a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
Size

98KB
MD5

a26e6798f6c74735a97ecba300b2945a
SHA1

7111433cba15ef9381278fbac15157772f7475b5
SHA256

a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36
SHA512

06f775dde85b069f758ff644cd13cdb0369a40a42fb78d4fcb7e0d2fb398ac08c47e49e2c9d7db40fdb69adc888758ace92bee68f79cdfb173458e287480ad9b
SSDEEP

1536:igYPhQXwIiPrrjThO+lUBrzCxry1ec7rUyj239au7538iJkZX/4p0N2N:FYP2XerzhOUxu/XUtauF8iJkZP4pn

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindWare\tb.vbs	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
File created	C:\Program Files\WindWare\淘宝-购物.lnk	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
File created	C:\Program Files\Internet Explorer\iedw.ico	cmd.exe
File opened for modification	C:\Program Files\Internet Explorer\iedw.ico	cmd.exe
File created	C:\Program Files\WindWare\__tmp_rar_sfx_access_check_240549984	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
File opened for modification	C:\Program Files\WindWare\Internet Exploror.lnk	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
File created	C:\Program Files\WindWare\tb.cmd	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
File opened for modification	C:\Program Files\WindWare\tb.cmd	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
File created	C:\Program Files\WindWare\tb.vbs	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
File opened for modification	C:\Program Files\WindWare	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
File opened for modification	C:\Program Files\WindWare\iedw.ico	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
File created	C:\Program Files\WindWare\Internet Exploror.lnk	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
File opened for modification	C:\Program Files\WindWare\淘宝-购物.lnk	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
File created	C:\Program Files\WindWare\iedw.ico	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\ = "╠╘▒ª-╣║╬∩(&H)"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\WantsParsDisplayName	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\LocalizedString = "╠╘▒ª-╣║╬∩"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InfoTip = "╠╘▒ª╣║╬∩╠╪╝█╙┼╗▌╟°"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iedw.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/go/taobao.htm"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\Attributes = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideOnDesktopPerUser	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideFolderVerbs	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 3376	956	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe	79
PID 956 wrote to memory of 3376	956	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe	79
PID 956 wrote to memory of 3376	956	a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe	79
PID 3376 wrote to memory of 372	3376	WScript.exe	80
PID 3376 wrote to memory of 372	3376	WScript.exe	80
PID 3376 wrote to memory of 372	3376	WScript.exe	80
PID 372 wrote to memory of 4860	372	cmd.exe	82
PID 372 wrote to memory of 4860	372	cmd.exe	82
PID 372 wrote to memory of 4860	372	cmd.exe	82
PID 372 wrote to memory of 2400	372	cmd.exe	83
PID 372 wrote to memory of 2400	372	cmd.exe	83
PID 372 wrote to memory of 2400	372	cmd.exe	83
PID 372 wrote to memory of 4972	372	cmd.exe	84
PID 372 wrote to memory of 4972	372	cmd.exe	84
PID 372 wrote to memory of 4972	372	cmd.exe	84
PID 372 wrote to memory of 5012	372	cmd.exe	85
PID 372 wrote to memory of 5012	372	cmd.exe	85
PID 372 wrote to memory of 5012	372	cmd.exe	85
PID 372 wrote to memory of 4708	372	cmd.exe	86
PID 372 wrote to memory of 4708	372	cmd.exe	86
PID 372 wrote to memory of 4708	372	cmd.exe	86
PID 372 wrote to memory of 3468	372	cmd.exe	87
PID 372 wrote to memory of 3468	372	cmd.exe	87
PID 372 wrote to memory of 3468	372	cmd.exe	87
PID 372 wrote to memory of 4660	372	cmd.exe	88
PID 372 wrote to memory of 4660	372	cmd.exe	88
PID 372 wrote to memory of 4660	372	cmd.exe	88
PID 372 wrote to memory of 4676	372	cmd.exe	89
PID 372 wrote to memory of 4676	372	cmd.exe	89
PID 372 wrote to memory of 4676	372	cmd.exe	89
PID 372 wrote to memory of 4864	372	cmd.exe	90
PID 372 wrote to memory of 4864	372	cmd.exe	90
PID 372 wrote to memory of 4864	372	cmd.exe	90
PID 372 wrote to memory of 4576	372	cmd.exe	91
PID 372 wrote to memory of 4576	372	cmd.exe	91
PID 372 wrote to memory of 4576	372	cmd.exe	91
PID 372 wrote to memory of 3284	372	cmd.exe	92
PID 372 wrote to memory of 3284	372	cmd.exe	92
PID 372 wrote to memory of 3284	372	cmd.exe	92
PID 372 wrote to memory of 4432	372	cmd.exe	93
PID 372 wrote to memory of 4432	372	cmd.exe	93
PID 372 wrote to memory of 4432	372	cmd.exe	93
PID 372 wrote to memory of 1892	372	cmd.exe	94
PID 372 wrote to memory of 1892	372	cmd.exe	94
PID 372 wrote to memory of 1892	372	cmd.exe	94
PID 372 wrote to memory of 1540	372	cmd.exe	95
PID 372 wrote to memory of 1540	372	cmd.exe	95
PID 372 wrote to memory of 1540	372	cmd.exe	95
PID 372 wrote to memory of 4384	372	cmd.exe	96
PID 372 wrote to memory of 4384	372	cmd.exe	96
PID 372 wrote to memory of 4384	372	cmd.exe	96
PID 372 wrote to memory of 720	372	cmd.exe	97
PID 372 wrote to memory of 720	372	cmd.exe	97
PID 372 wrote to memory of 720	372	cmd.exe	97
PID 372 wrote to memory of 4656	372	cmd.exe	98
PID 372 wrote to memory of 4656	372	cmd.exe	98
PID 372 wrote to memory of 4656	372	cmd.exe	98
PID 372 wrote to memory of 1296	372	cmd.exe	99
PID 372 wrote to memory of 1296	372	cmd.exe	99
PID 372 wrote to memory of 1296	372	cmd.exe	99
PID 372 wrote to memory of 1916	372	cmd.exe	100
PID 372 wrote to memory of 1916	372	cmd.exe	100
PID 372 wrote to memory of 1916	372	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe
"C:\Users\Admin\AppData\Local\Temp\a3d20573a47b6d41aa293989043810bbf8893b86742183e3f9e6952400958a36.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\WindWare\tb.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tb.cmd
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
      4⤵
      Modifies registry class
      PID:4860
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "InfoTip" /t REG_SZ /d "╠╘▒ª╣║╬∩╠╪╝█╙┼╗▌╟°" /f
      4⤵
      Modifies registry class
      PID:2400
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "LocalizedString" /t REG_SZ /d "╠╘▒ª-╣║╬∩" /f
      4⤵
      Modifies registry class
      PID:4972
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon"
      4⤵
      Modifies registry class
      PID:5012
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "C:\Program Files\Internet Explorer\iedw.ico" /f
      4⤵
      Modifies registry class
      PID:4708
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32"
      4⤵
      Modifies registry class
      PID:3468
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
      4⤵
      Modifies registry class
      PID:4660
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
      4⤵
      Modifies registry class
      PID:4676
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell"
      4⤵
      Modifies registry class
      PID:4864
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell" /ve /t REG_SZ /d "╠╘▒ª-╣║╬∩(&H)" /f
      4⤵
      Modifies registry class
      PID:4576
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)"
      4⤵
      Modifies registry class
      PID:3284
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
      4⤵
      Modifies registry class
      PID:4432
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command"
      4⤵
      Modifies registry class
      PID:1892
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/go/taobao.htm" /f
      4⤵
      Modifies registry class
      PID:1540
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"
      4⤵
      Modifies registry class
      PID:4384
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry class
      PID:720
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:4656
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1296
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindWare\Internet Exploror.lnk

