Analysis Overview
SHA256
1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a
Threat Level: Known bad
The file c4da0137cbb99626fd44da707ae1bca8.exe was found to be: Known bad.
Malicious Activity Summary
DarkSide
Modifies extensions of user files
Drops startup file
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
Drops file in System32 directory
Drops file in Windows directory
Modifies data under HKEY_USERS
Modifies registry class
Enumerates system info in registry
Checks processor information in registry
Modifies Control Panel
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-14 07:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-14 07:24
Reported
2022-01-14 07:27
Platform
win7-en-20211208
Max time kernel
119s
Max time network
122s
Command Line
Signatures
DarkSide
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\WaitRequest.png.a2d31b63 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompareStop.raw.a2d31b63 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConnectShow.png.a2d31b63 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DebugUninstall.tif.a2d31b63 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PushPublish.raw.a2d31b63 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ReceiveRequest.tiff.a2d31b63 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.a2d31b63.TXT | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.a2d31b63.TXT | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\a2d31b63.BMP" | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\a2d31b63.BMP" | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\a2d31b63\DefaultIcon\ = "C:\\ProgramData\\a2d31b63.ico" | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.a2d31b63 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.a2d31b63\ = "a2d31b63" | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\a2d31b63\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\a2d31b63 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
"C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"
C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
"C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"
C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
"C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"
C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe -work worker0 -path \\?\C:\
Network
Files
memory/1676-55-0x0000000075021000-0x0000000075023000-memory.dmp
memory/952-57-0x0000000000000000-mapping.dmp
memory/572-59-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-14 07:24
Reported
2022-01-14 07:27
Platform
win10-en-20211208
Max time kernel
127s
Max time network
150s
Command Line
Signatures
DarkSide
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\HideConvertTo.crw.a97d73e3 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\NewFind.crw.a97d73e3 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PingUnpublish.tiff.a97d73e3 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RenameEnter.tiff.a97d73e3 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResizeRestore.tif.a97d73e3 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SyncCompare.crw.a97d73e3 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ClearWatch.crw.a97d73e3 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DenyEnable.tiff.a97d73e3 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SetWatch.raw.a97d73e3 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnpublishUndo.crw.a97d73e3 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.a97d73e3.TXT | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.a97d73e3.TXT | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\a97d73e3.BMP" | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\1601268389\1361672858.pri | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\1361672858.pri | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1642145181" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\a97d73e3.BMP" | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\Expires = "int64_t|1642231514" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018C00412F80011 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000cbd31cc1c7bf06449dfc981d43fd0ab30000000002000000000010660000000100002000000022a3f9311f197087811833b49d09bb960aaafbd8ba8ce026901c7135d6ea90b0000000000e80000000020000200000000e242e9418803204d89ab2b990d220dc8c23c67d0857033a95c159634f7127a1800000003c177d6cb2651f38027632aa419a066182318ce87fd4ce8dd9b7eaf457825772b3a842581b73c47071190c579860cef41942b7a3f5149b1f629027ff699dceec119850598649b3cb501890de7fcc215e1e2baf928eb96fe85389d74f921778a1f781f2871320eea07a137b9bab30beeec2219b81b622865ceaab12ab4583010940000000fe80e1625902c5ef92f097cfbd3cd57945afd1952ae6a180b4f9648ea7081cdccdb8028edc99ad0ce93788b702c10fb0b2a6e42d6aca0e6edcbe27586011582a | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000cbd31cc1c7bf06449dfc981d43fd0ab300000000020000000000106600000001000020000000f0ab40350453be28aa24b520abaf2d4fefa748a81fea41e10b643118983db07c000000000e8000000002000020000000900f9ef3b4ed1e3f9b989e7900ac505a8b39fbdbf7d1e49c8d34b2e8bf0093cdf0030000536aea02251e77a377b8d1a0dd1b46d0fd9393513b594687b0cc1c402c781887591a145d1d89366b15a831c49f35eee437ae73354f52da53e89a8d33c23f79b2f320879dff7936cb08c8522dd3032fb0c6a3b65e1a15b7e02a8907ad481f490288c8b3660f1bb2c4f166dc667e742a3b1582c85df8bdd68b7a2f00cd0a947c028cc8154fd881bc9a08b4306de1c255f285d3c2cca401aa2ac83a5f90b6ba100b0b13dfdbc457a2a2dfba7cdc3646d662a7b9b70232e75a07da1ad86a5b4ddc81ce069ed2aa84c4fcb755ea44045bcf66b9c72c52ece9a18c948129a1f95dd94a122a2a8e406414b600dddf53089b3d703eeb0cfcf514d0108c64faa61b0629027d8259b283625f2c7bc81b0904dc44b3aed0c677b1800989673b619955cbb8f64c464ac0bc4fab5effa97554f68762ec75f96065fc039fe5cd73b5732c62e8bc70ac267eea9a3b8b22922759d52f6423e7c1ac3589143de0392d2b6d88e6269235bfb2d2e4b071fabddc2f928001b9d718a78d96867e34e54f480aa7b588a5a501dbf35d0862564f0918e5378969074caeba25302a6fc4e72e28fb9b00888a133178186a8caa7c265f973e4f20c1b5c46f691d20450c5637f8199579f62cbda9ac81665bb115b7f3fa0f2e353ee0ff11d55da8e1d89d1c62616d5e11365cffbb2612b61738fc72c65e9429e0565f58a17ee1943008f238923d78c701fe68b8f723ee8e2cf33e1d37b44d3486be7bd8567308dcf3cdfff52926dd3c2d5b79a5f09e96f60e1df045249b6c293150e268423e08aa12ecc377434f991d8e967f0e6a08fa93514d1380ca72d9214ba8c4e159d1ef7726b61be0ef9b91a38e812b8bbd11c0c9166d492ed44032b75b6a4e996cf95b13e8377619626ab89fb4fc51422d25d59306e54bf3fea2436067e148af42ed0a786c63d7443e2d7f4f010a66367f6977be6a76ba86bd17669b4a86bd38f01800d2f4e4eb342e0c1f1b67edf7dbe237321e879b4542581c834083c0386a99c36039b38bb7839fa96d601bc316e2f684c3e9c0d77c63b27716bdc5e3fa0af81005fce46df9f34f78fea7dd95ea9d332bdf651766cc48db6048e00fee5116deba8edc1b634d5efe2e752fafe4e7fe8d87190ede36ff4c7c910202e5d11b108321e082d94aa130449b7ff467cec5a9ecfb07b59b11b7b631a70b32323ca2a921673df29cea6be4c67a6503594ce9e140acf803dc8d14ef162c2a4b55492f56fb91f4cf96dbef7d22c6965810b67203683643615e3f1fba3571613c9eebbf85e127688abae83218c6aeaec0e8816a1bde566f5be5a182a9e5261920f3b86c637ecb3cf37457036755d255d02e61b6907346eb1e4ece6a3f78e0c86eca0364806b40e05555981e1cd42d89894ad813ec12ea5227e00195a3e849347043a6a7752840000000d6683772a1d78d4b9e71bb4083232c47602ebb3a35486aba017ce3fbacaa8ec32a1f2e1419a62b38388c963e062e104c0edc9bcbaa378a2df86826267db906ee | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\a97d73e3 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.a97d73e3\ = "a97d73e3" | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\a97d73e3\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\a97d73e3\DefaultIcon\ = "C:\\ProgramData\\a97d73e3.ico" | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.a97d73e3 | C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
"C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"
C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
"C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"
C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
"C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"
C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe -work worker0 -path \\?\C:\
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
memory/3084-115-0x0000000000000000-mapping.dmp
memory/1296-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\F7OQ64ZU\microsoft.windows[1].xml
| MD5 | c2268530aaac28d18b2a176b8ab9b626 |
| SHA1 | d17e650a1faf88c2b849cde371982aa1d95d7dc9 |
| SHA256 | 6b2f5f43bf895969e9ea55dcbcb0cb766fa420548e7718403744e1466b72c5cd |
| SHA512 | 051b12ed7b7637bd642e21537dea9e4e4f2e2c01f93f27f9758b169dd6d704092a7bf203244b890265d4cfb803179fafa9e7fe157a258c682d17e2a16b51106f |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\F7OQ64ZU\microsoft.windows[1].xml
| MD5 | c2268530aaac28d18b2a176b8ab9b626 |
| SHA1 | d17e650a1faf88c2b849cde371982aa1d95d7dc9 |
| SHA256 | 6b2f5f43bf895969e9ea55dcbcb0cb766fa420548e7718403744e1466b72c5cd |
| SHA512 | 051b12ed7b7637bd642e21537dea9e4e4f2e2c01f93f27f9758b169dd6d704092a7bf203244b890265d4cfb803179fafa9e7fe157a258c682d17e2a16b51106f |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal
| MD5 | 2779af4cec8db079935497c8fe89aa4a |
| SHA1 | d4fd8040cb92c2fef7af6fdf4da3d0759c19ff24 |
| SHA256 | 1d1dd401599ce1c099c03b467c5a5b45be3295392488a6d75144deb3542d4318 |
| SHA512 | 8e8f2e1160a7d789ee2935718d4d12e7ef964f4c3d8cb875ed04ab2fb35b1157c3337fe700adf61679dc216cdcbec08b366839b9b98784dd9c68df2991259f6f |