "?@‰±\u0081c#sÄ)frL\a\x1eR\u00a0@G^\u008f&rôŒ\\±Ü" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "C\bìæþ\x1eè\u00a0(]<a@\x19y3¯¨5—z¼þ\ttcŒ&" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "¥åƒì/Ô·“\\áÎeE@7ïó€+\\Í\x16d\x185„~9" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "Kx\x19Z\x1eÊð\x1d\u008dÌ\x13Œüž`{æP2hÛ³\x1cöD!nç" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "™\rt\fæÀ-HÿÌ/\x1b\x1e\x17â&[s¨i«ÔNEïo\vI" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4\Dll = "÷t¬q\x18“qôLêU^ˆÍÅgf\x7fç¿\x17õ)¿x®˜¼" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "e›V·ôR¯ž" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "ĆùÚSˆ$geQ†ë™–9OÝS«‰Ã»½èª[òÑ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\FuncName = "ùã\u00adm³\x01Ð9w\x1eàv…f›úË(\x15¼»×\u0081ƒ“\x14‡Ã" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "CVR\f‹“\x04D;?¾ÁÉd\x11œ\x0f{—;" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "…\u0090¬ÎÛÓÿ.¶Ú|PV\n#B\x02\x1a‘ó\"ÐÅöT¬À\u008f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "Ò–\u0081â:\x02kš%,§éן*\x7f´?\x1b‹!ÓP!Db&Ë" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "Ÿˆ»\u00adf“\aGÿ\t#°—µbI87_º\x1dB\x10nn¡ô&" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\Dll = "ù™¯›\x11Fg\x19HS\x02–QJ;SX‰Ë”LËØ@/-BT" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "Qr·jX‚vXlÑ„»\\ÙôJ)¨Þl¥\x132„ï\x0e90" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\FuncName = "\x18Ü($_\a9ÅdOa\x7f/" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\FuncName = "D†YŠ!Ç¡t" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "4Ë\x01ã\x1bx„àí”»øKµŸe¶ƒ•\x16yÂXSãa…N" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{000C10F1-0000-0000-C000-000000000046}\Dll = "Ò¼H½ç-*\x16J œM•bz‚³¼?\u00a0áõPã\x1fï\x182" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "ÃÿXk²>ÎÃ\x15ë\x1dŠcõ\x1aåñ¡œUïîp'Ú[\x1c\x13" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = ">Qh£s5ƒ¼\x11oô(9öÝ$eºoÆ-}ÎêÕýNÕ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$Function = "—oÿ\aä¨]Í“•ˆ\u008fâ\x10Ésž5\x05>\x02Ú%\v3Ù" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = ".mÀú&g&ö\u0090žå<g;´›\x02õ¡\x1e2‚eBY,îÊ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\Dll = "8\f/4+Ø!çáÀ¥¢\u00819\u009dº µ¸Í\u008fàC€€:¬\\" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\Dll = "çH¡¡›O\a\x0ewÎVDÍ\tõÜJÈÉ¥¦ªÉ\x18\x0f8\x1f\v" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\FuncName = "¶\b4+®”n8xUtæ?(pÌdªÝŸ\x03ñ\x03Y\"sÎÈ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "ÖXN¿¡Ý\x17ÊŒöióBE6\x7fôOÓ™\x1eÒk\x1b:õ@é" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\Dll = "8€x¼‰aD\vç'+¿ûó\v»À©:¶ö›w Þˆ(þ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "\x0eJ¬ä·†CûEkÔ´¤\x1aµ\u00ad…ŸÑ¼×ª¹X‚6Æ\x14" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "\x18¨:n³yJÅ?²\tõÖÆæ\u0081±Èç¬íS\x19˜øË&9" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "\x14WM–ÚøZº×ŒU7áëÀ\x02\x18\x02–µÿÇ\x15â\x06é‰?" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "S\x12\x02\u008dÌ z\x0fÇÔÕÍ\u00adâû+O^önÐòz!¦¨ÊÓ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "Ûj̳úAqüL=J(\n\x03\aF¾“«Žœ\x1dTd\x16î_ž" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\FuncName = "‡³Ä_+÷£m…Ù6~\x03‡ææÛÞÌïà}þ\x0f\x1dþ]…" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function = "üJ0ã£\x01—€GIgg¸—j<¦\x7f9\x0f좷¥ËöŠ\x01" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{6078065b-8f22-4b13-bd9b-5b762776f386}\$Function = "Ç´~\x0f¯}(\u009dV+\r\x10¤á³hÆ,¯‘ vt-\x14·Òn" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = ":ºêA\x11È´7Yß\f\x16\x04™H\x0e\x15¾\x05\u008d\n´\x04\bé\x1a)ˆ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\FuncName = "¹Ê32œ-\x17ê½ð\x13\x10Q‚›\x1bnGT2AÊ\x1e¡úz»" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "\x18b3¬\x16ÔW–«»”ЇÈ2=‰ˆØ‡\u00a0ä¢1b" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "dQÃÑÄ.L»A¤\x16ôÁÿ\x02)×\b\bÛLÄ5æp;rF" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\FuncName = "\r‘I.¨wO\x03™vßöѨYj,€{‡ÌD\x06Q\x16)—´" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\Dll = "…~\x1bxº:q\fû´\x1a‚\x03½\x18Á¾Ã-ú_4œ\x15·Ðþ\x0e" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "I\x1aA‰¤Ú\u009dG‘\u008f=\u0081‹§]ÌB7RUúWhRyÏÓP" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "Ýh\x16ü<>ò¯¹o4÷çÝó£\u009dö–'‘\x18\u008f©Aîþí" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\Dll = "%Vˆ\x11ü»ú:Š›\x06Îwì\x11¡\"Óp¹7l`\u0090º¹\x02þ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "\x01î{Ùåû+\u00adOY?|¤¡Ì\x19f\x05æÚœU\x1e5ºàRç" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "»E?'ø[â¥SG2\u009d-K\x1aeú\u0090òüÛ^\x16»¦eDÚ" C:\Windows\SysWOW64\cmd.exe N/A

