Analysis
max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted
25/12/2023, 04:42
Static task
static1
Behavioral task
behavioral1
Sample
05c2832548779cc63710886b102d4640.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
05c2832548779cc63710886b102d4640.exe
Resource
win10v2004-20231215-en
General
-
Target
05c2832548779cc63710886b102d4640.exe
-
Size
101KB
-
MD5
05c2832548779cc63710886b102d4640
-
SHA1
4a1a60af539c38b4859275dcdbe0b9b03d3c786c
-
SHA256
13f84881b5d8c5cde33a4d73a5e348534aa2b03583e96b140488080bad5f7d7a
-
SHA512
25fbcb6b994f521defca3b71de9a6f3b0789c492f4fb4a07d5af1693ac34f5e0e4ec2ab334bef0d9238347c2c8f24f11cf6502c43f01d6969465b0362ea21c9c
-
SSDEEP
1536:igYPhQXwIiPrrjThO+lUBrzCxry1ec7rUyj239au7538iJkZVa/4p0ND3Y:FYP2XerzhOUxu/XUtauF8iJkZ84pao
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | 05c2832548779cc63710886b102d4640.exe
-
Drops file in Program Files directory 26 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\WindWare\36O安全刘览器3.lnk | 05c2832548779cc63710886b102d4640.exe
File opened for modification | C:\Program Files\WindWare\Internet Exploror.lnk | 05c2832548779cc63710886b102d4640.exe
File opened for modification | C:\Program Files\WindWare | 05c2832548779cc63710886b102d4640.exe
File opened for modification | C:\Program Files\WindWare\3.cmd | 05c2832548779cc63710886b102d4640.exe
File created | C:\Program Files\WindWare\36OSE.vbs | 05c2832548779cc63710886b102d4640.exe
File opened for modification | C:\Program Files\WindWare\淘宝-购物.lnk | 05c2832548779cc63710886b102d4640.exe
File opened for modification | C:\Program Files\WindWare\iedw.ico | 05c2832548779cc63710886b102d4640.exe
File created | C:\Program Files\WindWare\tb.cmd | 05c2832548779cc63710886b102d4640.exe
File created | C:\Program Files\WindWare\36O安全刘览器3.lnk | 05c2832548779cc63710886b102d4640.exe
File opened for modification | C:\Program Files\WindWare\36O安全刘览器 3.lnk | 05c2832548779cc63710886b102d4640.exe
File created | C:\Program Files\WindWare\3.cmd | 05c2832548779cc63710886b102d4640.exe
File created | C:\Program Files\Internet Explorer\iedw.ico | cmd.exe
File opened for modification | C:\Program Files\Internet Explorer\iedw.ico | cmd.exe
File created | C:\Program Files\WindWare\__tmp_rar_sfx_access_check_240615156 | 05c2832548779cc63710886b102d4640.exe
File created | C:\Program Files\WindWare\36O安全刘览器 3.lnk | 05c2832548779cc63710886b102d4640.exe
File created | C:\Program Files\WindWare\360SE.vbs | 05c2832548779cc63710886b102d4640.exe
File opened for modification | C:\Program Files\WindWare\360SE.vbs | 05c2832548779cc63710886b102d4640.exe
File created | C:\Program Files\WindWare\tbb.cmd | 05c2832548779cc63710886b102d4640.exe
File created | C:\Program Files\WindWare\淘宝-购物.lnk | 05c2832548779cc63710886b102d4640.exe
File opened for modification | C:\Program Files\WindWare\36OSE.vbs | 05c2832548779cc63710886b102d4640.exe
File created | C:\Program Files\WindWare\iedw.ico | 05c2832548779cc63710886b102d4640.exe
File created | C:\Program Files\WindWare\Internet Exploror.lnk | 05c2832548779cc63710886b102d4640.exe
File opened for modification | C:\Program Files\WindWare\tb.cmd | 05c2832548779cc63710886b102d4640.exe
File created | C:\Program Files\WindWare\tb.vbs | 05c2832548779cc63710886b102d4640.exe
File opened for modification | C:\Program Files\WindWare\tb.vbs | 05c2832548779cc63710886b102d4640.exe
File opened for modification | C:\Program Files\WindWare\tbb.cmd | 05c2832548779cc63710886b102d4640.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 39 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iedw.ico" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\Attributes = "0" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InfoTip = "╠╘▒ª╣║╬∩╠╪╝█╙┼╗▌╟°" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba} | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32 | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32 | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\ | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\WantsParsDisplayName | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba} | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba} | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ThreadingModel = "Apartment" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\ = "╠╘▒ª-╣║╬∩(&H)" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.9281.net/go/taobao.htm" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideOnDesktopPerUser | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32 | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H) | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\MUIVerb = "@shdoclc.dll,-10241" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command\ | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideFolderVerbs | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\LocalizedString = "╠╘▒ª-╣║╬∩" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H) | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings | 05c2832548779cc63710886b102d4640.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ | reg.exe
-
Suspicious use of WriteProcessMemory 63 IoCs
description | pid | Process | procid_target
PID 2112 wrote to memory of 2088 | 2112 | 05c2832548779cc63710886b102d4640.exe | 93
PID 2112 wrote to memory of 2088 | 2112 | 05c2832548779cc63710886b102d4640.exe | 93
PID 2112 wrote to memory of 2088 | 2112 | 05c2832548779cc63710886b102d4640.exe | 93
PID 2088 wrote to memory of 1068 | 2088 | WScript.exe | 94
PID 2088 wrote to memory of 1068 | 2088 | WScript.exe | 94
PID 2088 wrote to memory of 1068 | 2088 | WScript.exe | 94
PID 1068 wrote to memory of 3300 | 1068 | cmd.exe | 114
PID 1068 wrote to memory of 3300 | 1068 | cmd.exe | 114
PID 1068 wrote to memory of 3300 | 1068 | cmd.exe | 114
PID 1068 wrote to memory of 2204 | 1068 | cmd.exe | 113
PID 1068 wrote to memory of 2204 | 1068 | cmd.exe | 113
PID 1068 wrote to memory of 2204 | 1068 | cmd.exe | 113
PID 1068 wrote to memory of 2424 | 1068 | cmd.exe | 96
PID 1068 wrote to memory of 2424 | 1068 | cmd.exe | 96
PID 1068 wrote to memory of 2424 | 1068 | cmd.exe | 96
PID 1068 wrote to memory of 4604 | 1068 | cmd.exe | 112
PID 1068 wrote to memory of 4604 | 1068 | cmd.exe | 112
PID 1068 wrote to memory of 4604 | 1068 | cmd.exe | 112
PID 1068 wrote to memory of 1276 | 1068 | cmd.exe | 111
PID 1068 wrote to memory of 1276 | 1068 | cmd.exe | 111
PID 1068 wrote to memory of 1276 | 1068 | cmd.exe | 111
PID 1068 wrote to memory of 2376 | 1068 | cmd.exe | 110
PID 1068 wrote to memory of 2376 | 1068 | cmd.exe | 110
PID 1068 wrote to memory of 2376 | 1068 | cmd.exe | 110
PID 1068 wrote to memory of 1348 | 1068 | cmd.exe | 109
PID 1068 wrote to memory of 1348 | 1068 | cmd.exe | 109
PID 1068 wrote to memory of 1348 | 1068 | cmd.exe | 109
PID 1068 wrote to memory of 1640 | 1068 | cmd.exe | 108
PID 1068 wrote to memory of 1640 | 1068 | cmd.exe | 108
PID 1068 wrote to memory of 1640 | 1068 | cmd.exe | 108
PID 1068 wrote to memory of 4580 | 1068 | cmd.exe | 98
PID 1068 wrote to memory of 4580 | 1068 | cmd.exe | 98
PID 1068 wrote to memory of 4580 | 1068 | cmd.exe | 98
PID 1068 wrote to memory of 4772 | 1068 | cmd.exe | 97
PID 1068 wrote to memory of 4772 | 1068 | cmd.exe | 97
PID 1068 wrote to memory of 4772 | 1068 | cmd.exe | 97
PID 1068 wrote to memory of 3016 | 1068 | cmd.exe | 99
PID 1068 wrote to memory of 3016 | 1068 | cmd.exe | 99
PID 1068 wrote to memory of 3016 | 1068 | cmd.exe | 99
PID 1068 wrote to memory of 2232 | 1068 | cmd.exe | 107
PID 1068 wrote to memory of 2232 | 1068 | cmd.exe | 107
PID 1068 wrote to memory of 2232 | 1068 | cmd.exe | 107
PID 1068 wrote to memory of 4440 | 1068 | cmd.exe | 106
PID 1068 wrote to memory of 4440 | 1068 | cmd.exe | 106
PID 1068 wrote to memory of 4440 | 1068 | cmd.exe | 106
PID 1068 wrote to memory of 2604 | 1068 | cmd.exe | 105
PID 1068 wrote to memory of 2604 | 1068 | cmd.exe | 105
PID 1068 wrote to memory of 2604 | 1068 | cmd.exe | 105
PID 1068 wrote to memory of 3880 | 1068 | cmd.exe | 104
PID 1068 wrote to memory of 3880 | 1068 | cmd.exe | 104
PID 1068 wrote to memory of 3880 | 1068 | cmd.exe | 104
PID 1068 wrote to memory of 1684 | 1068 | cmd.exe | 103
PID 1068 wrote to memory of 1684 | 1068 | cmd.exe | 103
