Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 30/09/2024, 08:33
Static task: static1
Behavioral task: behavioral1
- Sample: 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
- Size: 98KB
- MD5: 0067a831f19e162fd8b2fdafadae56ad
- SHA1: d2df95ef453237d32e51f83f67e43c6b8db56c8a
- SHA256: fc4d978dc7821f491b7e52b5d4e3fa5ba39a39f3437e8cf5fa4d273831689782
- SHA512: ceffb611d134b7b5ca60758a445a6f2c79d6c7232382cdfef15ea4484a7401ec25052539d825490fce94832e1fa9a93927d63ceb04316319d6d89102b1004723
- SSDEEP: 1536:igYPhQXwIiPrrjThO+lUBrzCxry1ec7rUyj239au7538iJkZX/4p0N26:FYP2XerzhOUxu/XUtauF8iJkZP4ps
Signatures
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File created | C:\Program Files\Internet Explorer\iedw.ico | cmd.exe
File opened for modification | C:\Program Files\WindWare\Internet Exploror.lnk | 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindWare\淘宝-购物.lnk | 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
File created | C:\Program Files\WindWare\Internet Exploror.lnk | 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindWare\iedw.ico | 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
File created | C:\Program Files\WindWare\tb.cmd | 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
File created | C:\Program Files\WindWare\__tmp_rar_sfx_access_check_259436230 | 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
File created | C:\Program Files\WindWare\iedw.ico | 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindWare\tb.cmd | 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
File created | C:\Program Files\WindWare\tb.vbs | 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindWare\tb.vbs | 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
File created | C:\Program Files\WindWare\淘宝-购物.lnk | 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
File opened for modification | C:\Program Files\Internet Explorer\iedw.ico | cmd.exe
File opened for modification | C:\Program Files\WindWare | 0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 22 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (38 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\WantsParsDisplayName | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command\ | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32 | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iedw.ico" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32 | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideFolderVerbs | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InfoTip = "╠╘▒ª╣║╬∩╠╪╝█╙┼╗▌╟°" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\LocalizedString = "╠╘▒ª-╣║╬∩" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\MUIVerb = "@shdoclc.dll,-10241" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba} | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32 | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H) | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ = "%systemRoot%\\SysWow64\\shdocvw.dll" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\ | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideOnDesktopPerUser | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ThreadingModel = "Apartment" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\Attributes = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H) | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/go/taobao.htm" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba} | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba} | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\ = "╠╘▒ª-╣║╬∩(&H)" | reg.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe (PID 2368)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0067a831f19e162fd8b2fdafadae56ad_JaffaCakes118.exe"
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe (PID 2200)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files\WindWare\tb.vbs"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 2828)
         Command line: "C:\Windows\System32\cmd.exe" /C .\tb.cmd
         - Drops file in Program Files directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. Children of cmd.exe (PID 2828): nineteen instances of C:\Windows\SysWOW64\reg.exe, each tagged with "System Location Discovery: System Language Discovery" and "Modifies registry class".
            PID | Command line
            2324 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
            2724 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "InfoTip" /t REG_SZ /d "╠╘▒ª╣║╬∩╠╪╝█╙┼╗▌╟°" /f
            2760 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "LocalizedString" /t REG_SZ /d "╠╘▒ª-╣║╬∩" /f
            2764 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon"
            2852 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "C:\Program Files\Internet Explorer\iedw.ico" /f
            2868 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32"
            2872 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
            2876 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
            2888 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell"
            2768 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell" /ve /t REG_SZ /d "╠╘▒ª-╣║╬∩(&H)" /f
            2740 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)"
            3008 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
            2816 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command"
            2820 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/go/taobao.htm" /f
            2620 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"
            2804 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
            3004 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
            2900 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
            2776 | REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
Downloads