Analysis Overview
SHA256
8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387
Threat Level: Known bad
The file VeryFun.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Adds autorun key to be loaded by Explorer.exe on startup
Sets file execution options in registry
Modifies AppInit DLL entries
Modifies Installed Components in the registry
Manipulates Digital Signatures
Checks computer location settings
UPX packed file
Checks whether UAC is enabled
Checks installed software on the system
Modifies WinLogon
Installs/modifies Browser Helper Object
Adds Run key to start application
Sets desktop wallpaper using registry
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in Windows directory
Unsigned PE
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Modifies Control Panel
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer start page
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-30 19:47
Signatures
UPX packed file
AutoIT Executable
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-30 19:47
Reported
2024-04-30 19:50
Platform
win10v2004-20240426-en
Max time kernel
23s
Max time network
167s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "°\\¤+þ\x10ºÇ’8:ªÝH~ºé #\bÅž=\nÚºMØ" | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\x01ô>Ên}É!Û\x10¼É%ª\x1dü©g©\x02`\rœl\x16\x13\x14™" | C:\Windows\SysWOW64\cmd.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "FÁ\"\a*£\u008f‘2-€òÞ=TÑ|û\x0e\x15«\x04ô\x19‰JÙ»" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "Aå²W–?4°\x1f‡\x0fN”!Náó<¯Íú#@&\u00adI1u" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "é‘\x1fa7{\x117ÊóB¡¨¯Íf\x03ŒÐÝ‚\x14\x1d¤\u009dºôŠ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "í\x14Zfø\fT^Ñw¹,¶+iéqUØ*[ªþIÃT±E" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "îr•†¥¿«Ý'\x01»\u0090\x06p©Ðý" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "ÁðlË>E\x05j÷ZZ\tÖØ\nT\x11b§J…mÎUAj¾J" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = ",Y\x18©ºqEÝž¤¥œO<åh!zÁ\x03\x1a\a\x04‰ÛËA\v" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "sbŸ\x17\x06׿\x13\u009dJ'tÑÄV\x1b\x0e\x18\u008fã\b\x04\v\x13ß\x7f1\v" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\Dll = "*" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "ù¦\x12€\x19\x1f,ý{˜ÄçÊ6<T´†\f§)§|¡\x15¡" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$Function = "Qª^äè¼éøÊÂÂ\x1dëè0G\x06¥“\x1et?Æ\u00adR1Æ\u00a0" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name = "(ÔTØ7³cO$&û¤XX]\u00a0¥Ö`žnj¢D÷+ŸM" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\Dll = ";Çhd»Éì̬^\x17Å¥*þ[½wÃr\u0090rÄä¿\x17\u0081ø" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\FuncName = "ZA\"J\x01#[\x1dÍ9\u008fÐ\txÖD”5p\x17{5\u00a0žõ\x02¿ï" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "®\vò“ц¼û\x0e\\ÍãÌÝ0Û5Ÿ¾R>Ìê?NX\nX" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "ã9\"äÓu¸f\x7f3ä\x0f¶žf\x1c\u008d1±ˆÉÿ¦Œ¦\x1a7\f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "¡\x13ñ”kë~èÐD\x03'.ó´ƒNºiaØÒ\að\\œ+\x1d" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WYhx_\u009dóüêàhšÏ\x04£?,‰ŒD\u00a0p°wî¡éŒ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "÷Jdf\x0e\b 5\u00a06\x06\x10b@/Ý'#w“\x02Ö«Ó\x11L¯=" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "ò]¯0Ü\vè´\u008dõÄt“„Æ6ƒ£¢Ñ”¬0\u0081è\u00a0Í)" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "\x7fÖ´µÅ•}\tÏ’" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "xоÕkP±\x15JøHŒœò[Ïϧc\x02\fšLz\x16Ÿyi" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{000C10F1-0000-0000-C000-000000000046}\FuncName = "ÁqaH)¥ú\u008d\x1aúɹÁwЃ¶ý¾P\u008f\x06Å\x0eŒ¾\x11Ò" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "\x064\x15¾šÏ²ӟ*û†\"ï*,W››†²Ôکߺ\f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "Ê" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "(Bæ ‹bqüƒ‡Ö\x0f;´bQH\x19$K\x05ÚŠø+â\x03@" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "XåÆÍúÓ\x1cëÎ0™¸áhôжÉâï¡\"\nŸ_bÊb" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "\\ÀÝÈ6\u00a0F[®\x7f\u00ad[oé\u0081†LÇ„ÇÃ.\u0081½RFÈF" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "_åWÅÕô<G\x1eÓ\nœ¦6°é\x189of¢@0qWðÇ\\" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "úr\rí¿VŸ\rTi¬Rp[HX\x11À¨\aùôç³t¿Ü¡" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "{׎‰\\4\x1a:¢¾q/bJ¡D¥i\x19\x15ÂgÉ,ލ\x16B" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "jö毆ýóª¶\x18 \x14Ç%ï+5K¬\x1b¦KVW¿í†ß" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "-Aðé£a\x03\"àûѰ¥ÀRy¾{\x01óûðpô\x05a\r™" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}\FuncName = "\x1e\x01\fŒ€j‰6\u008fr7\x0e{ßž¥Är.ÌA7+\x02\u00ad\x06\x18Ì" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "*ø<HºÐljÔ´áï‚|ä;³–HtãÏrVÉT" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "sìçU†eÏ&Q“\u008dX°\f‘}ã¡:.¿\x05“jïð+„" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "^欸1¢¤áôpÙq1œÃä\u0090Ìü}ðÐPd>ȦÓ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$DLL = "\x7fÕ\x18¡žMÌZ/v‰Ãÿ\nÅ\u0081ÂgH61*Ä|’ ôz" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "c:{~‘\"ïâ32Ð3ežðµâ\x02%eO{Zæg(*›" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\Dll = "©\u00a0rYZVFù¶\x06\u0090áñÆûþ\rúî§qqÞ²&ȉ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "^\u00a0¡ÄÑ\x7fa\x02\aÍ\x04E\x1c)Õ:Nô\\´1‰6ôåŒüë" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "í“ð\rã7(\f(pàý$µGÊ}b»Ì\x15+˜Û\u0090ËÜš" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "\v\x15ÊܕĞ!¯{{àòÚ„¼)fnQ2þ\x1b<p;á¡" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "¨BÆp%\x17ÈÙT(ã+Ø…4æî\"ßhÒ¢ºáü÷jT" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\Dll = "†òϼBØ\x1b\x1b{Õ\tˆƒXL\x18»låT”+TŒa‰(™" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "V©Ó\u008d\x1fµ_žêoœÿ?®*JêXIá\n¸´QÍ\x13F¢" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "\"ßÓgª‚9¼gÒ-1}ÅÚÒ·\x12î\x1e\x046e+\x16!z÷" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "²ŽíÐA_µ|û²‘\u0090E\x13ˆV]\t´Ó7PÍžêŒ ž" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "ÌèÀœ\x15lp\x14fMÇ„&\x1378Ðl2\x13Ña—÷îð\x01®" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}\Dll = "pQƒ\b¤‡ÞE\x18\nµ\x102\rW¯–ÇñfsáŸY%÷*º" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\Dll = "ËM\x13î(Â\u008fÞ>Þ\x1fï‰\x1aI*9¨vXÁc¯-\u00ad¬Ûç" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "\x1dD@d'ÍïJ\x17éÄ—ìgÝ&\u008f“\x19\x1eÂÝY¯ùh¡Ò" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "\x01\x1aeÞw©)çý\x04\x1a½v\x1f\u00a0kGê\x1fqŠ*ƒ\x03¦ˆiÜ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "À«W¼Í" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "fWa<-2‘‡Ñ.R%Öi½¨VmX\x12TT–׎—ÄÓ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "—RÍ…œ\u00815Bc ö/?\u0081¹”ì$¯\u008dŽ\u00ad\x06D^&Sµ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "µ\x13òSƒìX\rø›ýÜÅ`nò\u009d\x7f–¯É\rÉüÂý<;" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "ÑÑ‘\\9.¢Þ_zœ ºn¥•g#¼<\u009dUì\a?PTÌ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\FuncName = "‰YpsZú?(tu\u00813nš\x17žŠ\x06.Ojª^\u008fZábÓ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "\vó\vd\n+¾ðy·ì5\a\x04\u008d²\a\r9/\u0090îO½£€i\x1d" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\FuncName = "å‹–õÇÏî…\x15Ø«íò\x1bÁ\x03»è¡â\x05´+Kˆ”Ím" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "´ÃspêØ{·PÀ’\u008daŸpv9¡êÊôå¬\u008dr\x1aÿk" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "©\x1d'<l\x0féë\x1cjùÝr™F\t\fí°Ö‹¯\x14¸°µ\x17\r" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "…Œ*æ\u00ad`¬\"\u009d9³EïÝÓ\u0081³l\u008dÏŽfuy\nÐeÉ" | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies AppInit DLL entries
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Locale = "\\;zgÒM¹êeZÅKøh ™¹*„²ð‘•\x1bP\a+U" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ComponentID = "•\u008dXX¢%Ò\x1a\x05°²öOáËIî*ùõ(\u00a0½Z·Y¡Ù" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\Version = "Bc`Úháf;”‚wÌ ŠûFR\x19ÖÎïZ. —î\r—" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Locale = "^\x0fѦMÇ\x03Í;)6àâv\x14äÑš\x04X\føcbô×g." | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ = "yº9±”îINnëW\u008dÑqÊ\x01ë€Û–$í\bjÃ)" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "”YÂòé’Õa\x0eÛa£öD<˜÷?ÅeK\x7f„\x05F›œT" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "\x02Œqô$é–iæq˜2>dºƒÐ³˜\x03ä4÷ú‰\x16å(" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Locale = "\u009dîóI\x1cIòôXµ€pmd\x10I>~\x10[îŠðÅ`¯KŠ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Version = "×åü›»·»]É\x19¤\x02Õ6c2¸àfóäé:ö˦HÈ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Version = "«y~Ô™R{3wË\x11S//þvêwR6ì—݈\u0081\u00ad\x1c¹" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\ComponentID = "唘1½Åþ¼Gï[¸_°¨ÞAkÌy\tyúu¤aÆ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\Version = "R!—ñÑÊcÃQ2©NQ\u00ad\x0f%[åô" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Version = "\v:%\x05>\x10oŃÈö\x18·Ùw³\"\v\x1b·ù²Å·1/" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "åÒ\nÊ\x156I\x1ay-€\x0e\x0f\x0f—ÏÓBݘ”y\u0090£Ïñ„Ç" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "B¥õÛê\x10ÁSÇ_íU8{eB)\u00ad–g‘û-×äkv\t" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Version = "¬ÃÃäe/=FÃ\x15\veéiýë ©4‚Dú¤vé=%" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Locale = "ȇ\x1biQk\u008dÓ±\x1eCè®)™$D패Ç\x01\x1e]\x11VML" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\LocalizedName = "™œˆb7•KÈYEœÕaL$_\u0081ˆNÎqótŸÁ„ƒ9" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\StubPath = "\t\x1cßÖ0¥êÖÞÜåÑ^:´hÉP\x7f¬Öv\u00a0ð÷ï\n\a" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "´“„°±´ñ=.û\x03M\\gç»k1'\x0fØï2\x05?û1¤" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\ComponentID = "ö\x0e\x7fÚ\u008d\b,ý^\u009d|Û\x06÷\x13Ù#½¤ô–ËÙä" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ = "šˆ¼‰éq\t`ƒô®\u009dÍ\x10”2ƒ¸û{¥¢Ö-¥Ž¿´" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Version = "QÈÆÀ\x18»ª\x12…µô‚\x16Ú¶O\x06\rWËv¾Í\bÜchÜ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Locale = "©\x1f¼\x03´\aÝW~ƒ \u008fœ5ዾzÓÿé±€\x1föè³¼" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ComponentID = "]¥~g\u00a0@\x1fN.p\x14,\x17³Ê{'^\r–\u008dƒ\x1eE76Ô]" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ = "\fN6\x15ª4ŠÁ5\u00adü\u008dä{\u0081;+…&级«9u«rÚ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Locale = "ï\x19.íARî/¾Ê\u00a0\u008fäŠ\t´¢)¸|i–RÒ\x06D\x1fk" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\Locale = "L±\n$p1Ì@\x1c‹7ÙÌ\b\x1c\t\x12çô3µ”ò\x18KËãr" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ComponentID = "bòG’|\x1el\u008d\x12Öy>\x15ÑŒ\x06œ\x19ÓmÌXJ|\vŠ\x10*" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "\u008d?0\b\a¡\x11Stsç²jL\x1aØP\x10·zfÑ162†¡O" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ = "\fR\x17\x15KIPEÔ\x03ü\u008f\b\tÑe\x17f<¨Dp…³%ä\x1d“" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Locale = "÷$îA\x06˜6¿\u009dšî\tuÊQ=B»žÜ*·\f’?p\r\t" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version = "Þ¿]m¿ieì;tl6a\x1eÈ®é§\f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Version = "œ\\ÿOï;²ó_I¥ô&Xg¢\fk\x1c?Æ\u00ad¦)è\vµE" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "\u00a0´\"Q²" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ComponentID = "\x01’ûN•ª±\x1eGT“òM@¬ÛLLúwhã\"M\x19\bëX" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Version = "ÕÔ‹×ã/“\v„µ*N«Aƃ_ÒEírÇŒ\"ÒÖ\v‡" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ComponentID = "ºwù{¶À\x17|R\f8p¾AåwÕûõcj\fJ›\x0et<”" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Version = "“{ÆûÞW\u00a0¸\x0e1Hò¬á\x14\aâü5–BÔUИ\x16ìÒ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\ = "wÑÓRm1Ù^à0ÜÒöá\x14§\v=a\x10E\x1cñ¯×\boŽ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Version = "ÏÁ\u0081ÿ¼KQÊݼÂ\u0090ï”Fœ¦$ˆ†ÈÖAÜ/[" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\ComponentID = "\x1bܨȹ¦nÑÎ\vˆÂµ\x18\x1a™´3| œ«¦6%ÏØà" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "×Fcc\aï3\x03\bã[5\u0090>¹\x13I2\x166x:\x06L‘\x05\x18Ç" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ = "I\aW»\u009dÓ÷ùV*S@I„¹7”ëe»µi¢îóK§•" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ComponentID = "”ñE3•n\x10°*‰¬Îôø¨¦|:v–²" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ComponentID = "D |<ºM—Œu5&\f\u0081„ÕYÆ)›ïá_Í”\nŸÀÑ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "&¯ŠÒŒqÇÜöÃ¥×ÂÑ\bþWÊ\x19Î#œYB´ã\x1e." | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation = ")\vùuz˜\x1e;×tí×9téóþ" | C:\Windows\SysWOW64\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "Ǻ\x1a€´±<'õÏ\fÅ\x05Œt¦Ë—½7u¯èÈÈh\x02W" | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "UÛ3ãþÇä×u0\x03ô_åV²%ÿ6›6+9\u00a0Þeóâ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "\x1c\u0081»/\x03\x17ö¡EjIäÖ%Nã BMsé½a\x10D† å" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "ø\\Áäe\x17è?\x1ca\u008dò4\x198™1c›ÔûL¸äé*\x14\x04" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "IÞ¦\x11ï" | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\DisplayName = "\x1b”‹\x11§ègŠmR`Ë\bÛê¦\u008d<—¥[\x0f8·\x7fSs\x14" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ = "\u008d/?ÕåÙƒ}&‹5öü\u008fœùüS\x13ËPäžðº«s\t" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\ = "\u009d\u008d¸«>®c\v4" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\DllName = "Ú\x0f¨ƒÃàˆ§ô:Ái~\aÀÿ\x10\x04A\x7f~&%ù§!dH" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\DisplayName = "¡:éQ¼Q*JDsXæ_\bó«¦ÈW¹™Â·îÕdî_" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\ = "\x1b°öÒ/·LcgOyVEYõ¡wVP¥ù¿Œ\x18‰\x04'—" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\ProcessGroupPolicyEx = "„\x02\u0081\x10-i\n\vÞ?V4®åÁpWi©°ƒÛÁŸ&\x7f7Ä" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ProcessGroupPolicy = "l‡ê™gÄy\x04¯\"*Û|\x04DÔñØ\x04Ä첎³\x11¶îG" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ProcessGroupPolicy = "¶ò÷\x13{\x18{ñÄV\x13Û\x10–ë\rþÖS@\u0090ro¨^:ÐÕ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ProcessGroupPolicy = "í¡Õ\u00ad“$û:PèŽ\n\x17åW–\x02Âg\vì#P“Ú×\x15±" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\DisplayName = "Y\x0fž¹ã¯\x1bräçäÜ2klžÕ^\x19\t XÝ‹ö`ˆ\x1d" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DllName = "”À[£»àa\x1dïÉgôiIwëß7\x12\u00a0]" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ProcessGroupPolicy = "GðM‘ƒ;›¹)Ý\x0f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ProcessGroupPolicy = "Û¼\x03~ös_†Á»th:Êñ5F>\x13\x1a”¸\x1d3ú[v›" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ProcessGroupPolicyEx = "\x1f¯Òé\x11" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ = "`(`żc»Ò\x1c¿dæO/©dÍt³µD…5Ö\x1d—†" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\DllName = "\x1f\x1e™\x02\x0fE‚\nWHä\rw°˜øþˆ\x1d|ˆ0ƒzmª¬\r" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\DisplayName = "ˆö\u00adXA™" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName = "k«\bÊA&k$§Ü#JY–¤¤q\ré\x0e°fl…×f\x1c]" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4B7C3B0F-E993-4E06-A241-3FBE06943684} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\DllName = "\x10î\x1c“ÈöúòE\x01\x10c/ð\x13\vŒ\x05\x1ef\u00ad1m\u008f\x1d$\x06ð" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\DllName = "Q²]5/ZŸÌ‹1bãU…ÜÎsY\tŒ¡\u0090‚‰Wxh#" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\GenerateGroupPolicy = "r\x17‚OѦ‡ô_÷=\u0081òPof)z–úÜ[uÅ\"\u009dV\x1c" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\DllName = "\x19…vï\x0eXtVÿ°¼1H‰°M}Wp\x06\x10‰\u008dÑ\x19\x1d\x15‰" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7909AD9E-09EE-4247-BAB9-7029D5F0A278} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ = "£³|Ì\u0081/ã)«p7XkÚs–\rÝBˆžÑ¥…\x06ù’d" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DisplayName = "†Ù'.\x11ª#\x178¬³$¹O;ÝíÆ2©Ž\x06ÿÙ¤§$\x15" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DllName = "\að£þ¢‰~\u0090Å\x19Ÿ*B—\u009dö\x13\x1d6ÇÓÚÙS]öº(" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{2A8FDC61-2347-4C87-92F6-B05EB91A201A} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\GenerateGroupPolicy = "\x1cC³¬Ë“\u0081)bŠFB8Ô\x16M¡!Û\x15I’]iQŒ˜1" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\DisplayName = "\aÑUe!ÑŒí\x17K~(iÊÄ\tK\u008dßp,Ðb»&׋í" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ExtensionEventSource = "¸\x7f\u0081—Ï5ÅŽ…ûQí©áT\x1dþ²'\x12ˆ¦]^·š\x1a³" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\EventSources = d2000100f200af0014002b005000e000ea001c001f004200ba004500b900b7007e017400e400ac209000bd0018001d00fb0009002500780100000000 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ = "\x1f;\x1e&ö€Ù\x03ÆÎùÅ\aÎðó$ûÁ\x17$hh]\x15\x11ô™" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\DllName = "‚¸Z¡\x0fßòÁ\x1eý!•©~ú6[á\x0e\u0090|•¢4V’ÞÉ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F} | C:\Windows\SysWOW64\cmd.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\WallPaper = "á\x16NS\x06í\u0081Õû´0Qj\u009d\x14XEmíü«k\x02%\x12æw\x0f" | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 608 set thread context of 464 | N/A | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 608 set thread context of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 608 set thread context of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 608 set thread context of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 608 set thread context of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 608 set thread context of 712 | N/A | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System.ini | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\ButtonAlternateFace = "X@" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Cursors\AppStarting = "'}N¶\f:«L\x11ôÖ\x18öbìùJlå~†y½ü+³Ú" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\iNegNumber = "0\x17_\x1eµô\x11§°m\n*€F\x15s•žs=OÂo”oú©©" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Mouse\MouseSpeed = "\x1e®\x1f¬D÷s\u00ad5Öâgæ¦Cìjž\u0090ƒ\x125é6·öœù" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value = "Éu\\\x1bòh.¤Ã²—xq{ïëòàj8¿„áÒ¥\x16Bë" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\TimeOut\TimeToWait = "pÇ:Z¿(rZF°½>\x10óƒ0gFS¡£?ó‡¸" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\ButtonLight = "\r\x16" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\WindowText = "\x16F•\x18Áúðc!çúÜ\x10¤¨\"<—Ò,1\x15ú¤5hi;" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Cursors\Wait = "¬µ'º+uá\x17\x0f)n\x01Ù¸2\"CËVÓ(\x10Ÿ\x05á\u0081\b~" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\AppWorkSpace = "E\u008fì\x1bGÇúB5W@+”¯ÐNjP\x11¾¤¦=[2P.\x0e" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\ShowSounds | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\InactiveTitle = "<z¾ˆy¡\\̲›#pÞr{¶î³8Gh¹K’Æq\u0081" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\RightOverlapChars = "½gÞ\x02^~åì…\x036½s˜È¸[\x02Dp·`?ÎÂ>)ó" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\iTLZero = "¹\x17÷\x16Ch\b¥2\x1bµ³í¼&'Zé‘\u009dÁª‹ž\x12" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\ButtonDkShadow = "Ñ9Rt\frH›Êu•cRál”í…se;¡‘¨¹âü{" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\HilightText = "u`ºÓŠGªºCZ›ÐèÒ7kí|ÿÛÖd몗—àð" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\CursorBlinkRate = "põ³…Õs&5n¨¯p×hÔ6ø\x1bÈáSÚ^\x04{õÉ%" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\sDecimal = "fê.¬?á‘rß\x01@\a]ô‘\x12³M\u0090ê¥)Ê0·v£\a" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\ButtonDkShadow = "\u008dâÄ!\\㊩\x19CȈL\x1a.ö=Õ\x0eDa\x0e¡¶q–'ÿ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\WindowMetrics\IconSpacing = "—5\x12ö;¾PŽIû;ñ¹P†úýZ6¯Dø\x06@]z£ " | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\sShortTime = "/$:pñLÅ/ˆ`:À-=&\u008dyiÀ\u008d\x10t+ù‹îÏw" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Cursors\UpArrow = "G®€þÒn|:Þ\x02<\x0e+kàÆÆc&È\b}‚·ü\adÎ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\TitleText = "\x1eH&~NóU؆Ómj?Ó*=GÜkþ¬B\x10\u008dšÊèf" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\WindowText = "ÿ\x14‡â\x01\x1d\x02³ŒòUù\nRº¯|íí\x13ŒeÊà\x01P*K" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Mouse\MouseSensitivity = "'®" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Mouse\MouseTrails = "\x19•§èÆ»¡”\x013ª<" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\SoundSentry\TextEffect = "È\x14ÊÒ-Ðâ™ÄˆóÃŽ¼>ÂŒøÞ¥\u00ad\x15±¯öÆ¡T" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Appearance\NewCurrent = "D\u008fÓ\r¯zà8b" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\HotTrackingColor = "?B\x13ykþæ˜ê\u00a0a+×$þ‚s~,P\r`;ì(Oú@" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\PowerCfg\PowerPolicies\2 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\Keyboard Response\AutoRepeatRate = "\x0eµ\x1eŒoÔ‚£\"ñ‡…§}¸7ŽF²KÆ\x1aYݺëKl" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\ActiveTitle = "\x10Pv{îó/kM€\x17Ã\x01àõQ\x06~ÕÕ·M\"ÖLoó|" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\iCountry = "ØÙBbkd#‰«O'â¾¶%\\\x1a$àr\x1bÑ9óôõ´I" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\PowerCfg\PowerPolicies\5 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\GradientInactiveTitle = "clù>t6Gí@ØøÂp÷KX\\¢õ8E\x18Æêl‰PÅ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\LeftOverlapChars = "Wf¤S\x1c9\x01?ކ“÷t2\u0090ckô„\x12b®¶T°ÑÃw" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\sDate = "Ö\u00ad\x7f\x02UVoPiÏÌóLʦ«\x16lôkeW6¡¥\x1eö‰" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\iTime = "ÞéÑÌ?ò\x15lf@\x01„oŠÃ®Bx…SÌ\v¡`ä\x0e2«" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\DragFullWindows = "¬A2jÃ\x1aÉlxÏ¿5IÞ‹®oçPŒ_›ÇÖ7fd´" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\Hilight = "§Q•\u009dÀ-Hȸ\x06ÇH\r\u0081îXÙ\aŽ4þ¿[¥\u00a0\x1e›\u008f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\ActiveBorder = "£i\x14hVoø\x04²ø¦‹XB¾‰É©\x1cñŽë)lO¬ø×" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Cursors\SizeNS = "ogéþEí´ÄRÝ̺ó<îð(Àñdý0í—«‰\x1a" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\iCalendarType = "ïpßw’Ú\a·\u0081¦í³°Lr-nãì®–˜î}‘¤§\u0090" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\ButtonFace = "¶d\u008f1ƒ1ºÆ#Œ¡yAØYä¬k\x02ªö\x1e®‡ª®Þø" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\Window = "t\x06°æAºpdøîeÍýìÁÏøŒ\x16vyÄ“ßÞ\u0090IÆ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\PowerCfg\PowerPolicies\1\Description = "Fp…)=š\x1f\x06\r C\a\vp\x0fV€\f$C\x18>]²Âny…" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\Keyboard Response\Flags = "\x11b\",ËPÂø9”\x01Às\x01É¡Ú1ÇD“–)ÛØ\x17„Å" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\s1159 = "ÙNõÀWc\u0081MYÔ\x05€ˆæ½\x14ÞQä\x1b2&þÕ\u00a0=8Q" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\DragWidth = "Û!ï«lM.{p¦ŽQPoÿdmmI\x03\\\\\x02ÿœ[éw" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\iFirstDayOfWeek = "îéc\fœMœ;b×\u008d0XbSm\x17±z+S‰\x1e¿A\u008f\x14ˆ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\GradientActiveTitle = "Ð\x0eNÕ{”öÕ\u0090géÚI+\n;\n]'sÝûY\x14)2\x1a…" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\WheelScrollChars = "\fôX3¬2C\x1eÎgq1Êæ\x11mADq©bô\tÊÚ]sv" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\sGrouping = "‘Âæ{IÌ6G\u008d\aÒb2\vƒ\x02¬š\x7fÒ\b\x12\x15˜Æ\x1bãÝ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\PowerCfg\PowerPolicies\0\Name = "»•6\x1a<Ô*\x13åðrbPjpׂ•ëÀ’3ç\x03á׸Ú" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\InfoWindow = "áh\x17|®1áX\x1eËÿÄ<Ž\x06N\x7fW£àQé6\x11†\x0f\x7f)" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Colors\HotTrackingColor = "\x0e\x01\x1e—T¦¤âAU—ëü‹Ÿ¹\x14™ú\x041\r\x1c\x15×ì}\u008f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\sCurrency = "©\x14B\x18“€÷€º&}ÕÕrCÓy\r\u00a0”§•TS„gV\x1a" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\User Profile System Backup\Languages = 3c00e4004c00220015008f006000d200c8002620c800240066003e007f00aa00f7009d0039200d0035003900440022210d00a6008f004e0000000000 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Name = "ƒ\x1a¹X~”Z|ÙÞʵ¼†ç\x01l\u008f“\x1d\u00ad•\x10ïÙâ°\x1c" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Mouse\MouseHoverTime = "©¿?\"¾Ïù?\u00901ž@W$[Á:>—ö\bÝ·Ú°\x10ÐB" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\StickyKeys | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Colors\MenuText = "“\f_\x05kÕF°bñoº\u0081>“\t³E°þow\u008d`=·Å9" | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\International\Scripts\10 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\International\Scripts\34 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\Bitmap = "j€\x1a\x1cÅ'óç\fæ\b(\x01\u0081ö‡v›áqb¬î\u00ad¨û£Ü" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\ALTERNATIVECODEC\UncheckedValue = "éZ熈&»€“!+Î5Ýwör\x02¢‚£xê\x06\u0090†ªQ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{79CEEA4E-C231-4614-9E3B-53B2A02F39B7}\DllName = "LXþø\x02ãâë*á¶?ÑíÊâi›l‹¾d|£T½t" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{186e0934-aee9-11da-961b-0014223d2a70}\AppPath = "$V2\u008dÙ\x19õ‹lí\a\\\x1cí\u008d\rG„ÕÖ^o&äÅ–¬t" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A3BC75A2-1F87-4686-AA43-5347D756017C}\FWLink = "å¡>´ï6ýœç\x14“04šiÄã»OïߘOZ c×z" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9}\BlockType = "½Ç…#@¼®þ‹\a\"g&\x11;\aŸç`\x05Áå¹}\tzv%" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "@\n\x18Aã¾P[±\a$ÆòEý†år´ÜÌE/öà¿Ç\x02" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{C451C08A-EC37-45DF-AAAD-18B51AB5E837}\FWLink = "iç9T¾8M\x02 ;Ñ—`\u008f\x16¯n=Ã\x12¹©ÿ³e£LU" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "'cí&#b«V¾€Y+h˜›b¨¢\x19:W\x1c[Ñ?'(\x0f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PLACEHOLDERS\ValueName = "‹c¸\x0ew™™ªÈ`\aÝFc\n\u008ff˜$g\\Õ>°+.ÞÆ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{00021a13-0000-0000-c000-000000000046}\BlockType = "wTcݽ\u00a0Ü1ÂÌ“5ƒ˜eÛ-\a¦™\x0f\x1b„¡ûP;ê" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{1A8AC5E1-7AAC-47E9-8D8F-1D4B499F83CE}\BlockType = "\u00a0\x02˜.HE¦•Ô<k\x17½\x15/̓T$¶4^i.¶‚r»" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{57F02779-3D88-4958-8AD3-83C12D86ADC7} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5A074B21-F830-49DE-A31B-5BB9D7F6B407} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\AUTOAPPEND\ValueName = "»ßIã“\nòß\n\u00812çç†l+:¤Ö…•yÿ\x12¸uF\u0081" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{29CF293A-1E7D-4069-9E11-E39698D0AF95}\BlockType = "B®F¤RµôEéãùT‚{HN\x02\u00a0¿'æŒJ(\r·\x12¶" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CHECK_SIG\Text = "½" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\SOUNDS\RegPoliciesPath = "b\u0090\"•q{Hp\x1ep0Ilhbª\x04úeýÆ1B\u008fÒq׬" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7}\CompatibilityFlags = "` ”•²\x17“³w]™Îï”Ì\x0f¶ûêmßma8úne±" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\DesktopItemNavigationFailure = "A]e\"›¹\x05˜M6ÓR\x14dAØ\u00a0`" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\INTRANETFIRST\Text = "häöä‘uf\f#U\x10fµj\x11”qhŠa!aê\x14¢nÒ\x7f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{812954F9-FAA2-4aee-A9E7-3C4FDE2166A6}\CLSID = "_‰¿A#¿EŠ·)N³\x12ïö1[é\x15½(|}hãÇ|ý" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\DOMStore\Text = "†\x01c®Hë\vôv\u008f•~ÑN|\x0el¾Ô¯s÷}׳–nÄ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8_URL\HelpID = "\x01ðDΨn™>Ðò/Á\x1a¦Sˆ²]ØÐÐ#dn°u\x05ø" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{e5f90a07-7db7-4dcb-bd6d-d3fecd376ca3}\AppName = "ÜãH‘\u00a0\x1b®Ú½(\x11¸”#\u00a0·ñ2Œ’\n\x17þ³<Q=\x05" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Enable_Disk_Cache = "Ѧ\u008dR+Ô\x06Â\x15PY\bO7Ò>ØÌ³Š¬)%sxù޹" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\HIDENEWEDGEBUTTON\RegPoliciesPath = "±\\\x15>{í>$/PP\x7fDÙo@ø:œŸ*ô–ì<\x1dä²" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{179E4A98-A3C4-407D-8C66-E63B67BB6F4A}\Version = "|\fm“\x03¹\x17\x1c#—\x11´\u00a02µ½Q!P1ê¬Òºl´è|" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}\DllName = "\x1cú›+ƈn¯³\x15ÜÁÙ.Ãi¹\x1cÝj©ñYøuN(W" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{21FA44EF-376D-4D53-9B0F-8A89D3229068} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\CompatibilityFlags = "l\f'ÈËÉéÃðL•ÿÐó²\x0eOÞ.œSÆ×$ÿ\u00adr…" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{BF09613A-4564-4936-B6BB-B23B1D3D4FD7}\FWLink = "\x1a^\u008dÅùQ!Bô\x1e\u00ad\nÛÆÒwÚy^T~àîÁHÜ?ù" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\DllName = "Ÿ\x05‡‘¬wF-8ß{‹Àç\x7fê~\x18î7Â)©ÙWÓÄÒ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{11359F4A-B191-42D7-905A-594F8CF0387B} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\BlockType = "\x11Z\"’÷W”\x12ÿËè\x1eA\u008d\x17\t\u0081h\x0e–º‘X¼àN_s" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\PREFETCH_PRERENDER\ValueName = "9\"É\"àém\x0f¼x쬻(ù˜\x7f]ÏÀ\x15!|iÏ~\u00adv" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\DOMStore\Type = "\x146s ó”ML¹\a\bó•‚Ál²v§\x16•ÙË;\x15»`" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\Text = "\u008fÎ,Àäýq¨\x04\tÒ¦¸ã6qró\x14,È\x12´öÀ}áM" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Settings\Text Color = "Š|ÍÌ>È›(•ÝmX’â~\x0eÁj`\u0090í{¦”" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "g\b¯…:¾\x06:Š2Á]_ÃÎX\x18·ò€\u008d5\x02\x04\x17?«\b" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{65104D73-BA60-4160-A95A-4B4782E7AA62} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4E7BD74F-2B8D-469E-99FF-FD60BB9AAE2D}\Version = "ÖÜ%\x19!E³Î\aŒúÔàë\u008f\u00a02~ÇàX\x1c}\x04\x145Ã\x04" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4D256DB0-6C34-4EC1-9704-02182D6503A6}\CLSID = "uo\x1d†Å´IR'®Í\x13”®¤¢Ìa\x13î϶®%Ôzdü" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "îâåi\x04†÷\x1d¥uTTæ£ìù\x11\x1bh=GŒ”†¦=\x12â" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\39\IEFixedFontName = "”f\x0fkË~r\x1eä7\x1cÿŒÍú<’•Êð\x1f®$Y@HW¬" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSL3.0\Type = "ôªÐ×Ñ\x1e¹Î5#Q‹Á4ú\n\b\x12\x19Kf\x16tÎ\x13´\x13·" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8B4F961F-0B84-4201-BBB1-34E45368F39E}\Version = "ËS!&\x0fƯzÙþŒR|ÃI8ñ.\u00ad\x17\x1c…ç†\x12÷$" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A3BC75A2-1F87-4686-AA43-5347D756017C}\Version = "^V-\tð&Nco]ÂÎ<\x0f±Œ2×-Ë5WïS©Û:" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Show_FullURL = "·âš\x1bj:9•W&<ahƒ%Î\u008d\x14«\u0090¡¡³cŠÆ§[" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\BLOCKMIXEDIMAGES\HelpID = "Á?â\x13)\x1e1¬\vP¹Lò\x02A\x16ÊêæøgÎzZÕ\u009d1A" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SECURE\Text = "8Ã?\x14{Œ÷ŽÇ\x06\u009dX€R\x1dÚÎÂ\x13Òp!~\tã/–[" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\PROXY\HelpID = "o4¨JßìPaE\x05w\x1d¶Í9º¦ÆØˆ¯˜]!î\t”‘" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\FormSuggestAskUser\RegistryRoot = "ö©=Pû;›g\\€…ɬ-é" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\ServicePoweredQSA\RegistryRoot = "x¢j~•S–ÍþÂ2\u0090‘èк@ëˆÁ˜KS€äsa" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8B4F961F-0B84-4201-BBB1-34E45368F39E}\CompatibilityFlags = "ð£'¢f_iJŒT?\x1ak\x17\x11c䧺vËc€Ã=\toG" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\FWLink = "mÀ\x1b,Ÿ£8'\x02ÿ\u009dº±åIØ\x13\u0090Á¯>Z~1+ãÉ\"" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26fe7361-bd5a-4dcb-b309-c6f42dde661c} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26fe7361-bd5a-4dcb-b309-c6f42dde661c}\AppPath = "8æ+O%(Õ1" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\Window_Title_CN\Window_Title_CN = "~RU&\x1e‘ü°WD'¾0Iû³áâh\u008fŽ\x01ÞŠÅó%\x0e" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "ê(þ)©L©p\u0090" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "åþo\aÙ·›5|\x1a\x15GÃòx@kâÕŒPõI,Þ\x12Æ\x11" | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "M\x0eÞƒ³Ÿ‚χu7\x06j\x06|ÊYŸ”\bË\u00a0wIœRZª" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing\CountryCode = "Y‚\x16¯,‘T¬J&\x16•/˜\"bº5\nsq\x17†\x01ò<æ:" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "\x11Dº[ôWç6Ä\"\x15‡<Ž?ƒÄD%Ю‘Ë)ÏgN®" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "\x04\u0081ûVdÜJÉøú†Àþ-:N\x15X=½Þë%†ª]N\x19" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SettingsPageVisibility = "µ÷4·\x1eãÄ\tÓ¹\x04\x19¿‹Â\x01\u00a0\u009drwêÅ×9ü\x05>\x19" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\ = "ûÀxGì눵£å\x12\x0e´Î¥Êo\fpp“š©\x1b/4]g" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI | C:\Windows\SysWOW64\cmd.exe | N/A |
Processes
| Process | Command Line |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | "C:\Users\Admin\AppData\Local\Temp\VeryFun.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x524 0x51c |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\System32\ie4uinit.exe | "C:\Windows\System32\ie4uinit.exe" -UserConfig |
| C:\Windows\System32\ie4uinit.exe | C:\Windows\System32\ie4uinit.exe -ClearIconCache |
| C:\Windows\System32\unregmp2.exe | "C:\Windows\System32\unregmp2.exe" /FirstLogon |
| C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level |
| C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff79753ae48,0x7ff79753ae58,0x7ff79753ae68 |
| C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=2 --install-level=0 |
| C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x224,0x248,0x24c,0x78,0x250,0x7ff79753ae48,0x7ff79753ae58,0x7ff79753ae68 |
| C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge |
| C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff679325460,0x7ff679325470,0x7ff679325480 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --migrate-edgeuwp-taskbar-shortcut |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeaddd46f8,0x7ffeaddd4708,0x7ffeaddd4718 |
| C:\Windows\system32\RunDll32.exe | C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 |
| C:\Windows\system32\RunDll32.exe | C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RGI99C5.tmp
| MD5 | dd4f5026aa316d4aec4a9d789e63e67b |
| SHA1 | fe41b70acbcba7aa0b8a606fe82bcfde9a7bf153 |
| SHA256 | 8d7e6cee70d6035c066b93143461d5f636e144373f5c46bc10a8935d306e0737 |
| SHA512 | 3f18e86d8d5119df6df0d914ebf43c1a6dadb3fdeff8002940a02d0a3d763e779068a682ee6bafe650b6c371d4be2e51e01759ec5b950eef99db5499e3a6c568 |
C:\Users\Admin\AppData\Local\Temp\RGI99E9.tmp
| MD5 | a828b8c496779bdb61fce06ba0d57c39 |
| SHA1 | 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda |
| SHA256 | c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d |
| SHA512 | effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea |
C:\Windows\TEMP\Crashpad\settings.dat
| MD5 | 295c35172675c56d85b3271fc5adbaf7 |
| SHA1 | fc8f7052aa2fdfb84e7cb6bf027db403bcb8cdf0 |
| SHA256 | f022aa4752d0400339634741871e82f3bb6e1dc719e1ffe9b3987e457c01bdc0 |
| SHA512 | 15813f64afc1d8f3fb24db561e3b68c8efcdfe45dd0768d53f85b32e72352c0f22240b9f4156dfa8feb88fde664025c75d3fe6594c957aa961fc010496f8548a |
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
| MD5 | 0aa22364f7b837652afb323504680abd |
| SHA1 | ac806b580a795cbaa32e33131980145bf18282cd |
| SHA256 | 48434bf87dd82ecd09ccf48d1a2f6b6e3357cb0c5b37dc1a80a7903ea570d91a |
| SHA512 | ccd50fc8a6a99a74a8a6f0fd33c917e217335c22d621d9689771561d06fe3d6cdc9a67c8c03dc9b7a3d97561d32f7e377604013bf00732be5e90a3ae5a4a53a6 |
C:\Program Files\Google\Chrome\Application\SetupMetrics\25285606-14a6-48a3-bb51-0a675a3e0f14.tmp
| MD5 | 6d971ce11af4a6a93a4311841da1a178 |
| SHA1 | cbfdbc9b184f340cbad764abc4d8a31b9c250176 |
| SHA256 | 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783 |
| SHA512 | c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ea98e583ad99df195d29aa066204ab56 |
| SHA1 | f89398664af0179641aa0138b337097b617cb2db |
| SHA256 | a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6 |
| SHA512 | e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-30 19:47
Reported
2024-04-30 19:50
Platform
win11-20240426-en
Max time kernel
19s
Max time network
110s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "¶zvþÿq·9[™5Ø<j´›]\u0081„m\u00ad¸`Geª‹ó" | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "k¹<\u009d\x7f…rì\x16«\bVΣáÎp\x12\x16‹\u00adtx9=\x03ÎB" | C:\Windows\SysWOW64\cmd.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "I\tžpv>Ñ\x15°K\vx%¢ƒ\u0081lÀ\x14\x12m$…çý\u008fÅg" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "§•͹\u0090W%`\x142èTo\x12 ÎŒ\x10bT¢ÃS½«M¢ù" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "k»LÒ•ó\x18ÕàAªž6Û\u0090\x7fÚ4il~\u008d…†\\z\aø" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "²µ¶\f/•[ÍHŸ@/k\x1c˜" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "KÕôóß$ßbQÈbƒw‘eμä—\"nÞ\x1b›+‰…†" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "©\x13Íhä¦î¶IÞ‚×Ø.Ÿ\\cC<\x02ð.â\u0090\x03p\t\u008f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "ð\u0081>\x1dø@T÷Výæa/ï“r7œ‡™´]Dð8Ÿ·Í" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "ˆ®)P÷^\x19\x10\bÿR[ø£8¹òsš¥:„Úw4£-ã" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "#ñ‰6¢Ï\x01\x10\n&õzÑù\\\x1fµ)’Ügf\vÆs†\x17É" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "‘fÜ{ã§ûf›\t¶\x02‹€q{Â)w([•\x03&\x1d~¼Å" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "âòWÈ\x18Ý…bý\x0f˜åž\x01oCV\u0081\u00ad‹Ô\x0e©'•ãoÜ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "Š2N#åSs–N\x1bÒ†96œ\x0e\x1d\\\n»ì Ÿ™?ç—(" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "ß#úÍZOúˆt›\u008dÂ.Âý[BÂ\x1bŠ\x05/\r»´YñS" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\FuncName = "\x1fIU\x05Zm\x1f\x18{ü „Hij\x02ï÷Z\u0081ë—¾½?\x1c±:" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$Function = "\x1a\x01¿%\u008f2\x19á‚ÜüRîñÙ©Ò\fÃûñÏê\x02¥\x10¢&" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$Function = "ª¾d°\u00a0¬îà\x1dJ”ñ”,ð°\x15Ÿƒ”_Û\x04ÝÁ\u008fõ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\Dll = "c7Ja{–ñ˜`&`à¤'”ј€»\x02¶¢I^ÆrC@" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "?@‰±\u0081c#sÄ)frL\a\x1eR\u00a0@G^\u008f&rôŒ\\±Ü" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "C\bìæþ\x1eè\u00a0(]<a@\x19y3¯¨5—z¼þ\ttcŒ&" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "¥åƒì/Ô·“\\áÎeE@7ïó€+\\Í\x16d\x185„~9" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "Kx\x19Z\x1eÊð\x1d\u008dÌ\x13Œüž`{æP2hÛ³\x1cöD!nç" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "™\rt\fæÀ-HÿÌ/\x1b\x1e\x17â&[s¨i«ÔNEïo\vI" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4\Dll = "÷t¬q\x18“qôLêU^ˆÍÅgf\x7fç¿\x17õ)¿x®˜¼" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "e›V·ôR¯ž" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "ĆùÚSˆ$geQ†ë™–9OÝS«‰Ã»½èª[òÑ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\FuncName = "ùã\u00adm³\x01Ð9w\x1eàv…f›úË(\x15¼»×\u0081ƒ“\x14‡Ã" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "CVR\f‹“\x04D;?¾ÁÉd\x11œ\x0f{—;" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "…\u0090¬ÎÛÓÿ.¶Ú|PV\n#B\x02\x1a‘ó\"ÐÅöT¬À\u008f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "Ò–\u0081â:\x02kš%,§éן*\x7f´?\x1b‹!ÓP!Db&Ë" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "Ÿˆ»\u00adf“\aGÿ\t#°—µbI87_º\x1dB\x10nn¡ô&" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\Dll = "ù™¯›\x11Fg\x19HS\x02–QJ;SX‰Ë”LËØ@/-BT" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "Qr·jX‚vXlÑ„»\\ÙôJ)¨Þl¥\x132„ï\x0e90" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\FuncName = "\x18Ü($_\a9ÅdOa\x7f/" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\FuncName = "D†YŠ!Ç¡t" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "4Ë\x01ã\x1bx„àí”»øKµŸe¶ƒ•\x16yÂXSãa…N" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{000C10F1-0000-0000-C000-000000000046}\Dll = "Ò¼H½ç-*\x16J œM•bz‚³¼?\u00a0áõPã\x1fï\x182" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "ÃÿXk²>ÎÃ\x15ë\x1dŠcõ\x1aåñ¡œUïîp'Ú[\x1c\x13" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = ">Qh£s5ƒ¼\x11oô(9öÝ$eºoÆ-}ÎêÕýNÕ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$Function = "—oÿ\aä¨]Í“•ˆ\u008fâ\x10Ésž5\x05>\x02Ú%\v3Ù" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = ".mÀú&g&ö\u0090žå<g;´›\x02õ¡\x1e2‚eBY,îÊ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\Dll = "8\f/4+Ø!çáÀ¥¢\u00819\u009dº µ¸Í\u008fàC€€:¬\\" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\Dll = "çH¡¡›O\a\x0ewÎVDÍ\tõÜJÈÉ¥¦ªÉ\x18\x0f8\x1f\v" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\FuncName = "¶\b4+®”n8xUtæ?(pÌdªÝŸ\x03ñ\x03Y\"sÎÈ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "ÖXN¿¡Ý\x17ÊŒöióBE6\x7fôOÓ™\x1eÒk\x1b:õ@é" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\Dll = "8€x¼‰aD\vç'+¿ûó\v»À©:¶ö›w Þˆ(þ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "\x0eJ¬ä·†CûEkÔ´¤\x1aµ\u00ad…ŸÑ¼×ª¹X‚6Æ\x14" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "\x18¨:n³yJÅ?²\tõÖÆæ\u0081±Èç¬íS\x19˜øË&9" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "\x14WM–ÚøZº×ŒU7áëÀ\x02\x18\x02–µÿÇ\x15â\x06é‰?" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "S\x12\x02\u008dÌ z\x0fÇÔÕÍ\u00adâû+O^önÐòz!¦¨ÊÓ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "Ûj̳úAqüL=J(\n\x03\aF¾“«Žœ\x1dTd\x16î_ž" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\FuncName = "‡³Ä_+÷£m…Ù6~\x03‡ææÛÞÌïà}þ\x0f\x1dþ]…" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function = "üJ0ã£\x01—€GIgg¸—j<¦\x7f9\x0f좷¥ËöŠ\x01" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{6078065b-8f22-4b13-bd9b-5b762776f386}\$Function = "Ç´~\x0f¯}(\u009dV+\r\x10¤á³hÆ,¯‘ vt-\x14·Òn" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = ":ºêA\x11È´7Yß\f\x16\x04™H\x0e\x15¾\x05\u008d\n´\x04\bé\x1a)ˆ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\FuncName = "¹Ê32œ-\x17ê½ð\x13\x10Q‚›\x1bnGT2AÊ\x1e¡úz»" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "\x18b3¬\x16ÔW–«»”ЇÈ2=‰ˆØ‡\u00a0ä¢1b" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "dQÃÑÄ.L»A¤\x16ôÁÿ\x02)×\b\bÛLÄ5æp;rF" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\FuncName = "\r‘I.¨wO\x03™vßöѨYj,€{‡ÌD\x06Q\x16)—´" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\Dll = "…~\x1bxº:q\fû´\x1a‚\x03½\x18Á¾Ã-ú_4œ\x15·Ðþ\x0e" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "I\x1aA‰¤Ú\u009dG‘\u008f=\u0081‹§]ÌB7RUúWhRyÏÓP" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "Ýh\x16ü<>ò¯¹o4÷çÝó£\u009dö–'‘\x18\u008f©Aîþí" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\Dll = "%Vˆ\x11ü»ú:Š›\x06Îwì\x11¡\"Óp¹7l`\u0090º¹\x02þ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "\x01î{Ùåû+\u00adOY?|¤¡Ì\x19f\x05æÚœU\x1e5ºàRç" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "»E?'ø[â¥SG2\u009d-K\x1aeú\u0090òüÛ^\x16»¦eDÚ" | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies AppInit DLL entries
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ = "[f\x13vHŸéV·=œmÜ\x1cK\u009d˜‘³ÁR´ÃU¯çÓ”" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ComponentID = "@¯}siÈò=Oh\u00a0\\¸÷|<¶:Šâ˜šÌôŲy\u008f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Locale = "3‰ç:\x05§gçu .°ðÿÞßÌž«áDùÀ¸ÞóuQ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ = ")XúÊ@ô‡\ve½è|¢°\u008fÂ+A\u009dqG+Å\u008d¬õ¢'" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ComponentID = "\x16Lá'Ç%2ï>Un&Ü\fnT~ÓÍÀ‘é9¦\x1añlœ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\Version = "…ô8¸4‘+\x1a b0»E˜y\x12\x1f\rñÑ\x06ê„×t" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "\x19þjýJjÇ\añš\fÂŽà4\n~Nx#ü¤Sz”˜0^" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\KeyFileName = "2iWµŽ\x19Ñ: iÿ@?’@]ï¡—Ö#+\aHjœ0\a" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ = "&ø²ø]\u00a08ùŒˆmMè\u009d‡oŽ\x1d€³Ä¸Ä·3=ÔÎ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ComponentID = "¨\u0090ùÇ\\“§\vºØŽàPÏP@\x17e»\n\u0090\u00ad§; \x1f¿l" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath = "Bv9`rZ&†\u009d_r" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "0j˜ª)‚s±`Ô:èRø(\x10}ÓvrÐEU\x14»Eì¾" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "R9q%#Ä’O\x13" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\LocalizedName = "ñ‹Ž\x1bÙU’3±p»‡\u00817\fDg…‘ù\u008f¡:Åœ\x05ʨ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\StubPath = "\x7f\u00a0a\rfÒ²ôïý(\x0eþ\x0ft\x03E\bJ\x16¢)†\u009dòUd§" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\Version = "\a<ý¶êk6£ôʨ*\\\x11êá\x106\x02%Ñ'éPмv?" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ComponentID = "ë}¸*µ>=ˆió\x1a.¹Z1·®ç\x16+'û^’1¦\fõ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Version = "ñ¨bK\x1cH‰R\x17y:ÕÆ\bäÍ£3ÃØ!äh°¦–‹»" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Version = "\f3›\u0081ckªF\x19€\x03\x17%¢ËÙS‰Ó¼\x1cnÚù‚îî×" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ComponentID = "\x1b\u008f`Á~ŒÌÇì¢,=@|\\Dd½·\x03\x10Å©ýúÃ\n¸" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ = "\x0e¿[!vójÀP4ÔßΆÃ\x7f\x1av$\\úå$÷é|\u00adË" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\StubPath = "-\x18ÖǤ]" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\ = "\x13¥þê\x1bg‰\x01PWÍŽ\u00a0‘\x1bºâîèÞuªÁ-©¡‘ÿ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ComponentID = "†\u0090êÄ\u008f“T4\x1dÒÀ+¥¬\vt¯wždDVÁÑxÔô³" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\Version = "\r\x7f\x1d\x13¨µosn99áq§û‡Ç\u00a0óã\x06íqÂH\u00ad}\u00a0" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ComponentID = "\x1a°ÍÙIŽ\fzQ\u008fJî’;2\x1aìØ`m#É>6D{®." | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Version = "FJr\x1cÝ\u0090¸Ü»aØÑ\x1eå\t¼J¥àS:V—\x1e\bz\x19\x0f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ = "zñºVò86¬9g\x0f5ÿÕÍ1X§ìA9¶6Å«\x7f[H" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "¡æud4ßS4eÌ\x01^\nMDOQ¥\x17b\f{Q¾Q°Pá" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version = "!ɆOÉ‚LS7¢î%!³d\x16Tïw\x1cÃg4¬°lúw" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "\x1c¹û~#NÓb~oÒn¾1™èÌ&„0\x1c_\x03H\x19\x18+œ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\LocalizedName = "‰ùñBà\t;YÐTø\x03q\x12u¼Õ?M\x142˜G®fòa\u00ad" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\ = "Tàënsó±®8G‡¡)‹\u00a0Þˆ\u0090ù6÷’õ0mœlÈ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Version = "‘EÕ\x0ep…·NGä€Yĵ“\x1e]}\x05$\\bb\u0090Ùäh\x11" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "\x16¶2Ð46ÍÐ\bëÏų²©[0.¼U¹\x0f”;Žÿò)" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\ComponentID = "¿Kþ\u009d¥æ[W4\u00a0X1÷û—Ú|Mæ,\x04rjeÅØ•¿" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\Locale = "à/ÃÑËîó‰üNay,ß\t‹É_¶!^Hᢎ’Tk" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "\t•Õ\x19º\u00ad³0n¿È#†Ø/ð<Õr«ŽŒ ‘ñ¡Gµ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\Version = "@Ã\x10®ÙLìE\u0081Ë m®\b©‡}½" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Locale = "ò#ýò\x03•…\x125áåi\vªTŹù2þN#gu¤.K«" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = ">\bvFŒ[\x06Kþn›¬\x10\x1cÚ\x15\"Ÿp“\aüÉ?·=\u0090x" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\Version = "TbyrL\"jùÏ&æ½éàç\x01\x02M\x17æ>#D^\x15Ì1Í" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "æs\x05„%ü{5:,\x1aç\bSûg¨¤½ì“Õs(ÎH\x1b0" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "\tJž`\";a&\x11\aµ2õÿ>Ó\að<\x1e…À€z\x11ˆ,\x7f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "÷oo+°=––á'NòÛƒ\x1cNk|°\u009dB˜ò`ï7}¸" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ = "š\x02t?ýƒp8o\x04qÇd-‘ð™\x18á\x7f\x0eLK\x17\u00ad\x13»¬" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\ = "¯‹§MÍ\x1cÙ\x0fË5ÀÐ\x19½\x17Úð€±uþñ\"„C5\x13c" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "Y´•\x05QA¢\rœù\u00a0“\x13Û+ºYÅK\u0090Ñ" | C:\Windows\SysWOW64\cmd.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0\FilterFullPath = "«(«’ÿZµ£´\x14haQ.\r\x0f]\b,õ¡a}\u008dYöcÏ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2\FilterFullPath = "™\vðm6'ºÛº£‚çA®]Uä\x11ªõû\u008f‰Ëè5\x15\\" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0\AppExecutionAliasRedirectPackages = "ÝÒh¡p!)\tÕT>›Ã=‡\x11pǃ%Bcö\x01x@ì1" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1\AppExecutionAliasRedirectPackages = "þ¶äw¨=\u008flölËh‰\bʬÛv¹d\x176šð%7Ü\x19" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1\FilterFullPath = "‚v\x18¡\u0090B¢(¢\u009dg\u00901ì_ñH?üEWi*Ç\x0e\x15ç" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2\AppExecutionAliasRedirectPackages = "¢L+¹”™\n3\x1e\x14‹Yª0-(X—¡è\u0090\x1a˜ê¡_H\x14" | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\Geo\Nation = "j‡m¢On\x19c[\x0fd\x13ø&g9\u0081\u0090¥\x1f\nK\x1cΞ£ÍÖ" | C:\Windows\SysWOW64\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "ÈŽ&w8Ro\r¦N*\x0f\u0090È’zœ\u00a0\\\u00a0R[\x0fS;%;h" | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "j¥œÉ—\x11oßÇ–Õ\x10u\u008dÖ×\x11ÂÃpðt\x150XÀAë" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "<Jå\u009d3${!\f\r·Û(A¥œŠ\x10çv\x04\x0e$txN†\x06" | C:\Windows\SysWOW64\cmd.exe | N/A |
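The trust-provider and SIP rows above (`Cryptography\Providers\Trust\...\$DLL` and `$Function`, `CryptSIPDll*\Dll` and `FuncName`) are the registrations WinVerifyTrust and the SIP loader resolve when a signature is checked, and the Active Setup `StubPath`, Image File Execution Options, Run, UAC-check and Browser Helper Object rows are the load points and reconnaissance the sandbox tags. The Python below is an added example, not part of this report or of any sandbox's own tooling: it parses table rows in the format used on this page, maps each path to the mechanism and ATT&CK technique it touches (that mapping is the example's own assumption), and flags trust-provider registrations whose data is not a plausible DLL path or export name, the condition every Cryptography-tree write on this page meets. The sample rows are constructed from key paths above with the data shortened; the `WINTRUST.DLL` row is an invented benign-looking entry for contrast.

```python
"""Triage registry-write tables from a sandbox report (added example, author's assumptions).

Parses rows like  | Set value (str) | <key>\<value> = "<data>" | <process> | <target> |
(plus "Key created" / "Key value queried" rows), maps each path to the mechanism it
touches, and flags trust-provider / SIP entries whose data cannot name a DLL or export.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RegWrite:
    op: str                    # "Set value (str)", "Key created", "Key value queried", ...
    key: str                   # key path without the value name
    value_name: Optional[str]  # None for key-only rows; "" is the key's default value
    data: Optional[str]        # data as the report printed it (escape text such as \x1c kept as-is)
    process: str

    @property
    def path(self) -> str:
        return self.key if self.value_name is None else f"{self.key}\\{self.value_name}"


def parse_row(row: str) -> Optional[RegWrite]:
    """Parse one markdown table row; None for header, N/A and non-table lines."""
    row = row.strip()
    if not (row.startswith("| ") and row.endswith(" |")):
        return None
    body = row[2:-2]
    # Split from the right: written data may contain '|'; the process and target
    # columns are assumed never to contain ' | '.
    try:
        head, process, _target = body.rsplit(" | ", 2)
        op, indicator = head.split(" | ", 1)
    except ValueError:
        return None
    if not (op.startswith("Set value") or op.startswith("Key")):
        return None
    data = None
    if ' = "' in indicator:
        path, data = indicator.split(' = "', 1)
        data = data[:-1]                          # drop the closing quote
        key, value_name = path.rsplit("\\", 1)
    elif op == "Key value queried":
        key, value_name = indicator.rsplit("\\", 1)
    else:
        key, value_name = indicator, None
    return RegWrite(op, key, value_name, data, process)


# (needle in the full path, mechanism, ATT&CK technique): the example's own mapping.
MECHANISMS: List[Tuple[str, str, Optional[str]]] = [
    (r"\Cryptography\OID\EncodingType 0\CryptSIPDll", "SIP provider registration", "T1553.003"),
    (r"\Cryptography\Providers\Trust", "Trust provider registration", "T1553.003"),
    (r"\Cryptography\OID\EncodingType 1\CryptDll", "CryptoAPI OID function table", "T1553"),
    (r"\Active Setup\Installed Components", "Active Setup", "T1547.014"),
    (r"\Image File Execution Options", "Image File Execution Options", "T1546.012"),
    (r"\ShellServiceObjectDelayLoad", "ShellServiceObjectDelayLoad", "T1547.001"),
    (r"\CurrentVersion\Run", "Run key", "T1547.001"),
    (r"\Explorer\Browser Helper Objects", "Browser Helper Object", "T1176"),
    (r"\Windows NT\CurrentVersion\Winlogon", "Winlogon", "T1547.004"),
    (r"\Policies\System\EnableLUA", "UAC status check", "T1012"),
    (r"\Control Panel\International\Geo\Nation", "System location discovery", "T1614"),
]


def classify(w: RegWrite) -> Tuple[str, Optional[str]]:
    path = w.path.lower()
    for needle, mechanism, technique in MECHANISMS:
        if needle.lower() in path:
            return mechanism, technique
    return "unclassified", None


# Value names that tell WinVerifyTrust / the SIP loader which DLL and export to call.
DLL_VALUES = {"$dll", "dll"}
EXPORT_VALUES = {"$function", "funcname", "callbackallocfunction", "callbackfreefunction"}
# Assumed shape of a legitimate registration: a .dll name, optionally with a drive or
# %Var% prefix, and a C identifier for the export.
DLL_RE = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z0-9_]+%\\)?[\w .()\\-]*\.dll$", re.IGNORECASE)
EXPORT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def check_trust_entry(w: RegWrite) -> Optional[str]:
    """Flag a Cryptography-tree write whose DLL/export value the loader could not resolve."""
    if w.data is None or w.value_name is None or "\\cryptography\\" not in w.key.lower():
        return None
    name = w.value_name.lower()
    if name in DLL_VALUES and not DLL_RE.fullmatch(w.data):
        return f"{w.path}: DLL value is not a DLL path"
    if name in EXPORT_VALUES and not EXPORT_RE.fullmatch(w.data):
        return f"{w.path}: function value is not an export name"
    return None


def triage(rows: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Count writes per mechanism and collect trust-provider findings."""
    counts: Dict[str, int] = {}
    findings: List[str] = []
    for row in rows:
        w = parse_row(row)
        if w is None:
            continue
        mechanism, technique = classify(w)
        label = f"{mechanism} ({technique})" if technique else mechanism
        counts[label] = counts.get(label, 0) + 1
        finding = check_trust_entry(w)
        if finding:
            findings.append(finding)
    return counts, findings


# Constructed sample: key paths from this report with the data shortened; the WINTRUST.DLL
# row is an invented benign-looking entry showing what passes the check.
SAMPLE_ROWS = r'''
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "²µ¶\f/•[ÍHŸ@/k\x1c˜" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "ð\u0081>\x1dø@T÷V" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\StubPath = "-\x18ÖǤ]" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "ÈŽ&w8Ro" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
'''.strip().splitlines()


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_ROWS)
    for label, n in sorted(counts.items()):
        print(f"{n:3d}  {label}")
    for f in findings:
        print("FINDING:", f)
```

Run it as a script for the summary, or pass `triage()` the rows of a complete report. A flagged `$DLL` or `Dll` value means that verification step can no longer load a real provider, so Authenticode results on that host are not trustworthy until the `Cryptography` tree is restored from a known-good baseline; the plausibility rules only catch values that cannot be a DLL or export at all, so a hijack that points at a real attacker DLL still needs a baseline comparison.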
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ProcessGroupPolicy = "aç’8Ù”¡Š2JˆLÆ@KÃÒa ”\x16ç*ÐéÍy_" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\PreCreateKnownFolders = "œ\x19ǰIpse\x10RŽ«\x1dþ\x10Ý:¿›ç¤2m\u008f\x1b€Ù·" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ProcessGroupPolicy = "/We»\x1b†\x04¾¤9îÿ¡\\XÓ‘\x1c—³\x1e\x1eá¨V\u0081\x03\x06" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\ = "1µuiE%”\x03'ôé\x17\nÂÈ1È\x05u\x1e€(hÚZ,\b‘" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ = "\u00ad.ürj*lçÕ\u008d\x0f_€Ã0RBt\x1dó²\bØ\x030†òë" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DllName = "[\x1bKk¬À\rš\x19œs\x19\u009d™EJöØ-$ÃCpÓ}\x04\x18\a" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ExtensionEventSource = "sgÓ‰ãVÿS0yù[\u00a0\x01Ã'ÔÒh”°`Ê\x02\x06Â\a1" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DllName = "•ú\u00901BS£Œ—dŽóM‚”¾" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ProcessGroupPolicy = "µO\x18ûGXÅÁ1 %¶³¢·ÿ\tü\\D*…\x11ÒÁ‹ˆW" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\ = "ó\x0f|ÍD\u008dwža1Rõ\x1b„0ÎçQ\x1fôl<\x16T·!{ƒ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\DllName = "\x05€þE庆Ë}7\x05”søAÛ\x15Ä\x02u¥¯“ŽT\x7fLK" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ProcessGroupPolicy = "þÍÊo¾‰÷INµšh$\açÆäSe¸™×kG`¶]ž" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\DllName = "ÿ2\x7fª\x1ad”JZk" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\ = "#q\x13—vîVE¢$˜†P¤oVöxÚ›,@®\x12Ù" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\DisplayName = "\bÝeõ±+xÉ\ro\rù^\x15\x17ámkÄú\x1dsÄ ‰SdÌ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\GenerateGroupPolicy = "·³œB‚\x19\x14—\a¬¯B\x17'\x19ÛÆÉÄ\x1adƒï‰‘¯ S" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\DllName = "iFÐ\x17\x1f¯4áÕzÞm`\u0081øn^¨ZÊÒq¯\x0f\x15!ž¶" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\DisplayName = "\v\fˆo‰í[w¾ùÖÑ‘\x1f³\x1d\u008dåw¼}~\x02áHËü¥" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\DllName = "ª…o•fè\u008f\x1a%\\\u008d7œgI&”a¹\x02L~èÍ\u008dv>Ø" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ = "\x18^\"q,ínk§Çä€\u00a0¢º¶\x1fÈâ(\x11ëâXgƒ“Ì" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\GenerateGroupPolicy = "Mê‹÷4Z\x10ߟ€0\x143\x11ª£Œ‹Ï.x¼Rå£B¸_" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\ = "&\x12I?DM±\x05òe6\x0f\x19\x11)¤mŠ÷?¼´O||0'%" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\DllName = "\fÉÄáÚ\x05(\x17èÅsŠO–×¾\x0fç–œº¼w\x06\x06 %ª" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\GenerateGroupPolicy = "„\x03Æ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ = "\x131‘ḭ’¿Çìóµ-@ê\n\u00a0þ‰ÇÅ’Å\u009dífþà" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\EventSources = 5800ba00dc02010001005900bf009d00eb007800a30006002800770038007000ff001300fa001000d900142008003a00d200d8001a00420000000000 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ = "½ƒ¨áã¦\x11xhj±ûvØÿ\x14ZÐ\x1dq\x05¦S•\x0e(W\x1b" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ProcessGroupPolicy = "›]Íìbã9Ün¤+xEûžóå\b̯4®‡É1ù\\Ö" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName = "7“‚ät\n³Q\x0f\x03é(\x1bä¯ê\u008dý\x0f¯Ë¶h0šQzv" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{2A8FDC61-2347-4C87-92F6-B05EB91A201A} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\ProcessGroupPolicy = "\x05º0²\x14oØ¢\x0f¤®J‹qˆ¨q%þì0¹Ú0ؼ\x18õ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\DisplayName = ";`7šîëý;ˆ¨‰I•-WÕ\rbô³Ù\x06ïŠ\x16Ÿ-·" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\ProcessGroupPolicy = "q¤ðÇ^\u009d˜€ÌÄ\u009dZ\x17¶ÂÇ\f\x0eq'}@Ÿ.—p/B" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ = "\nöÐ@Øä®ƒÃãpŠ\x03ƒè\x19\\]W†\x06sÍ£Q¨p¤" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\DllName = "\x10ãtÝ.˜Ú_¸È^NXzÆúO\x1c\vÅö\u00a0à€¯:†]" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DisplayName = "T¹\x1fO\u00a0\x044 Ù'\x1bL§.i4V;øF\rú²!ÿÕ$2" | C:\Windows\SysWOW64\cmd.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\WallPaper = "y=ž(Û¾Ú›ÖŒLλíþ+Ï0/ÍKáÚÐTøŠ;" | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4684 set thread context of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4684 set thread context of 3744 | N/A | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4684 set thread context of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4684 set thread context of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4684 set thread context of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System.ini | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\StickyKeys | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\RightOverlapChars = "äKš\f¾ÙrîKj0Üó\u008d0½»à½‹“)J¿hô}\"" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\WheelScrollLines = "\u00a0œ¯hð7š$ÅIâÛ`N3›\x7f¢Rÿ,z܈q‹6ý" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Colors\InfoWindow = "Ž\x1e?Qz:\\Í„¦™\x06\x16òöѾœñ*ôloòxÙ\x17{" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\sCurrency = "åsïA’–”Û!Y÷¶A€C|üèù\x1aHº~kŒÆfÎ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Mouse\DoubleClickWidth = "ƒ…餅\x11×7âµ\x17\x17èÖh\u00a0’Ô‹e=å!\vh•\x14\x1e" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\PowerCfg\PowerPolicies\1 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\Keyboard Response\AutoRepeatRate = "7\u0090¶\x1ev‡ÏSÖ\x12z63îQ¤4)o³\nô+´Ž«¨!" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Appearance\Current = "àïÜ\x0e3\"žf\njÞÁ\u00905A\b\x01ŽIì±c\x1eØ·xMü" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\PowerCfg\PowerPolicies\4 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Colors\ActiveBorder = "“Úÿ]^\u009dB\bN®Ü\x05~z™[í|ËGàóýg+\x1cêŸ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Input Method\Show Status = "¾|<)IOdM\\\x03DKfÔ`pp\u00ad÷¼¦DÎpËÌØ\x1a" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\sMonDecimalSep = "ÏÏ\u00a0VõÕ¾é|\x18’\x1d¡\u0081W\x1d@턜Je\x1ba¡ë€Š" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Colors\InfoText = "}©£)Ë\x1b\v¦ý€Î\x06áLô\x13Cï\x01+Ì" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\WindowMetrics\MenuHeight = "Ñ‘ÂA0zM–Æ}yîs\x01„\u00a0;Ùâ\nûƒ»…×ç_Ö" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\WindowMetrics\ScrollHeight = "(Ê’KÛséR÷®_qÎ6€a°\roâïFÐ*Ú\x19\x060" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\PowerCfg | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\TimeOut\Flags = "\u009d·7âÖЫèiÂE½aÃ9Qà@\x02ÛÃí–>;\u008dð" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\DragWidth = "Q\u009d+î\u0081ã\x14Äo‚b\x18qiˆ0•I7èúØ4¾:UX›" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\iMeasure = "V…¼GK\x0e\x03ã\u0090\x1ež\x18HíEÐ\x05uÐh\x7fŸ{\u00a0V¿\x19—" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\PowerCfg\PowerPolicies\2\Name = "ŽŠº\x15\x1a\x1f}P\tÿ9+R:\x12(7\aZ-êp‘àðSñÎ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\Blind Access\On = "qi´íˆ\x1bIì\x1f‹oÕËL\u008f\x12\n\x19ÿ“×AºçeM…¥" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\CursorBlinkRate = "¾ÄÀR›L[)/âY¯ÒiždCøY/\x14ºj¼0¯\x01" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\sList = "U\x7f$µõ£]š5Á\x06¼\x05Ô\x1fàÝÀþ®ËnzW¥O˜é" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Colors\ActiveTitle = "@EØÏ±GÖ1¡ÇµAµÎ¸¯" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Mouse\MouseHoverHeight = "_Ž÷á¦H\x15%Þ:³¡º˜I.î\x1c‚þ·ºå–^ë?S" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Mouse\MouseSensitivity = "¶$—\x05gsÝiØÃ\u0081\fu¹fRš4(\"5ê—ׂ…;¼" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\MouseKeys\MaximumSpeed = "r#ж;Èqž/\\î°Ü¼ÜÛ\x13tÍý[ìŒj\x1d%°À" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\SlateLaunch\ATapp = "<‚ƒŠ»hA=\x01^\x01\u00a0/ÍÔ9YrZ»`_3\x05ûôíã" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\PowerCfg\PowerPolicies\4\Description = "Íw|1(\x14¸\aÙP`êl’šê‚»’\u009d\u00adlÍ\x1b\fKÃÁ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\Keyboard Preference | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\Keyboard Response | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Colors\Menu = "cãóØ«\x189ÀW\x1eþ\u0081““Î\x01.\x1cêëýÍ\x04¦„MÍë" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Cursors\UpArrow = "° \x06™\x19\x14‚›—OŸÔТT_ñ\vIµy¶\fôûrv1" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\sGrouping = "¦(Çÿ\v\x062~\nÒ·¨öÙ•›‚{Þâ³n\u009dQ:T%ë" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\sLanguage = "rÅWf[H\x1cÈ\x11Ka\x1bF\x1fè\\«ètKŽ<xCÙ\x0f+\x18" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\sShortTime = "\x1a…sï\x10Sg8óæy¼J.ÕÝÛ\x1f›„c{þ\fñƒþÎ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\iTime = "\x016È]\x12\x0e)¿2‘\x7f>*€–¨—\x05\x03)0M[†…ÕSÖ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\PowerCfg\PowerPolicies\3 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Colors\GrayText = "\b\n»Ž\bžON\u0090yNÂ4¦Z7l¶\x10g¤\x12õ&¤kŠ\u00ad" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\MouseKeys | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\MuiCached | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\MouseKeys\TimeToMaximumSpeed = "Ð\u0090µÃº¨\x19•ÌnMˆˆ„îÍRfYÆtͳ͚\"3Å" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\DockMoving = "A\x16£¡Ý\x06¶¦\anä`Z£\x12ò}oKã±Þ„Õ\u00a0UUt" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\WindowMetrics\SmCaptionHeight = "*v\u00ad4\x063xé<Ü^üÂ)H¾Ûb\x10½6]\n„\x1e·l„" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\iTimePrefix = "ÖBx– ÂàÞ1‚©É\bãIïBÁ_\ræÞ†[›Ù\u008dù" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Sound\ExtendedSounds = "v«»\x1b—£ôu\x1c¾¾\x1apâ\x19\x17÷C–·Ðææè.ª\x05\x0e" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\SoundSentry\Flags = "\"aX\x06£\f\x1cÀ£.¢\"üzÑ´÷Wrò•\x06£Ç\r⸠" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\TimeOut | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Colors\Hilight = "ˆ³¤{°õò\x15\x03Û\u0090#â'8ZÌôG×e¿\x1f£è\x11úb" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Colors | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\WindowMetrics\ScrollWidth = "¥T\b'Æ2½Òä² `î\u00a0˜àlRö\aë\fdú\x18âS," | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\sYearMonth = "\n¼Îz\x1cê*Q{Š}naøÆv«\x11\u0090XDw;š€+•ý" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\iDigits = "\u0081ƒÊ\u00a0È,/ä±\u00a0Ú¸ØÉìЃÁ AÙÊãk\t\x02R\x16" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\Blind Access | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value = "pâÌ\x16:I¥ÌGk}q<#ùD²¡@Þ2f\a\r\bFÆ\x02" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Colors\GradientInactiveTitle = ".¦É$.LdÉp\x14ë(÷Šñ[n\tée4}WS åßJ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Mouse\ExtendedSounds = "ó§8/¿,«*¬ôžjñO³…ا71ö\x02ra\x7f'nÖ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Mouse\MouseTrails = "úâH@_AÔ\t¯Þâ\x14ø¨:û‘h¸ý{Në# ü‘Ä" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Cursors\No = "‡TƒD†oK”(Ú\x17K\x14®»\x17RK¿" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\International\Geo\Name = "[ÙÄ”ä\x1d.oN’5\u00a0·m\x18q¯éN%Ìâ\x17;¡\u009d\x15`" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Accessibility\Keyboard Response\DelayBeforeAcceptance = "ü\x18\aæXÆ;@1Ò\u009d)ÿs¿\bm·\x1dô$>\x16÷mì¶\u0090" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Colors\HilightText = "[L\x7f\u00a0\x18¹ÉÃ9†dpN£\x1e?ƒS\u008d÷4\x04N£õ\u00a0[Î" | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\HOVER | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}\BlockType = "\x05,5mÑ\u00adñœK\vdcŒgzc\x11\x17ë\x10\n-sáÆó\b†" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F41E8255-3897-4cf4-AEC7-4F85171A0B3C} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{57F02779-3D88-4958-8AD3-83C12D86ADC7}\Version = "ºåùái½Y¼ë@Ö\x01!\x15ÓçÈp¿cø/ÇDË\x14R·" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ToolTip = "\u0090›\x19H\x1e\u008f\x10\n\x19³\x19§´É5…ídv„Åš(\x19ËWNž" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08f24d68-9087-4b24-81ad-7b34af3e3ed5}\AppPath = "ß÷ Ö¼ááTݽËz\x13‰-\"ú¾ëåL’Œö©ð[›" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\JIT | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\ThirdPartyCookies\WindowClassesToNotify = "ê-¿¹LS\x11鞎ÂMú\x1aU·Dµ5Ñs1\x18œ\x1b‡hÈ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{000D51DD-18E2-4D85-919A-10E3746C3F1C}\Version = "Ÿ¼nÒ$\"\x1eÈŒ\x12é‰Ê0d\x0e€—¨\x06m\x18?\x0e\x06ö\x14†" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{57F02779-3D88-4958-8AD3-83C12D86ADC7} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS\USESWRENDER | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}\Version = "‰£š(t\x14|sJd)?™\x10—íw»rî?.ƒÖ6\x18n›" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Suggested Sites | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\AlternateCLSID = "VïÁ¹\x13s…¡…\x1c\x02½iL#²å¿v\x01Ã}š\x18Hšaí" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\Type = "\x10LQ¾æ¿ƒæ\u00ad`¼\bA©\x0fQ$LÛ\n8S{~d\u009d½ö" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{7778AA60-698A-41D9-9BF0-7AB41045AA7F}\BlockType = "V\x7f)M\aP$åsçÒù†–K¾r’3Pð!NIÉ×Èy" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\MenuText = "ǧÆñ\u00a0|¢\u008d\x1c\u009d¶]Ú5¼\x1e/vcõ·fÿ\x15\"˜o“" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "ÛÜ\v\u00ad\x05¼éûEL;EŒ²p\x17•\x11>R\\òËŠ÷\a}\r" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A411D7F4-8D11-43EF-BDE4-AA921666388A}\Version = "º}\x03Ò¾x¢ÁÖS±5°ÑÌn\x14î+Å7ä„L\x15ožÑ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\DllName = "\u008dÆ¡M9\x1b¡eë+<=˜Þ%\x036\u00a0Â…\\Q(\bÜR×ä" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MkEnabled = "ŽÇ\u00a0ÐÊÍŽ¿¥\x1cg.÷QŸè¤8a\x12þ6\"\x15\x16>æ\x12" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CHECK_SIG\RegPath = "Æ\x15ã<´E\x1dÅ4Ý2ªb\tØlT\x13Ø:õ™E‚=Ê`[" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\NEGOTIATE\RegPoliciesPath = "ÂCEóÙ)\x0eû!TËÛ7À$\x1eƒub\u009d\x1d[p\x1a\x02½çŒ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\RUN_INV_SIG\ValueName = "B\u008f3-ûi\u009dWÌ\bž\x1fÌû…€Hò\x05R¤ê©·„–^é" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A411D7F4-8D11-43EF-BDE4-AA921666388A}\CompatibilityFlags = ">\u008fjÜ\"ãyäþ\x03+\x1cÚÄãw#\x1cÏB0A¸Â\x0f÷(\n" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B8E73359-3422-4384-8D27-4EA1B4C01232}\AlternateCLSID = "¶ÔP³)ú\x12V¬¤?â\x12È\x01{x,4-\v\u00a0Á1(°„¦" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_INTRANET | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{70f641fd-9ffc-4d5b-a4dc-962af4ed7999}\AppPath = "FP\v\"ì}WœëùÑX\u009duaKæ‚V]=B«]¨¿ÚH" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{619C4601-855D-4004-819D-62EF5AC5FE50}\Version = "ÇÕ@K¾Á'¡t£.\x05\x1aNf9“Mÿ‹\x0eRV‡#¨‚¦" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{AF949550-9094-4807-95EC-D1C317803333}\FWLink = "\x0eÄ3¤·q6Ðû”æ>\x14|`Ý\x17\x17‡ÂÇ¥m‰øéƒÄ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}\CompatibilityFlags = "&p涯\u008f\x11Z" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSLREV\RegPoliciesPath = "5@®—hêºáôa§>ø,ÞÍYÊû§¦{+ÏØEGA" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\XMLHTTP\Type | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8_URL\PlugUIText = "k\u00a0\t\u008dW\vó\x01!þxJÚõ\u008f™ÇÂ\x14oxDJÀ—æ\u008dà" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{258C9770-1713-4021-8D7E-1F184A2BD754}\Version = ".š}›K\x1bÄ•ˆ\x11:,”úB$\x188\rÈ\x12\u00adšì7¡mN" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}\CompatibilityFlags = "…د½èQ\vxÀÛQsK\aýý;¶\x02\u009d/X¡Z3‹—Z" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash = "\b\x12±á/²1œ1ÔÔÇ™\u0081ÞlnìL\u009dTšæt×û$ü" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\International\Scripts\22\IEPropFontName = "¡UL3‚\x12¿†àL¸„\x1b\x13\fÝ\x1b\x1f“ä0ãë$¡\x15oŒ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\PlugUIText = "{!\x0f—˜_\x0f¤ž\x15hg¸†¡ØBÂx|œ³&\x16\"k/b" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\PrivacyAdvanced | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\StartPage | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{57F02779-3D88-4958-8AD3-83C12D86ADC7}\DllName = "ô°ì€&Uãsü\fËt\u008f<+r+6RzѺ\x1c-\f–D\x16" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Document Windows\Maximized = "{|ÈäÄ\x19dëløEK×¶%êù=\x04\x03xxù\a?\x19X3" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV\Text = "9ÍìC\x11ðMÌ\tœ¨í\x06ÌÄsç˜8™\x1a.<×è^ŒÂ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{09AF76DD-6988-4664-97D0-362F1011E311}\CompatibilityFlags = "\ag\x1d\rf\x18dþ^" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{3EB9C349-7473-48AC-A59B-42F31751974B}\BlockType = "\x17\x1c'-\x03]abèo\n\x7f\x7fsò@kèÆ4ÙÍDb\x0e.DŽ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{92085AD4-F48A-450D-BD93-B28CC7DF67CE} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{F5BEA1B9-FEF6-4093-846D-753C42A1B00A}\DllName = "äR\x15é\x05\x1e7 âGÓ$ø{„@)v×?ýÞ?\"eAªý" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8DCB7100-DF86-4384-8842-8FA844297B3F}\BlockType = "kWMP\x01>§¶ƒoø¶W'Ü^þ!…Ëj{^½^\x12¶\b" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppName = "C\x14\u0081v\x10wÜ\v™\u008dÐx\x03Ág’¸”è§Žé’\a¹†È\x12" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\Show_URLinStatusBar = "~\u0090\u0081†£]¹\x0f\u0081B\x16Þ=zølÄ\x17\x1c¦aiÛ\x03l3â\x13" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\AUTOAPPEND\UncheckedValue = "‘}“\x7fCè;ç\x15ø\x01\u00905{¨3k{çV:±å_‰%\x14'" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NOTIFYNOTDEFAULTBROWSER\PlugUIText = "=$µo\x0e*,d˜\u00adg\x11ïoõtô?M\x7fµU¨m›Ñ\x03S" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER\CheckedValue = "Û™-òØÊy&`eÓ\b¬m\x14º¦S‹`áÚâ÷É\u008dB¨" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{01E198E3-24FF-4602-9944-65E7B323296D}\FWLink = "\u0090:Éç\u008d Ó™SK,Ìz\x17Ÿª\x1dõ\aqŸJ“x´Sår" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\URLSearchHooks | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{77BF5300-1474-4EC7-9980-D32B190E9B07}\FWLink = "@…\x1dðnL51Ì&:žÅ4;‡NóHBÙ8\x1fñà/\x03:" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "2@É4‹uñ\u00a0’»\x05¥pÀ\ay\f\u008f¾v\x13–8—%¶šr" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\NavigationCanceled = "Duœy\x14æ˜Þ\u00a0n*ô\x18Ó𣵳ä\x17\x17\x06ˆ\x03\x16Yž\r" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\BLOCKMIXEDIMAGES\Type = "®ö\x06¢¹ß®´FEA„\x03µ…dØ›aŽÉTS/8œÖ”" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\RUN_INV_SIG\PlugUIText = "¾G2®ó5vÖÔ\u009d\x1e\rç*\aðe9.³¢\x01m\u008fß521" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2\Text = "4£B\x14ÜÇ!b•\x1aò;yý#Y\x12úz;½ÈæJAÛ\x1cô" | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "˜©\u00ad>Ç]¾¹ïTÓ:Óo…¹`\u0090\x1bñòø\x14ká[“‰" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "ãÓz×\x059}ôëp5åà-¹HV\n5\u0090\x7f½! –õލ" | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VeryFun.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing\CountryCode = "—º\u009dÀ…ÇyCûX©tøS\x1f„Ùg\u00a0˶·\n`ìôG0" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ÍÞÓª\u009d©4yÀ\nn\x16òt°dçDG‘vǹ@ÅM¹H" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "ÄÀ²\x18\x17KŒQ°I^*³a\x12BÏ¡ÁÃ\x0f\x15#Vz\x16ô[" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\ = "–\x10Åt\x1a¼\x19;°\x10Z\x1dÔ\nˆq)U'Æ×\\‰¶L\x7f\"&" | C:\Windows\SysWOW64\cmd.exe | N/A |
Processes
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\VeryFun.exe
"C:\Users\Admin\AppData\Local\Temp\VeryFun.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004B8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -UserConfig
C:\Windows\System32\ie4uinit.exe
C:\Windows\System32\ie4uinit.exe -ClearIconCache
C:\Windows\System32\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /FirstLogon
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7cea5ae48,0x7ff7cea5ae58,0x7ff7cea5ae68
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=2 --install-level=0
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7cea5ae48,0x7ff7cea5ae58,0x7ff7cea5ae68
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x248,0x24c,0x250,0x21c,0x254,0x7ff6dc9eeb10,0x7ff6dc9eeb20,0x7ff6dc9eeb30
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --migrate-edgeuwp-taskbar-shortcut
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb94e23cb8,0x7ffb94e23cc8,0x7ffb94e23cd8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 20.42.73.29:443 | nw-umwatson.events.data.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RGIEB17.tmp
| MD5 | dd4f5026aa316d4aec4a9d789e63e67b |
| SHA1 | fe41b70acbcba7aa0b8a606fe82bcfde9a7bf153 |
| SHA256 | 8d7e6cee70d6035c066b93143461d5f636e144373f5c46bc10a8935d306e0737 |
| SHA512 | 3f18e86d8d5119df6df0d914ebf43c1a6dadb3fdeff8002940a02d0a3d763e779068a682ee6bafe650b6c371d4be2e51e01759ec5b950eef99db5499e3a6c568 |
C:\Users\Admin\AppData\Local\Temp\RGIEB3A.tmp
| MD5 | a828b8c496779bdb61fce06ba0d57c39 |
| SHA1 | 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda |
| SHA256 | c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d |
| SHA512 | effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea |
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
| MD5 | 802a45170dfcd6f48c575c93902456cf |
| SHA1 | b6d26ccbb32aee5c17f57103f7244fa1a4ad9111 |
| SHA256 | 1b3172603138de664da041c2f3f4ee93b22e69155f66c8dd3b9eef1e1aa4b47a |
| SHA512 | 2968928dc36df6766acb7b26867682641fc51bd3a6f2a66d46e39d6c30fa5a20b32d870874c41fc6cf46a5210d55bcdc0dcf0a1db337fe00934ce06d0a453e93 |
C:\Windows\TEMP\Crashpad\settings.dat
| MD5 | f253896b9ddf47a15eb8932fdf7caf07 |
| SHA1 | 1b52ed22b1d9a9838ae183eb982d7a4bfb8a1304 |
| SHA256 | 046f7d44ec9ff7bd53a01226b5bb0425cd14ac6654028b1afebda035409082a2 |
| SHA512 | eb2e4bdebaa30d56de2ab5dd4eb21a4ba21b9047ccffc9455b5df3394b8cf7d661be2c1aede918a86225af961d05d8296a17832b06db48f410f73ba9fe696c3f |
C:\Program Files\Google\Chrome\Application\SetupMetrics\27d6e799-a7fd-4369-847a-03995b7f42c2.tmp
| MD5 | 6d971ce11af4a6a93a4311841da1a178 |
| SHA1 | cbfdbc9b184f340cbad764abc4d8a31b9c250176 |
| SHA256 | 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783 |
| SHA512 | c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 704d4cabea796e63d81497ab24b05379 |
| SHA1 | b4d01216a6985559bd4b6d193ed1ec0f93b15ff8 |
| SHA256 | 3db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26 |
| SHA512 | 0f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\199606c1-1d0d-491f-9131-74bc9d165d48.dmp
| MD5 | d98c0c75c630599b6ccb3e6466ea0119 |
| SHA1 | 22bdb39d42c036b5be1e994e5f4d6e342d35e4bf |
| SHA256 | 2a8e1bcddefb3929f5c97a5d37a830e37897273b7f8b88db790d9b5f0c372ac5 |
| SHA512 | d0747d96de7cfc7a9c4da41cf6e3ab17c71f85503c176a2f63af7ba8bc9b30bfb45ac76ea021d357fe0b165f776d3cc0bed12a52c5e7d3ee139a653f76a60655 |