Modifies AppInit DLL entries

persistence

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ = "[f\x13vHŸéV·=œmÜ\x1cK\u009d˜‘³ÁR´ÃU¯çÓ”" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ComponentID = "@¯}siÈò=Oh\u00a0\\¸÷|<¶:Šâ˜šÌôŲy\u008f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Locale = "3‰ç:\x05§gçu .°ðÿÞßÌž«áDùÀ¸ÞóuQ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ = ")XúÊ@ô‡\ve½è|¢°\u008fÂ+A\u009dqG+Å\u008d¬õ¢'" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ComponentID = "\x16Lá'Ç%2ï>Un&Ü\fnT~ÓÍÀ‘é9¦\x1añlœ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\Version = "…ô8¸4‘+\x1a b0»E˜y\x12\x1f\rñÑ\x06ê„×t" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "\x19þjýJjÇ\añš\fÂŽà4\n~Nx#ü¤Sz”˜0^" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\KeyFileName = "2iWµŽ\x19Ñ: iÿ@?’@]ï¡—Ö#+\aHjœ0\a" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ = "&ø²ø]\u00a08ùŒˆmMè\u009d‡oŽ\x1d€³Ä¸Ä·3=ÔÎ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ComponentID = "¨\u0090ùÇ\\“§\vºØŽàPÏP@\x17e»\n\u0090\u00ad§; \x1f¿l" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath = "Bv9`rZ&†\u009d_r" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "0j˜ª)‚s±`Ô:èRø(\x10}ÓvrÐEU\x14»Eì¾" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "R9q%#Ä’O\x13" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\LocalizedName = "ñ‹Ž\x1bÙU’3±p»‡\u00817\fDg…‘ù\u008f¡:Åœ\x05ʨ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\StubPath = "\x7f\u00a0a\rfÒ²ôïý(\x0eþ\x0ft\x03E\bJ\x16¢)†\u009dòUd§" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\Version = "\a<ý¶êk6£ôʨ*\\\x11êá\x106\x02%Ñ'éPмv?" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ComponentID = "ë}¸*µ>=ˆió\x1a.¹Z1·®ç\x16+'û^’1¦\fõ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Version = "ñ¨bK\x1cH‰R\x17y:ÕÆ\bäÍ£3ÃØ!äh°¦–‹»" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Version = "\f3›\u0081ckªF\x19€\x03\x17%¢ËÙS‰Ó¼\x1cnÚù‚îî×" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ComponentID = "\x1b\u008f`Á~ŒÌÇì¢,=@|\\Dd½·\x03\x10Å©ýúÃ\n¸" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ = "\x0e¿[!vójÀP4ÔßΆÃ\x7f\x1av$\\úå$÷é|\u00adË" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\StubPath = "-\x18ÖǤ]" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\ = "\x13¥þê\x1bg‰\x01PWÍŽ\u00a0‘\x1bºâîèÞuªÁ-©¡‘ÿ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ComponentID = "†\u0090êÄ\u008f“T4\x1dÒÀ+¥¬\vt¯wždDVÁÑxÔô³" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\Version = "\r\x7f\x1d\x13¨µosn99áq§û‡Ç\u00a0óã\x06íqÂH\u00ad}\u00a0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ComponentID = "\x1a°ÍÙIŽ\fzQ\u008fJî’;2\x1aìØ`m#É>6D{®." C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Version = "FJr\x1cÝ\u0090¸Ü»aØÑ\x1eå\t¼J¥àS:V—\x1e\bz\x19\x0f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ = "zñºVò86¬9g\x0f5ÿÕÍ1X§ìA9¶6Å«\x7f[H" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "¡æud4ßS4eÌ\x01^\nMDOQ¥\x17b\f{Q¾Q°Pá" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version = "!ɆOÉ‚LS7¢î%!³d\x16Tïw\x1cÃg4¬°lúw" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "\x1c¹û~#NÓb~oÒn¾1™èÌ&„0\x1c_\x03H\x19\x18+œ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\LocalizedName = "‰ùñBà\t;YÐTø\x03q\x12u¼Õ?M\x142˜G®fòa\u00ad" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\ = "Tàënsó±®8G‡¡)‹\u00a0Þˆ\u0090ù6÷’õ0mœlÈ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Version = "‘EÕ\x0ep…·NGä€Yĵ“\x1e]}\x05$\\bb\u0090Ùäh\x11" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "\x16¶2Ð46ÍÐ\bëÏų²©[0.¼U¹\x0f”;Žÿò)" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\ComponentID = "¿Kþ\u009d¥æ[W4\u00a0X1÷û—Ú|Mæ,\x04rjeÅØ•¿" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\Locale = "à/ÃÑËîó‰üNay,ß\t‹É_¶!^Hᢎ’Tk" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "\t•Õ\x19º\u00ad³0n¿È#†Ø/ð<Õr«ŽŒ ‘ñ¡Gµ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\Version = "@Ã\x10®ÙLìE\u0081Ë m®\b©‡}½" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Locale = "ò#ýò\x03•…\x125áåi\vªTŹù2þN#gu¤.K«" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = ">\bvFŒ[\x06Kþn›¬\x10\x1cÚ\x15\"Ÿp“\aüÉ?·=\u0090x" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\Version = "TbyrL\"jùÏ&æ½éàç\x01\x02M\x17æ>#D^\x15Ì1Í" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "æs\x05„%ü{5:,\x1aç\bSûg¨¤½ì“Õs(ÎH\x1b0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "\tJž`\";a&\x11\aµ2õÿ>Ó\að<\x1e…À€z\x11ˆ,\x7f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "÷oo+°=––á'NòÛƒ\x1cNk|°\u009dB˜ò`ï7}¸" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ = "š\x02t?ýƒp8o\x04qÇd-‘ð™\x18á\x7f\x0eLK\x17\u00ad\x13»¬" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\ = "¯‹§MÍ\x1cÙ\x0fË5ÀÐ\x19½\x17Úð€±uþñ\"„C5\x13c" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "Y´•\x05QA¢\rœù\u00a0“\x13Û+ºYÅK\u0090Ñ" C:\Windows\SysWOW64\cmd.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0\FilterFullPath = "«(«’ÿZµ£´\x14haQ.\r\x0f]\b,õ¡a}\u008dYöcÏ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2\FilterFullPath = "™\vðm6'ºÛº£‚çA®]Uä\x11ªõû\u008f‰Ëè5\x15\\" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0\AppExecutionAliasRedirectPackages = "ÝÒh¡p!)