darkside | bfa618d0d4f6ad7c98c588e4826a38391544520d4478e28c77ef29018c167516

General

Target

1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
Size

60KB
MD5

c4da0137cbb99626fd44da707ae1bca8
SHA1

a38e9891152755d9e7fff7386bb5a1bca375bd91
SHA256

1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a
SHA512

dd8212ff73522c6590ff8d8a3a48276fd872649eada2315b045c8c9f6cf054c3fe6cd741a16744eb82eff763acb745f07336c44db8f0c693770180cf7fd90645

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\\README.aeef1a75.TXT

Family

darkside

Ransom Note

----------- [ Welcome to Dark Side] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 100 GB data. Example of data: - Accounting data - Executive data - Sales data - Customer Support data - Marketing data - Quality data - And more other... Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68 When you open our website, put the following data in the input form: Key: pr9gzRnMz6qEwr6ovMT0cbjd9yT56NctfQZGIiVVLgo0ME2EQpAUyZucG9BLrOJjno5XLPvCN11TFfnlFHa42u5mJxoeR5k5RUgQAC1MC6LBUj4YOOAUyiBrR HQSUM3pzGoEPRVOzXSZ8YqkJyFL0TDFBbWaBKQDOSo9GzKKoVRQ0Eb02F5geTPkTAqZZSfSQ6PBBlTGPSgGe2kCyuwwp7lDmRSJlNnHssMMZHVhXzyZ6fxiBY gNiuusFK8JNI5nrtRPp3bMAc6OEddxfJWj6o2GT1Xg9j87Jp4Oyv43E1J61jLJAWBkmoBB3Gqv07mtyDW5PnmxBlNzABbLFEvJMQL23sR8nnw4svzcZHxrqD1 xRcxqyeKtsaQ5yqLvyQgMdnrI2QoCqkHYYUfBIzjO8BXyBZdmjHanXE57jdDAhjaDUUqfL917cCyJr1uwVR0Xj5lJXe8BIKHd3dFrz70CsIXFAhicOsBlFzIn daNcAXXyL8Fg1avIXOcuEkGRDXt8Cs8b3TAB6n4DrbLJdiFjECo8yCA9pxvzqjXatumUloblWFZaUoLVYzP !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC

http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ApproveGet.tif.aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeDismount.raw.aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
File opened for modification	C:\Users\Admin\Pictures\JoinInvoke.crw.aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
File opened for modification	C:\Users\Admin\Pictures\EnableStep.crw.aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
File opened for modification	C:\Users\Admin\Pictures\MoveSubmit.crw.aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizeResume.tiff.aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectCheckpoint.tif.aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
File opened for modification	C:\Users\Admin\Pictures\CompareDeny.crw.aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromMove.tif.aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
File opened for modification	C:\Users\Admin\Pictures\CopyApprove.tif.aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
File opened for modification	C:\Users\Admin\Pictures\EditDebug.crw.aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveReceive.tif.aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
File opened for modification	C:\Users\Admin\Pictures\TestSend.crw.aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

Drops startup file 2 IoCs

Processes:

1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.aeef1a75.TXT	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.aeef1a75.TXT	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 10 IoCs

Processes:

OfficeClickToRun.exeOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OfficeClickToRun.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\aeef1a75.BMP"	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OfficeClickToRun.exeOfficeClickToRun.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

OfficeClickToRun.exeSearchUI.exeSearchUI.exeOfficeClickToRun.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "10"	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

