Icon Overlay Handler

Veramine edited this page Apr 14, 2017 · 4 revisions

DLLs listed in the AppInit_DLLs value under the Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll, which in practice is nearly every program. This value can be abused to obtain persistence, because a single registry write causes a DLL to be loaded into most processes on the computer. More background on this attacker tactic is available at https://attack.mitre.org/wiki/Technique/T1103.
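A defender-side illustration of what a registry-write detection for this tactic has to look for, added here as an example and not Veramine's own engine or data: it scans constructed Sysmon-style registry value-set records (Event ID 13 layout) and flags writes to AppInit_DLLs or to the LoadAppInit_DLLs switch under either the native or the Wow6432Node view of the key, rating a non-empty DLL list or an enabled switch higher than a cleared one. The event fields, process names and DLL paths are assumptions made for the example.

```python
"""Flag registry writes that modify the AppInit_DLLs persistence settings.

Added example: the records below mimic Sysmon Event ID 13 (RegistryEvent,
value set) and are constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Native and WOW64 (32-bit view) locations of the Windows NT\CurrentVersion\Windows key.
# Values of interest: AppInit_DLLs (the DLL list) and LoadAppInit_DLLs (the on/off switch).
APPINIT_VALUE_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?P<wow64>Wow6432Node\\)?Microsoft\\Windows NT\\CurrentVersion"
    r"\\Windows\\(?P<value>AppInit_DLLs|LoadAppInit_DLLs)$",
    re.IGNORECASE,
)
# Sysmon renders DWORD data as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")


@dataclass
class RegistryWrite:
    """One registry value-set event (constructed, Sysmon Event ID 13 style)."""
    process: str          # image that performed the write
    target_object: str    # full path of the value written
    details: str          # new data, as Sysmon renders it


@dataclass
class Finding:
    process: str
    value_name: str       # normalized: "AppInit_DLLs" or "LoadAppInit_DLLs"
    details: str
    wow64: bool           # True when the write hit the Wow6432Node view
    severity: str


def classify(event: RegistryWrite) -> Optional[Finding]:
    """Return a Finding if the event modifies an AppInit setting, else None."""
    m = APPINIT_VALUE_RE.match(event.target_object)
    if m is None:
        return None
    wow64 = m.group("wow64") is not None
    value_name = ("LoadAppInit_DLLs" if m.group("value").lower() == "loadappinit_dlls"
                  else "AppInit_DLLs")
    if value_name == "LoadAppInit_DLLs":
        d = DWORD_RE.search(event.details)
        enabled = d is not None and int(d.group(1), 16) != 0
        # Turning the switch on is what makes the DLL list take effect.
        severity = "high" if enabled else "medium"
    else:
        # A non-empty DLL list is the persistence itself; clearing it is still worth recording.
        severity = "high" if event.details.strip() else "medium"
    return Finding(event.process, value_name, event.details, wow64, severity)


def scan(events: List[RegistryWrite]) -> List[Finding]:
    """Run classify() over a batch of events and keep only the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events; process names and DLL paths are illustrative only.
SAMPLE_EVENTS = [
    RegistryWrite(r"C:\Windows\System32\svchost.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
                  r"C:\Program Files\Example\updater.exe"),
    RegistryWrite(r"C:\Users\Public\installer.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
                  r"C:\Users\Public\hook.dll"),
    RegistryWrite(r"C:\Users\Public\installer.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs",
                  "DWORD (0x00000001)"),
    RegistryWrite(r"C:\Windows\regedit.exe",
                  r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
                  ""),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        view = "WOW64" if f.wow64 else "native"
        print(f"[{f.severity}] {f.process} set {f.value_name} ({view}) -> {f.details!r}")
```

The first sample record is an ordinary Run-key write and is ignored; the other three are reported. Matching both registry views matters because on 64-bit Windows a 32-bit process that writes to the key lands in Wow6432Node, and a detection keyed only on the native path would miss it.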

Veramine's detection engine detects instances where an application has modified the AppInit DLL registry settings. Here is an example detection:

For more information about our AppInit DLL tactic detection mechanism, please log in to the Veramine portal and review the Registry Writes detection category in the User's Guide.