\tÕT>›Ã=‡\x11pǃ%Bcö\x01x@ì1" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1\AppExecutionAliasRedirectPackages = "þ¶äw¨=\u008flölËh‰\bʬÛv¹d\x176šð%7Ü\x19" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1\FilterFullPath = "‚v\x18¡\u0090B¢(¢\u009dg\u00901ì_ñH?üEWi*Ç\x0e\x15ç" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2\AppExecutionAliasRedirectPackages = "¢L+¹”™\n3\x1e\x14‹Yª0-(X—¡è\u0090\x1a˜ê¡_H\x14" C:\Windows\SysWOW64\cmd.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\Geo\Nation = "j‡m¢On\x19c[\x0fd\x13ø&g9\u0081\u0090¥\x1f\nK\x1cΞ£ÍÖ" C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "ÈŽ&w8Ro\r¦N*\x0f\u0090È’zœ\u00a0\\\u00a0R[\x0fS;%;h" C:\Windows\SysWOW64\cmd.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "j¥œÉ—\x11oßÇ–Õ\x10u\u008dÖ×\x11ÂÃpðt\x150XÀAë" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "<Jå\u009d3${!\f\r·Û(A¥œŠ\x10çv\x04\x0e$txN†\x06" C:\Windows\SysWOW64\cmd.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ProcessGroupPolicy = "aç’8Ù”¡Š2JˆLÆ@KÃÒa ”\x16ç*ÐéÍy_" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\PreCreateKnownFolders = "œ\x19ǰIpse\x10RŽ«\x1dþ\x10Ý:¿›ç¤2m\u008f\x1b€Ù·" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ProcessGroupPolicy = "/We»\x1b†\x04¾¤9îÿ¡\\XÓ‘\x1c—³\x1e\x1eá¨V\u0081\x03\x06" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\ = "1µuiE%”\x03'ôé\x17\nÂÈ1È\x05u\x1e€(hÚZ,\b‘" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ = "\u00ad.ürj*lçÕ\u008d\x0f_€Ã0RBt\x1dó²\bØ\x030†òë" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DllName = "[\x1bKk¬À\rš\x19œs\x19\u009d™EJöØ-$ÃCpÓ}\x04\x18\a" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ExtensionEventSource = "sgÓ‰ãVÿS0yù[\u00a0\x01Ã'ÔÒh”°`Ê\x02\x06Â\a1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DllName = "•ú\u00901BS£Œ—dŽóM‚”¾" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ProcessGroupPolicy = "µO\x18ûGXÅÁ1 %¶³¢·ÿ\tü\\D*…\x11ÒÁ‹ˆW" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\ = "ó\x0f|ÍD\u008dwža1Rõ\x1b„0ÎçQ\x1fôl<\x16T·!{ƒ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\DllName = "\x05€þE庆Ë}7\x05”søAÛ\x15Ä\x02u¥¯“ŽT\x7fLK" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ProcessGroupPolicy = "þÍÊo¾‰÷INµšh$\açÆäSe¸™×kG`¶]ž" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\DllName = "ÿ2\x7fª\x1ad”JZk" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\ = "#q\x13—vîVE¢$˜†P¤oVöxÚ›,@®\x12Ù" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\DisplayName = "\bÝeõ±+xÉ\ro\rù^\x15\x17ámkÄú\x1dsÄ ‰SdÌ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\GenerateGroupPolicy = "·³œB‚\x19\x14—\a¬¯B\x17'\x19ÛÆÉÄ\x1adƒï‰‘¯ S" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\DllName = "iFÐ\x17\x1f¯4áÕzÞm`\u0081øn^¨ZÊÒq¯\x0f\x15!ž¶" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\DisplayName = "\v\fˆo‰í[w¾ùÖÑ‘\x1f³\x1d\u008dåw¼}~\x02áHËü¥" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\DllName = "ª…o•fè\u008f\x1a%\\\u008d7œgI&”a¹\x02L~èÍ\u008dv>Ø" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ = "\x18^\"q,ínk§Çä€\u00a0¢º¶\x1fÈâ(\x11ëâXgƒ“Ì" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\GenerateGroupPolicy = "Mê‹÷4Z\x10ߟ€0\x143\x11ª£Œ‹Ï.x¼Rå£B¸_" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\ = "&\x12I?DM±\x05òe6\x0f\x19\x11)¤mŠ÷?¼´O||0'%" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\DllName = "\fÉÄáÚ\x05(\x17èÅsŠO–×¾\x0fç–œº¼w\x06\x06 %ª" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\GenerateGroupPolicy = "„\x03Æ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ = "\x131‘ḭ’¿Çìóµ-@ê\n\u00a0þ‰ÇÅ’Å\u009dífþà" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions C:\Windows\SysWOW64\cmd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\EventSources = 5800ba00dc02010001005900bf009d00eb007800a30006002800770038007000ff001300fa001000d900142008003a00d200d8001a00420000000000 C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ = "½ƒ¨áã¦\x11xhj±ûvØÿ\x14ZÐ\x1dq\x05¦S•\x0e(W\x1b" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ProcessGroupPolicy = "›]Íìbã9Ün¤+xEûžóå\b̯4®‡É1ù\\Ö" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName = "7“‚ät\n³Q\x0f\x03é(\x1bä¯ê\u008dý\x0f¯Ë¶h0šQzv" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{2A8FDC61-2347-4C87-92F6-B05EB91A201A} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\ProcessGroupPolicy = "\x05º0²\x14oØ¢\x0f¤®J‹qˆ¨q%þì0¹Ú0ؼ\x18õ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\DisplayName = ";`7šîëý;ˆ¨‰I•-WÕ\rbô³Ù\x06ïŠ\x16Ÿ-·" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\ProcessGroupPolicy = "q¤ðÇ^\u009d˜€ÌÄ\u009dZ\x17¶ÂÇ\f\x0eq'}@Ÿ.—p/B" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ = "\nöÐ@Øä®ƒÃãpŠ\x03ƒè\x19\\]W†\x06sÍ£Q¨p¤" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\DllName = "\x10ãtÝ.˜Ú_¸È^NXzÆúO\x1c\vÅö\u00a0à€¯:†]" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DisplayName = "T¹\x1fO\u00a0\x044 Ù'\x1bL§.i4V;øF\rú²!ÿÕ$2" C:\Windows\SysWOW64\cmd.