OfficeClickToRun.exeOfficeClickToRun.exe1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceId = "001800057D984715"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "t=GwAWAbuEBAAUPrSa9Xbh1D0J93uIPuLO4a+WXwAOZgAAEEiSSIzlWaadeeKewPVRNF/gABu4aLWIgARH9/sogvaDy8l2ZFDozBdLmUJBa+Dj9tpDOR1hC1N0lB1y++YRkVYZvvTdn6X7IpyFD5bZ7Tm+bHyJIYQICLHky1gepB8Xq9jpTdlA/vby9wvIJ378paK+5Z8SVuUhq4HAhbgbDTV+WVCz2qaug3fpTRKAogNLh5pg3J5e1leQYrZUErr+Y2+8kiLFHvckYtrdszrxiQB8GskU/SjFJy0YcVPKcIWf9DlG5Pz+tfyS/tKL4NdWbitp3gyZo4zDZWLQqJxjBrfgWGh83P9Q611a3B4JKraeL+NrGwE=&p="	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\aeef1a75.BMP"	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\001800057D984715 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000045f2a43814c9a94f8b25ef795f13414a00000000020000000000106600000001000020000000ff0bbd8204eb21e497df30d87d57e12a2179c3862284816b413852be41549e2c000000000e800000000200002000000010e020981441975f97ff22e8d1909edfe18c0c9d68e8fb91f88da8ae49fef4b380000000c0587e1f5cceb7c33fb606c5133bed035e1de85c8dd5e78726e2ad24c52badccdc9f176e9407be53bc4195d225d7ecece1137af28e778c5575804d31679b75abb8210a795b0009f4879774bca0c8cd89185157599f12aa353e00a5a2b1e7bf0f67014e97f49752ef4b3ac2850db974ef1c93737bd6c082f07bb8976fa30de0b540000000050629277bedfb94e861a16d0c9a9eabe124058422bf06a5fb5a6ded5e35ad1bce4a4b842dd7af7f4f761551a41bced7b15401b3a4fd52999f6467e11ac5fe32	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000045f2a43814c9a94f8b25ef795f13414a000000000200000000001066000000010000200000005f2f2096f86148695570181e3ca679bba864c5128a95436d37758cd10c7ef575000000000e8000000002000020000000e98431d96d75b9240ef30535b9187aae324f47f14b3c074fabb6883a8e819ab2f003000030b0d58aaccd5074ab2ed8dac0d0cdcbacf22e515bb9a7b7a7d81c42bf10e71e0a903b3d0977d97bd4f24163003839fa95f37395880a89b5663007811a62c3a52521a7d31457710d0b51c00003d2f54d2cf05f9f06adb5602de620a1df9c4224aa2186e5c820c65f2aee43efa2a7ebb371c4510624fd94a17803fcb13cd54aef5d5c0ca948c46b879495c26e48602cea8cba7db9eec8619f651fd4717b107c5e755c2e37f8e8a54e9d1baf0ce6a722ebe14b67ae8e63498d4eb826cf78af75dc24326a5de757a7ba396e951e1dad6f45fe792492ddb6cf3e9b93d84b30e70f99fde9785e28166db88bd797daa4f8c14ddafd4c6d66df80f6a3b25d53614c2134c73585bc8df1655c4ab1850c5d017df6b3b7216fb5386b53fbfdb9f55c76436810c7e4d640dcffa7a6b2c54ca6b768109fa0c3e3967bfc2658e02b6db64d39c9b045dd322d365d7710975835b9408b580d91a73aa22e109d9731e67ef14edbaaabbf8645fee568e3968101dcf5833321ce9749a535825220126595aa5615e0315450e2d2c739078bc23392cd69ec4e77be4f1641abfe9b8ffd5179c6dd0848fe2a84d9e2e3eff749b41d5533f007413ca8b048548ddceaa5c0718e232fe98108a3fe482ab670134b15d18ab277dc35b8518dbf8b6e064aada59e7bf6f6a36ffa2a4f51a7806c6b9cea57225de3b6b6203352fbd843facd97a05f8b74fb17006e3e4ade675381e7bd6a7da12e7b91c8fffd7503bb01c126f3f9f54472a82994d03c0206aadec376cd3f94f0dd3c6ae29f0d89c2886986043f6ef64a4f3c3f13ca9e3bdae817122c4182f388ff9df8cba2b45243b529ed87d407104fb185127ebe447d49425fd704c0602dcd070383b5152aaa373996780378e0e5ac0acad26a65444705bb4328e6f61012d7779d5675c73ec70212a6be5fb7657dd1666ade2b1cba749d72bbc9dfd234c3e45ab1478a9a28539bda55f8cbc5b690027643825f67ca602ca6c851e2f16e4a2ed1ea9303f42fe40b174f737d53e35346d6841004a77d026357bdf1b63dd2cc502db5029022685c1d8f9748534644c55b0a475b719d7e304f02eb3c451d9e85a38164f37cb5fbf37ee4ebaaa6260ad1526d83db2e1cbba89f6508c545551d84cd43bcac6b47e30fab7482711e068d434827d72eec04db43a6581d9f9096289227e7250b05dc1ae15e6d69e02d79fcc7c87103738f8be7374d0305292eba3b94ccb16bdb813d10d09d64585b0eaa305c61ee2808c05fad30f95d3dc3f9a0d6a471ab7cd883847f5b890ed8b668778962d46a637e2a73910cb238f7df10c5650e57e5fe8c4e79a44600cbf3277c79aaf6d0397d20656a05d53c2d91143dfba4cdb38b48e26dcf10c0ffbe7c193bb19a676086829d85a5722ed117998fc853f942aeccc11438a940000000c94536a3a7d561eac0a6bb41df9cb4ac5d422451db5e22bc478a72f68293b38a5d545adc2c758cd170f67c6541f803605d03dde2583530e1e2ca8ecc3c3ecd9d	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe

Modifies registry class 44 IoCs

Processes:

1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exeSearchUI.exeSearchUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.aeef1a75\ = "aeef1a75"	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75\DefaultIcon\ = "C:\\ProgramData\\aeef1a75.ico"	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75\DefaultIcon	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

OfficeClickToRun.exeSearchUI.exeOfficeClickToRun.exeSearchUI.exe

pid process

1016 OfficeClickToRun.exe
812 SearchUI.exe
3816 OfficeClickToRun.exe
3528 SearchUI.exe

pid	process
1016	OfficeClickToRun.exe
812	SearchUI.exe
3816	OfficeClickToRun.exe
3528	SearchUI.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

description	pid	process	target process
PID 4088 wrote to memory of 820	4088	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
PID 4088 wrote to memory of 820	4088	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
PID 4088 wrote to memory of 820	4088	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
PID 820 wrote to memory of 1348	820	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
PID 820 wrote to memory of 1348	820	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
PID 820 wrote to memory of 1348	820	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

C:\Users\Admin\AppData\Local\Temp\1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
"C:\Users\Admin\AppData\Local\Temp\1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe"
1⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
"C:\Users\Admin\AppData\Local\Temp\1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Local\Temp\1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
  "C:\Users\Admin\AppData\Local\Temp\1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe"
  2⤵
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
    C:\Users\Admin\AppData\Local\Temp\1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe -work worker0 -path \\?\C:\
    3⤵
    - Modifies extensions of user files
    - Drops startup file
    PID:1348

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1016

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:812

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\09XU2J0F\microsoft.windows[1].xml

MD5
eb506adafb8f7d38d4cc337aaf069d4c

SHA1
1d22ba0e2033ff8a3d5e5309fd042a6837704029

SHA256
a2ec9fd58ae4969ccf7c842ddf4ead4b5530423d99fb487917c092f271c201b2

SHA512
1e4ef7a1a1f1a2db6abb1b7ccfa8b2bc64cb151d64e5d502f7a3ccc0aa171ca75b28efeb7e859103e87933291f6cc72280fe4fca5cc6062d50c55386d87381c0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\09XU2J0F\microsoft.windows[1].xml

MD5
d949485c4b8437b3933fd577551a2a5b

SHA1
5064bc278385327a6fdd6d38bd8afddd1eeac6ba

SHA256
0eb4519964cbbf7b18db72c9645c2b9a1e4dbe6465eefcb21926acf28fcd0aeb

SHA512
b197f8f3ce7a596347f7ff104e68c2d300a04611aad49fe53295bd37d4f9bab65be41934096d6afe354c76445c30511203a86beb92142eb92bdb82a302d528b5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal

MD5
1067962e83202a7db71a8d9be4df7936

SHA1
1f5f7572004ccc0877c28ab32d164d060662c5e1

SHA256
483bcdc92511b1ce3723893957d40b6716ec9cb493463090ac3d158bbe7a6875

SHA512
2d48c81cc716976cde856beb1b54554342d35da2b640d8d4d7c29140b73b82d3e6ebcfe8bca08ba5236eeaae895f4f38ac6d88e04bdd44bd8a7be1b59c02bf1b

Download Submit
memory/820-114-0x0000000000000000-mapping.dmp

Download
memory/1348-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads