Analysis Overview
SHA256
27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4
Threat Level: Known bad
The file 27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample was found to be: Known bad.
Malicious Activity Summary
Avoslocker Ransomware
Modifies extensions of user files
Drops file in System32 directory
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Attribution: only "Avoslocker Ransomware" and "Modifies extensions of user files" are raised by the submitted sample process (user files under C:\Users\Admin\Pictures renamed with an appended .avos extension in both behavioral runs). The System32, processor-information, system-information, HKEY_USERS and SetWindowsHookEx signatures appear in behavioral2 only and every indicator row for them names C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (started with /service) as the process; the report does not show the sample spawning that process, so those rows describe the Office Click-to-Run service, not the sample. "EnumeratesProcesses" has no indicator rows in either run.
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-11-23 14:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-23 14:19
Reported
2021-11-23 14:21
Platform
win7-en-20211104
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Avoslocker Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\AddMount.raw => C:\Users\Admin\Pictures\AddMount.raw.avos | C:\Users\Admin\AppData\Local\Temp\27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DisableClear.png => C:\Users\Admin\Pictures\DisableClear.png.avos | C:\Users\Admin\AppData\Local\Temp\27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InvokeSet.png => C:\Users\Admin\Pictures\InvokeSet.png.avos | C:\Users\Admin\AppData\Local\Temp\27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnblockSelect.raw => C:\Users\Admin\Pictures\UnblockSelect.raw.avos | C:\Users\Admin\AppData\Local\Temp\27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-23 14:19
Reported
2021-11-23 14:21
Platform
win10-en-20211014
Max time kernel
134s
Max time network
140s
Command Line
Signatures
Avoslocker Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ConnectDeny.tif => C:\Users\Admin\Pictures\ConnectDeny.tif.avos | C:\Users\Admin\AppData\Local\Temp\27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RegisterUnblock.png => C:\Users\Admin\Pictures\RegisterUnblock.png.avos | C:\Users\Admin\AppData\Local\Temp\27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResolveSync.png => C:\Users\Admin\Pictures\ResolveSync.png.avos | C:\Users\Admin\AppData\Local\Temp\27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\Expires = "int64_t|1634514746" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceId = "001840053DBD191D" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\001840053DBD191D = (binary value not reproduced in this copy of the report) | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1634428408" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "t=GwAWAbuEBAAUTtlZ6S5DAUSlRrmXzKeUMjH15hsOZgAAEM7/Hnh/kWM8wF2lThETH5PgAJCXg98o3e4Pfvqwnxtf14nexSom2eRktEeSIoxvYGm/EkgkOeLb3Z+JhceAC59O3TpZGxbXgZkXkZSb1OmL/rLm1NWSTm8ujUu0RIqRFQ06cjIhFEglq96hOrfkFrlEUfqbBw8XuxPWm7/ac2eL3ng6HaufNLXl0miGb94G2H6JWI8S3401Pqipne5OhlQocmCZGUwMp5QgWoXzAOGrw5NZBZHjJ8Pdr3YE02aWqbggiCjde0hqBDm8V7RogH4GX8DqZyrsLJrYKCrmKaHMQaohxBbV0CXy5qn+9jlfC0bDGwE=&p=" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = (binary value not reproduced in this copy of the report) | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe"
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Network
| Country | Destination | Domain | Proto |
| IE | 52.109.76.32:443 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
The network table has no process column, so the report attributes none of these connections to the sample. The 8.8.8.8:53 row is the DNS lookup for time.windows.com and the 40.119.148.38:123 row is NTP to that host (the Windows default time source); no domain is recorded for the 52.109.76.32:443 connection.
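The flat summary at the top of this report lists every signature together, so the script below, an added example rather than the sandbox's own code, re-derives per-process attribution from signature rows of the kind shown in the tables above. Its input is a hand-copied subset of those rows plus two constructed negative rename rows attributed to a hypothetical C:\Windows\explorer.exe (not in the report). The exact-suffix check is what separates an AvosLocker-style rename (old path plus .avos) from an ordinary rename or an extension change, both of which a generic "file renamed" signature would also fire on.

```python
"""Re-derive per-process attribution from sandbox signature rows.

Added example, not part of the sandbox report. ROWS is constructed: the
first seven entries are copied from the behavioral1/behavioral2 tables,
the last two are made-up negatives assigned to a hypothetical explorer.exe.
"""
import re
from collections import defaultdict

SAMPLE_EXE = (
    r"C:\Users\Admin\AppData\Local\Temp"
    r"\27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe"
)
OFFICE_EXE = r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"
OTHER_EXE = r"C:\Windows\explorer.exe"  # hypothetical, only used for the negative rows

# (signature, description, indicator, process)
ROWS = [
    ("Modifies extensions of user files", "File renamed",
     r"C:\Users\Admin\Pictures\AddMount.raw => C:\Users\Admin\Pictures\AddMount.raw.avos", SAMPLE_EXE),
    ("Modifies extensions of user files", "File renamed",
     r"C:\Users\Admin\Pictures\DisableClear.png => C:\Users\Admin\Pictures\DisableClear.png.avos", SAMPLE_EXE),
    ("Modifies extensions of user files", "File renamed",
     r"C:\Users\Admin\Pictures\ConnectDeny.tif => C:\Users\Admin\Pictures\ConnectDeny.tif.avos", SAMPLE_EXE),
    ("Drops file in System32 directory", "File opened for modification",
     r"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat", OFFICE_EXE),
    ("Checks processor information in registry", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", OFFICE_EXE),
    ("Modifies data under HKEY_USERS", "Set value (int)",
     r'\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"', OFFICE_EXE),
    ("Suspicious use of SetWindowsHookEx", "N/A", "N/A", OFFICE_EXE),
    # Constructed negatives: a plain rename and an extension swap, neither the AvosLocker pattern.
    ("Modifies extensions of user files", "File renamed",
     r"C:\Users\Admin\Pictures\Notes.txt => C:\Users\Admin\Pictures\Notes.bak", OTHER_EXE),
    ("Modifies extensions of user files", "File renamed",
     r"C:\Users\Admin\Pictures\a.png => C:\Users\Admin\Pictures\b.png", OTHER_EXE),
]

RENAME_RE = re.compile(r"^(?P<src>.+?) => (?P<dst>.+)$")


def parse_rename(indicator):
    """Split a 'src => dst' rename indicator into (src, dst); None for anything else."""
    m = RENAME_RE.match(indicator)
    return (m.group("src"), m.group("dst")) if m else None


def appended_extension(src, dst):
    """Return the suffix if dst is exactly src with something appended, else None.

    AvosLocker keeps the original file name and extension and appends .avos,
    so the old path must be a strict prefix of the new one. A plain rename or
    an extension swap (a.png -> b.png, Notes.txt -> Notes.bak) does not qualify.
    """
    if len(dst) > len(src) and dst.startswith(src):
        return dst[len(src):]
    return None


def signatures_by_process(rows):
    """Map each process path to the sorted list of signature names it triggered."""
    out = defaultdict(set)
    for sig, _desc, _ind, proc in rows:
        out[proc].add(sig)
    return {proc: sorted(sigs) for proc, sigs in out.items()}


def ransomware_renames(rows, extension=".avos"):
    """Rename events whose new name is old name + extension, grouped by process."""
    hits = defaultdict(list)
    for _sig, desc, ind, proc in rows:
        if desc != "File renamed":
            continue
        parsed = parse_rename(ind)
        if parsed and appended_extension(*parsed) == extension:
            hits[proc].append(parsed[0])
    return dict(hits)


def triage(rows, sample_exe):
    """Split signatures into those raised by the submitted sample and those raised by other processes."""
    by_proc = signatures_by_process(rows)
    return {
        "sample": by_proc.get(sample_exe, []),
        "other_processes": {p: s for p, s in by_proc.items() if p != sample_exe},
    }


if __name__ == "__main__":
    result = triage(ROWS, SAMPLE_EXE)
    print("sample signatures:", result["sample"])
    for proc, sigs in result["other_processes"].items():
        print("other process:", proc, sigs)
    for proc, files in ransomware_renames(ROWS).items():
        print(f"{len(files)} .avos renames by {proc}")
```

In a real pipeline the rows would come from the sandbox's structured export rather than hand-copied table lines, but the split is the same: a signature is evidence about the process in its Process column, and a rename signature is only evidence of encryption when the new name is the old name plus the ransomware's extension.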