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\WallPaper = "y=ž(Û¾Ú›ÖŒLλíþ+Ï0/ÍKáÚÐTøŠ;" C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4684 set thread context of 3596 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 set thread context of 3744 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 set thread context of 1156 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 set thread context of 1952 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 set thread context of 3340 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\System.ini C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\StickyKeys C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\RightOverlapChars = "äKš\f¾ÙrîKj0Üó\u008d0½»à½‹“)J¿hô}\"" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\WheelScrollLines = "\u00a0œ¯hð7š$ÅIâÛ`N3›\x7f¢Rÿ,z܈q‹6ý" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Colors\InfoWindow = "Ž\x1e?Qz:\\Í„¦™\x06\x16òöѾœñ*ôloòxÙ\x17{" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\sCurrency = "åsïA’–”Û!Y÷¶A€C|üèù\x1aHº~kŒÆfÎ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Mouse\DoubleClickWidth = "ƒ…餅\x11×7âµ\x17\x17èÖh\u00a0’Ô‹e=å!\vh•\x14\x1e" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\PowerCfg\PowerPolicies\1 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\Keyboard Response\AutoRepeatRate = "7\u0090¶\x1ev‡ÏSÖ\x12z63îQ¤4)o³\nô+´Ž«¨!" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Appearance\Current = "àïÜ\x0e3\"žf\njÞÁ\u00905A\b\x01ŽIì±c\x1eØ·xMü" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\PowerCfg\PowerPolicies\4 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Colors\ActiveBorder = "“Úÿ]^\u009dB\bN®Ü\x05~z™[í|ËGàóýg+\x1cêŸ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Input Method\Show Status = "¾|<)IOdM\\\x03DKfÔ`pp\u00ad÷¼¦DÎpËÌØ\x1a" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\sMonDecimalSep = "ÏÏ\u00a0VõÕ¾é|\x18’\x1d¡\u0081W\x1d@턜Je\x1ba¡ë€Š" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Colors\InfoText = "}©£)Ë\x1b\v¦ý€Î\x06áLô\x13Cï\x01+Ì" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\WindowMetrics\MenuHeight = "Ñ‘ÂA0zM–Æ}yîs\x01„\u00a0;Ùâ\nûƒ»…×ç_Ö" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\WindowMetrics\ScrollHeight = "(Ê’KÛséR÷®_qÎ6€a°\roâïFÐ*Ú\x19\x060" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\PowerCfg C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\TimeOut\Flags = "\u009d·7âÖЫèiÂE½aÃ9Qà@\x02ÛÃí–>;\u008dð" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\DragWidth = "Q\u009d+î\u0081ã\x14Äo‚b\x18qiˆ0•I7èúØ4¾:UX›" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\iMeasure = "V…¼GK\x0e\x03ã\u0090\x1ež\x18HíEÐ\x05uÐh\x7fŸ{\u00a0V¿\x19—" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\PowerCfg\PowerPolicies\2\Name = "ŽŠº\x15\x1a\x1f}P\tÿ9+R:\x12(7\aZ-êp‘àðSñÎ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\Blind Access\On = "qi´íˆ\x1bIì\x1f‹oÕËL\u008f\x12\n\x19ÿ“×AºçeM…¥" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\CursorBlinkRate = "¾ÄÀR›L[)/âY¯ÒiždCøY/\x14ºj¼0¯\x01" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\sList = "U\x7f$µõ£]š5Á\x06¼\x05Ô\x1fàÝÀþ®ËnzW¥O˜é" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Colors\ActiveTitle = "@EØÏ±GÖ1¡ÇµAµÎ¸¯" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Mouse\MouseHoverHeight = "_Ž÷á¦H\x15%Þ:³¡º˜I.î\x1c‚þ·ºå–^ë?S" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Mouse\MouseSensitivity = "¶$—\x05gsÝiØÃ\u0081\fu¹fRš4(\"5ê—ׂ…;¼" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\MouseKeys\MaximumSpeed = "r#ж;Èqž/\\î°Ü¼ÜÛ\x13tÍý[ìŒj\x1d%°À" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\SlateLaunch\ATapp = "<‚ƒŠ»hA=\x01^\x01\u00a0/ÍÔ9YrZ»`_3\x05ûôíã" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\PowerCfg\PowerPolicies\4\Description = "Íw|1(\x14¸\aÙP`êl’šê‚»’\u009d\u00adlÍ\x1b\fKÃÁ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\Keyboard Preference C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\Keyboard Response C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Colors\Menu = "cãóØ«\x189ÀW\x1eþ\u0081““Î\x01.\x1cêëýÍ\x04¦„MÍë" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Cursors\UpArrow = "° \x06™\x19\x14‚›—OŸÔТT_ñ\vIµy¶\fôûrv1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\sGrouping = "¦(Çÿ\v\x062~\nÒ·¨öÙ•›‚{Þâ³n\u009dQ:T%ë" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\sLanguage = "rÅWf[H\x1cÈ\x11Ka\x1bF\x1fè\\«ètKŽ<xCÙ\x0f+\x18" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\sShortTime = "\x1a…sï\x10Sg8óæy¼J.ÕÝÛ\x1f›„c{þ\fñƒþÎ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\iTime = "\x016È]\x12\x0e)¿2‘\x7f>*€–¨—\x05\x03)0M[†…ÕSÖ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\PowerCfg\PowerPolicies\3 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Colors\GrayText = "\b\n»Ž\bžON\u0090yNÂ4¦Z7l¶\x10g¤\x12õ&¤kŠ\u00ad" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\MouseKeys C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\MuiCached C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\MouseKeys\TimeToMaximumSpeed = "Ð\u0090µÃº¨\x19•ÌnMˆˆ„îÍRfYÆtͳ͚\"3Å" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\DockMoving = "A\x16£¡Ý\x06¶¦\anä`Z£\x12ò}oKã±Þ„Õ\u00a0UUt" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\WindowMetrics\SmCaptionHeight = "*v\u00ad4\x063xé<Ü^üÂ)H¾Ûb\x10½6]\n„\x1e·l„" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\iTimePrefix = "ÖBx– ÂàÞ1‚©É\bãIïBÁ_\ræÞ†[›Ù\u008dù" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Sound\ExtendedSounds = "v«»\x1b—£ôu\x1c¾¾\x1apâ\x19\x17÷C–·Ðææè.ª\x05\x0e" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\SoundSentry\Flags = "\"aX\x06£\f\x1cÀ£.¢\"üzÑ´÷Wrò•\x06£Ç\r⸠" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\TimeOut C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Colors\Hilight = "ˆ³¤{°õò\x15\x03Û\u0090#â'8ZÌôG×e¿\x1f£è\x11úb" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Colors C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\WindowMetrics\ScrollWidth = "¥T\b'Æ2½Òä² `î\u00a0˜àlRö\aë\fdú\x18âS," C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\sYearMonth = "\n¼Îz\x1cê*Q{Š}naøÆv«\x11\u0090XDw;š€+•ý" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\iDigits = "\u0081ƒÊ\u00a0È,/ä±\u00a0Ú¸ØÉìЃÁ AÙÊãk\t\x02R\x16" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\Blind Access C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value = "pâÌ\x16:I¥ÌGk}q<#ùD²¡@Þ2f\a\r\bFÆ\x02" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Colors\GradientInactiveTitle = ".¦É$.LdÉp\x14ë(÷Šñ[n\tée4}WS åßJ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Mouse\ExtendedSounds = "ó§8/¿,«*¬ôžjñO³…ا71ö\x02ra\x7f'nÖ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Mouse\MouseTrails = "úâH@_AÔ\t¯Þâ\x14ø¨:û‘h¸ý{Në# ü‘Ä" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Cursors\No = "‡TƒD†oK”(Ú\x17K\x14®»\x17RK¿" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\Geo\Name = "[ÙÄ”ä\x1d.oN’5\u00a0·m\x18q¯éN%Ìâ\x17;¡\u009d\x15`" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\Keyboard Response\DelayBeforeAcceptance = "ü\x18\aæXÆ;@1Ò\u009d)ÿs¿\bm·\x1dô$>\x16÷mì¶\u0090" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Colors\HilightText = "[L\x7f\u00a0\x18¹ÉÃ9†dpN£\x1e?ƒS\u008d÷4\x04N£õ\u00a0[Î" C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\HOVER C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}\BlockType = "\x05,5mÑ\u00adñœK\vdcŒgzc\x11\x17ë\x10\n-sáÆó\b†" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F41E8255-3897-4cf4-AEC7-4F85171A0B3C} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{57F02779-3D88-4958-8AD3-83C12D86ADC7}\Version = "ºåùái½Y¼ë@Ö\x01!\x15ÓçÈp¿cø/ÇDË\x14R·" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ToolTip = "\u0090›\x19H\x1e\u008f\x10\n\x19³\x19§´É5…ídv„Åš(\x19ËWNž" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08f24d68-9087-4b24-81ad-7b34af3e3ed5}\AppPath = "ß÷ Ö¼ááTݽËz\x13‰-\"ú¾ëåL’Œö©ð[›" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\JIT C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\ThirdPartyCookies\WindowClassesToNotify = "ê-¿¹LS\x11鞎ÂMú\x1aU·Dµ5Ñs1\x18œ\x1b‡hÈ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{000D51DD-18E2-4D85-919A-10E3746C3F1C}\Version = "Ÿ¼nÒ$\"\x1eÈŒ\x12é‰Ê0d\x0e€—¨\x06m\x18?\x0e\x06ö\x14†" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{57F02779-3D88-4958-8AD3-83C12D86ADC7} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS\USESWRENDER C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}\Version = "‰£š(t\x14|sJd)?™\x10—íw»rî?.ƒÖ6\x18n›" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Suggested Sites C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\AlternateCLSID = "VïÁ¹\x13s…¡…\x1c\x02½iL#²å¿v\x01Ã}š\x18Hšaí" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\Type = "\x10LQ¾æ¿ƒæ\u00ad`¼\bA©\x0fQ$LÛ\n8S{~d\u009d½ö" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{7778AA60-698A-41D9-9BF0-7AB41045AA7F}\BlockType = "V\x7f)M\aP$åsçÒù†–K¾r’3Pð!NIÉ×Èy" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\MenuText = "ǧÆñ\u00a0|¢\u008d\x1c\u009d¶]Ú5¼\x1e/vcõ·fÿ\x15\"˜o“" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "ÛÜ\v\u00ad\x05¼éûEL;EŒ²p\x17•\x11>R\\òËŠ÷\a}\r" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A411D7F4-8D11-43EF-BDE4-AA921666388A}\Version = "º}\x03Ò¾x¢ÁÖS±5°ÑÌn\x14î+Å7ä„L\x15ožÑ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\DllName = "\u008dÆ¡M9\x1b¡eë+<=˜Þ%\x036\u00a0Â…\\Q(\bÜR×ä" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MkEnabled = "ŽÇ\u00a0ÐÊÍŽ¿¥\x1cg.÷QŸè¤8a\x12þ6\"\x15\x16>æ\x12" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CHECK_SIG\RegPath = "Æ\x15ã<´E\x1dÅ4Ý2ªb\tØlT\x13Ø:õ™E‚=Ê`[" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\NEGOTIATE\RegPoliciesPath = "ÂCEóÙ)\x0eû!TËÛ7À$\x1eƒub\u009d\x1d[p\x1a\x02½çŒ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\RUN_INV_SIG\ValueName = "B\u008f3-ûi\u009dWÌ\bž\x1fÌû…€Hò\x05R¤ê©·„–^é" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A411D7F4-8D11-43EF-BDE4-AA921666388A}\CompatibilityFlags = ">\u008fjÜ\"ãyäþ\x03+\x1cÚÄãw#\x1cÏB0A¸Â\x0f÷(\n" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B8E73359-3422-4384-8D27-4EA1B4C01232}\AlternateCLSID = "¶ÔP³)ú\x12V¬¤?â\x12È\x01{x,4-\v\u00a0Á1(°„¦" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_INTRANET C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{70f641fd-9ffc-4d5b-a4dc-962af4ed7999}\AppPath = "FP\v\"ì}WœëùÑX\u009duaKæ‚V]=B«]¨¿ÚH" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{619C4601-855D-4004-819D-62EF5AC5FE50}\Version = "ÇÕ@K¾Á'¡t£.\x05\x1aNf9“Mÿ‹\x0eRV‡#¨‚¦" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{AF949550-9094-4807-95EC-D1C317803333}\FWLink = "\x0eÄ3¤·q6Ðû”æ>\x14|`Ý\x17\x17‡ÂÇ¥m‰øéƒÄ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}\CompatibilityFlags = "&p涯\u008f\x11Z" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSLREV\RegPoliciesPath = "5@®—hêºáôa§>ø,ÞÍYÊû§¦{+ÏØEGA" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\XMLHTTP\Type C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8_URL\PlugUIText = "k\u00a0\t\u008dW\vó\x01!þxJÚõ\u008f™ÇÂ\x14oxDJÀ—æ\u008dà" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{258C9770-1713-4021-8D7E-1F184A2BD754}\Version = ".š}›K\x1bÄ•ˆ\x11:,”úB$\x188\rÈ\x12\u00adšì7¡mN" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}\CompatibilityFlags = "…د½èQ\vxÀÛQsK\aýý;¶\x02\u009d/X¡Z3‹—Z" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash = "\b\x12±á/²1œ1ÔÔÇ™\u0081ÞlnìL\u009dTšæt×û$ü" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\International\Scripts\22\IEPropFontName = "¡UL3‚\x12¿†àL¸„\x1b\x13\fÝ\x1b\x1f“ä0ãë$¡\x15oŒ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\PlugUIText = "{!\x0f—˜_\x0f¤ž\x15hg¸†¡ØBÂx|œ³&\x16\"k/b" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\PrivacyAdvanced C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\StartPage C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{57F02779-3D88-4958-8AD3-83C12D86ADC7}\DllName = "ô°ì€&Uãsü\fËt\u008f<+r+6RzѺ\x1c-\f–D\x16" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Document Windows\Maximized = "{|ÈäÄ\x19dëløEK×¶%êù=\x04\x03xxù\a?\x19X3" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV\Text = "9ÍìC\x11ðMÌ\tœ¨í\x06ÌÄsç˜8™\x1a.<×è^ŒÂ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{09AF76DD-6988-4664-97D0-362F1011E311}\CompatibilityFlags = "\ag\x1d\rf\x18dþ^" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{3EB9C349-7473-48AC-A59B-42F31751974B}\BlockType = "\x17\x1c'-\x03]abèo\n\x7f\x7fsò@kèÆ4ÙÍDb\x0e.DŽ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{92085AD4-F48A-450D-BD93-B28CC7DF67CE} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{F5BEA1B9-FEF6-4093-846D-753C42A1B00A}\DllName = "äR\x15é\x05\x1e7 âGÓ$ø{„@)v×?ýÞ?\"eAªý" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8DCB7100-DF86-4384-8842-8FA844297B3F}\BlockType = "kWMP\x01>§¶ƒoø¶W'Ü^þ!…Ëj{^½^\x12¶\b" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppName = "C\x14\u0081v\x10wÜ\v™\u008dÐx\x03Ág’¸”è§Žé’\a¹†È\x12" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\Show_URLinStatusBar = "~\u0090\u0081†£]¹\x0f\u0081B\x16Þ=zølÄ\x17\x1c¦aiÛ\x03l3â\x13" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\AUTOAPPEND\UncheckedValue = "‘}“\x7fCè;ç\x15ø\x01\u00905{¨3k{çV:±å_‰%\x14'" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NOTIFYNOTDEFAULTBROWSER\PlugUIText = "=$µo\x0e*,d˜\u00adg\x11ïoõtô?M\x7fµU¨m›Ñ\x03S" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER\CheckedValue = "Û™-òØÊy&`eÓ\b¬m\x14º¦S‹`áÚâ÷É\u008dB¨" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{01E198E3-24FF-4602-9944-65E7B323296D}\FWLink = "\u0090:Éç\u008d Ó™SK,Ìz\x17Ÿª\x1dõ\aqŸJ“x´Sår" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\URLSearchHooks C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{77BF5300-1474-4EC7-9980-D32B190E9B07}\FWLink = "@…\x1dðnL51Ì&:žÅ4;‡NóHBÙ8\x1fñà/\x03:" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "2@É4‹uñ\u00a0’»\x05¥pÀ\ay\f\u008f¾v\x13–8—%¶šr" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\NavigationCanceled = "Duœy\x14æ˜Þ\u00a0n*ô\x18Ó𣵳ä\x17\x17\x06ˆ\x03\x16Yž\r" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\BLOCKMIXEDIMAGES\Type = "®ö\x06¢¹ß®´FEA„\x03µ…dØ›aŽÉTS/8œÖ”" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\RUN_INV_SIG\PlugUIText = "¾G2®ó5vÖÔ\u009d\x1e\rç*\aðe9.³¢\x01m\u008fß521" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2\Text = "4£B\x14ÜÇ!b•\x1aò;yý#Y\x12úz;½ÈæJAÛ\x1cô" C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "˜©\u00ad>Ç]¾¹ïTÓ:Óo…¹`\u0090\x1bñòø\x14ká[“‰" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "ãÓz×\x059}ôëp5åà-¹HV\n5\u0090\x7f½! –õލ" C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4684 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\Explorer.EXE
PID 4684 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\VeryFun.exe C:\Windows\System32\spoolsv.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing\CountryCode = "—º\u009dÀ…ÇyCûX©tøS\x1f„Ùg\u00a0˶·\n`ìôG0" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ÍÞÓª\u009d©4yÀ\nn\x16òt°dçDG‘vǹ@ÅM¹H" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "ÄÀ²\x18\x17KŒQ°I^*³a\x12BÏ¡ÁÃ\x0f\x15#Vz\x16ô[" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\ = "–\x10Åt\x1a¼\x19;°\x10Z\x1dÔ\nˆq)U'Æ×\\‰¶L\x7f\"&" C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\VeryFun.exe