PID 1068 wrote to memory of 1684 | 1068 | cmd.exe | 103
PID 1068 wrote to memory of 4348 | 1068 | cmd.exe | 100
PID 1068 wrote to memory of 4348 | 1068 | cmd.exe | 100
PID 1068 wrote to memory of 4348 | 1068 | cmd.exe | 100
PID 1068 wrote to memory of 1520 | 1068 | cmd.exe | 102
PID 1068 wrote to memory of 1520 | 1068 | cmd.exe | 102
PID 1068 wrote to memory of 1520 | 1068 | cmd.exe | 102
PID 1068 wrote to memory of 4796 | 1068 | cmd.exe | 101
PID 1068 wrote to memory of 4796 | 1068 | cmd.exe | 101
PID 1068 wrote to memory of 4796 | 1068 | cmd.exe | 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\05c2832548779cc63710886b102d4640.exe
"C:\Users\Admin\AppData\Local\Temp\05c2832548779cc63710886b102d4640.exe"
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112
  C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\WindWare\tb.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2088
    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tbb.cmd
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1068
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "LocalizedString" /t REG_SZ /d "╠╘▒ª-╣║╬∩" /f
      - Modifies registry class
      PID:2424
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell" /ve /t REG_SZ /d "╠╘▒ª-╣║╬∩(&H)" /f
      - Modifies registry class
      PID:4772
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell"
      - Modifies registry class
      PID:4580
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)"
      - Modifies registry class
      PID:3016
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
      - Modifies registry class
      PID:4348
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
      - Modifies registry class
      PID:4796
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
      - Modifies registry class
      PID:1520
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
      - Modifies registry class
      PID:1684
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"
      - Modifies registry class
      PID:3880
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.9281.net/go/taobao.htm" /f
      - Modifies registry class
      PID:2604
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command"
      - Modifies registry class
      PID:4440
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
      - Modifies registry class
      PID:2232
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
      - Modifies registry class
      PID:1640
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
      - Modifies registry class
      PID:1348
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32"
      - Modifies registry class
      PID:2376
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "C:\Program Files\Internet Explorer\iedw.ico" /f
      - Modifies registry class
      PID:1276
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon"
      - Modifies registry class
      PID:4604
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "InfoTip" /t REG_SZ /d "╠╘▒ª╣║╬∩╠╪╝█╙┼╗▌╟°" /f
      - Modifies registry class
      PID:2204
      C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
      - Modifies registry class
      PID:3300
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
14KB
MD5
468fada123f5548ac87e57bae81f6782
SHA1
edb8f012c25906e6afd8bf335b495e16c440243d
SHA256
091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d
SHA512
635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa
-
Filesize
127B
MD5
9c06bf76c6711c2366c8895393cc54e1
SHA1
ed3ec44e280dd5840a022e2a878e9d6a0cc2f87a
SHA256
e775e69f73ec09a0024b6f3efd309090cd9ff149fc3bc8a9d0e6faf17e53615d
SHA512
6e8d2a6f403f8c56a242611e3e1c18ae53a80612a58207510f3cc204572243637a3de758e27af213a37ccf6b7dc69c611215c5fb0de0f4f2bcd41fef06ecaf10
-
Filesize
2KB
MD5
2cf45d3fd1abea440d5c3b6bba482e2f
SHA1
28794d41bf5be9710047f70e4ef4663bab63a97c
SHA256
799d3d37249f8254406e120964f6abbd6a7040c46344d60213d1a58050d8f345
SHA512
38af05a303f425324a575ddf94c9f85cf21ef61155b8b9b4eb900636639c3ac4df669cc9490c862f44383d67500b6e569541edf0981790b3588e85c9aa42d1c8