Filesize
104B

MD5
b6090a24bad18a0205bb215cb1fd42e6

SHA1
da56e637a186333e1fa8401b9600e9efcadbe86b

SHA256
5cf73d8ba3a6656e804041884cefc0148c3ef80fd4b8633a6647a033082f15f8

SHA512
4ca8a5cd200eaf8d8a023c47e7a279e41279c045bf567b81f95e93ca25d5a51dec2786de98efa5b907ec5633c8400e497f6bcaf636d4591d7c42e21ec3039ad4

Download Submit
C:\Program Files\WindWare\iedw.ico

Filesize
14KB

MD5
468fada123f5548ac87e57bae81f6782

SHA1
edb8f012c25906e6afd8bf335b495e16c440243d

SHA256
091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d

SHA512
635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa

Download Submit
C:\Program Files\WindWare\tb.cmd

Filesize
2KB

MD5
4b8b392ac99df4d6f2239666eed11fa1

SHA1
27984247b633823df077b190e5ec5317a539698d

SHA256
6a0861f8cc7c16a931bb80ec8b270bd5e9081bdcd04f981a44238ee8e4a257a0

SHA512
f69762846470bd711b89c59429dd68812de9ff8828237f9c61283770f90c8f9bbe1c2c539f429cc0308832816ac3368b5925032103f3ae1e94b24247fc64ba3c

Download Submit
C:\Program Files\WindWare\tb.vbs

Filesize
126B

MD5
633a419fc58b7353d6eaef683fe1fca1

SHA1
5ece6a3d396e1888c5c051b12411537e3957aee1

SHA256
786068fda43174b1dc28073d1d0861aeb06debe26b2a6a9453680976f0433d2b

SHA512
f209583d2e0b9392a49c6f276be1f91cc4f719ae5284b72971e5ca2dd7bb1759fd59873ddba7ebf200944dd9855ee49c9528fe906efa8d9e0c9adad677457b50

Download Submit