Beyond good ol’ Run key, Part 68

December 8, 2017 in Anti-*, Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

Modification of Software\Classes\CLSID branches is a well-known trick used by malware for ages. It is important to recognize though that there are many variants of the trick – the keys are used by different applications and libraries, and for really different purposes – there is no end to possibilities they offer to malware authors.

Here’s a probably less-known CLSID branch that could be used to execute malware anytime you press WIN+E to open a new Windows Explorer window.

Example for calculator (tested on win10):



There is a side-effect to this setting; launching explorer.exe – whether via WIN+E or directly via clicking explorer.exe inside Windows Explorer, or running it via WIN+R will always end up with calc.exe being executed. The malware would need to handle these situation with an appropriate action.

Comments are closed.