"C:\Users\Admin\AppData\Local\Temp\VeryFun.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004B8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\ie4uinit.exe

"C:\Windows\System32\ie4uinit.exe" -UserConfig

C:\Windows\System32\ie4uinit.exe

C:\Windows\System32\ie4uinit.exe -ClearIconCache

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7cea5ae48,0x7ff7cea5ae58,0x7ff7cea5ae68

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=2 --install-level=0

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7cea5ae48,0x7ff7cea5ae58,0x7ff7cea5ae68

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x248,0x24c,0x250,0x21c,0x254,0x7ff6dc9eeb10,0x7ff6dc9eeb20,0x7ff6dc9eeb30

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --migrate-edgeuwp-taskbar-shortcut

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb94e23cb8,0x7ffb94e23cc8,0x7ffb94e23cd8

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp

Files

memory/4684-0-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/4684-1-0x0000000003D70000-0x0000000003D7B000-memory.dmp

memory/3596-3-0x0000000000E00000-0x0000000000F9C000-memory.dmp

memory/3596-4-0x0000000000E00000-0x0000000000F9C000-memory.dmp

memory/3596-5-0x0000000000E00000-0x0000000000F9C000-memory.dmp

memory/3596-6-0x0000000000E00000-0x0000000000F9C000-memory.dmp

memory/3744-11-0x0000000000700000-0x00000000007F4000-memory.dmp

memory/3744-13-0x0000000000700000-0x00000000007F4000-memory.dmp

memory/3744-12-0x0000000000700000-0x00000000007F4000-memory.dmp

memory/3596-19-0x0000000010000000-0x0000000010013000-memory.dmp

memory/3596-18-0x0000000001C10000-0x0000000001C11000-memory.dmp

memory/3596-17-0x0000000010000000-0x0000000010013000-memory.dmp

memory/3596-16-0x0000000010000000-0x0000000010013000-memory.dmp

memory/3596-14-0x0000000010000000-0x0000000010013000-memory.dmp

memory/3744-7-0x0000000000700000-0x00000000007F4000-memory.dmp

memory/1156-20-0x0000000001100000-0x000000000120C000-memory.dmp

memory/1156-21-0x0000000001100000-0x000000000120C000-memory.dmp

memory/1156-22-0x0000000001100000-0x000000000120C000-memory.dmp

memory/4684-23-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/1952-24-0x0000000000960000-0x0000000000A6C000-memory.dmp

memory/1952-25-0x0000000000960000-0x0000000000A6C000-memory.dmp

memory/1952-26-0x0000000000960000-0x0000000000A6C000-memory.dmp

memory/4684-27-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/3340-28-0x0000000001310000-0x000000000141C000-memory.dmp

memory/3340-29-0x0000000001310000-0x000000000141C000-memory.dmp

memory/3340-30-0x0000000001310000-0x000000000141C000-memory.dmp

memory/3596-32-0x0000000000E00000-0x0000000000F9C000-memory.dmp

memory/4684-31-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/3744-36-0x0000000000700000-0x00000000007F4000-memory.dmp

memory/3744-37-0x0000000000700000-0x00000000007F4000-memory.dmp

memory/3596-38-0x0000000010000000-0x0000000010013000-memory.dmp

memory/1300-39-0x0000000001380000-0x000000000148C000-memory.dmp

memory/1300-41-0x0000000001380000-0x000000000148C000-memory.dmp

memory/1300-40-0x0000000001380000-0x000000000148C000-memory.dmp

memory/4684-42-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/3300-43-0x0000000000E00000-0x0000000000E10000-memory.dmp

memory/4684-44-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/4684-45-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/3300-46-0x0000000000E00000-0x0000000000E10000-memory.dmp

memory/4684-47-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/3300-48-0x0000000000E00000-0x0000000000E10000-memory.dmp

memory/4684-49-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/3300-50-0x0000000000E00000-0x0000000000E10000-memory.dmp

memory/3300-51-0x0000000000E00000-0x0000000000E10000-memory.dmp

memory/3300-52-0x0000000000E00000-0x0000000000E10000-memory.dmp

memory/4684-53-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/3300-54-0x0000000000E00000-0x0000000000E10000-memory.dmp

memory/4684-55-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/3300-56-0x0000000000E00000-0x0000000000E10000-memory.dmp

memory/4684-57-0x00000000004F0000-0x0000000000B2D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RGIEB17.tmp

MD5 dd4f5026aa316d4aec4a9d789e63e67b
SHA1 fe41b70acbcba7aa0b8a606fe82bcfde9a7bf153
SHA256 8d7e6cee70d6035c066b93143461d5f636e144373f5c46bc10a8935d306e0737
SHA512 3f18e86d8d5119df6df0d914ebf43c1a6dadb3fdeff8002940a02d0a3d763e779068a682ee6bafe650b6c371d4be2e51e01759ec5b950eef99db5499e3a6c568

C:\Users\Admin\AppData\Local\Temp\RGIEB3A.tmp

MD5 a828b8c496779bdb61fce06ba0d57c39
SHA1 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda
SHA256 c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d
SHA512 effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 802a45170dfcd6f48c575c93902456cf
SHA1 b6d26ccbb32aee5c17f57103f7244fa1a4ad9111
SHA256 1b3172603138de664da041c2f3f4ee93b22e69155f66c8dd3b9eef1e1aa4b47a
SHA512 2968928dc36df6766acb7b26867682641fc51bd3a6f2a66d46e39d6c30fa5a20b32d870874c41fc6cf46a5210d55bcdc0dcf0a1db337fe00934ce06d0a453e93

C:\Windows\TEMP\Crashpad\settings.dat

MD5 f253896b9ddf47a15eb8932fdf7caf07
SHA1 1b52ed22b1d9a9838ae183eb982d7a4bfb8a1304
SHA256 046f7d44ec9ff7bd53a01226b5bb0425cd14ac6654028b1afebda035409082a2
SHA512 eb2e4bdebaa30d56de2ab5dd4eb21a4ba21b9047ccffc9455b5df3394b8cf7d661be2c1aede918a86225af961d05d8296a17832b06db48f410f73ba9fe696c3f

C:\Program Files\Google\Chrome\Application\SetupMetrics\27d6e799-a7fd-4369-847a-03995b7f42c2.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 704d4cabea796e63d81497ab24b05379
SHA1 b4d01216a6985559bd4b6d193ed1ec0f93b15ff8
SHA256 3db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26
SHA512 0f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\199606c1-1d0d-491f-9131-74bc9d165d48.dmp

MD5 d98c0c75c630599b6ccb3e6466ea0119
SHA1 22bdb39d42c036b5be1e994e5f4d6e342d35e4bf
SHA256 2a8e1bcddefb3929f5c97a5d37a830e37897273b7f8b88db790d9b5f0c372ac5
SHA512 d0747d96de7cfc7a9c4da41cf6e3ab17c71f85503c176a2f63af7ba8bc9b30bfb45ac76ea021d357fe0b165f776d3cc0bed12a52c5e7d3ee139a653f76a60655

memory/4684-139-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/4684-140-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/4684-141-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/4684-142-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/4684-143-0x00000000004F0000-0x0000000000B2D000-memory.dmp

memory/4684-144-0x00000000004F0000-0x0000000000B2D000-memory.dmp