Analysis
- max time kernel: 61s
- max time network: 65s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-01-2025 08:45
Behavioral tasks (sample, resource)
- behavioral1: 14ed02af2bfe80834dd59bd49650f5c982da1a9bf2a437450ce113eb6fcf9ee1.exe, win7-20241010-en
- behavioral2: 14ed02af2bfe80834dd59bd49650f5c982da1a9bf2a437450ce113eb6fcf9ee1.exe, win10v2004-20250129-en
- behavioral3: 166bcfa4ec03b68bc4ee3fc95806f6d155575be88cbc3c4b7aa5891ca3cc6a88.exe, win7-20240903-en
- behavioral4: 166bcfa4ec03b68bc4ee3fc95806f6d155575be88cbc3c4b7aa5891ca3cc6a88.exe, win10v2004-20250129-en
- behavioral5: 18f6e53cc27bda15c98f79e76f9210bf05b1d8528b96cf4c1523a7aeec7532bc.exe, win7-20240708-en
- behavioral6: 18f6e53cc27bda15c98f79e76f9210bf05b1d8528b96cf4c1523a7aeec7532bc.exe, win10v2004-20250129-en
- behavioral7: 1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe, win7-20241010-en
- behavioral8: 1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197.exe, win10v2004-20250129-en
- behavioral9: 259af5147b99b4c014aeb425aaf236fc76ab60f1aa06efa77027393854e5fff4.exe, win7-20240903-en
- behavioral10: 259af5147b99b4c014aeb425aaf236fc76ab60f1aa06efa77027393854e5fff4.exe, win10v2004-20241007-en
- behavioral11: 4c8b1c9ed7ba0d921b0971a3e5de96bfdb3b18024e8880c7aaa2759f13c01316.exe, win7-20240708-en
- behavioral12: 4c8b1c9ed7ba0d921b0971a3e5de96bfdb3b18024e8880c7aaa2759f13c01316.exe, win10v2004-20250129-en
- behavioral13: 4cca8b360d5053a789ea822ab80261dc6f010c1c72b0d449ca8cdcaffd2e2c0a.exe, win7-20241010-en
- behavioral14: 4cca8b360d5053a789ea822ab80261dc6f010c1c72b0d449ca8cdcaffd2e2c0a.exe, win10v2004-20250129-en
- behavioral15: 57f8e4e1d3339c0abadc0f64fc6a4abaff19cd138724cdbb3fae5f37905547c5.exe, win7-20240903-en
- behavioral16: 57f8e4e1d3339c0abadc0f64fc6a4abaff19cd138724cdbb3fae5f37905547c5.exe, win10v2004-20241007-en
- behavioral17: 922cba3477ffa83332622df72c2e580fcb3bdd437952c4b6b2c096b4a094acc3.exe, win7-20241023-en
- behavioral18: 922cba3477ffa83332622df72c2e580fcb3bdd437952c4b6b2c096b4a094acc3.exe, win10v2004-20250129-en
- behavioral19: b5bd1068644f0c38e7aa1cb38dcc40eacf146be9b43d8fd865fddee61ea9a588.exe, win7-20241010-en
- behavioral20: b5bd1068644f0c38e7aa1cb38dcc40eacf146be9b43d8fd865fddee61ea9a588.exe, win10v2004-20250129-en
- behavioral21: da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe, win7-20240903-en
- behavioral22: da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe, win10v2004-20250129-en
- behavioral23: ec7b605aaefd00f0507f43c78590266b74345bc9308eba26fc542b6a0ae5e133.exe, win7-20240903-en
- behavioral24: ec7b605aaefd00f0507f43c78590266b74345bc9308eba26fc542b6a0ae5e133.exe, win10v2004-20241007-en
- behavioral25: ff70347ce0294dc6741692164f65608d9bb47e396486c50da08a94a5b3cbe50c.exe, win7-20241023-en
- behavioral26: ff70347ce0294dc6741692164f65608d9bb47e396486c50da08a94a5b3cbe50c.exe, win10v2004-20250129-en
Errors
General
- Target: 14ed02af2bfe80834dd59bd49650f5c982da1a9bf2a437450ce113eb6fcf9ee1.exe
- Size: 7KB
- MD5: 4262c56e7745e6a4203c77550586571f
- SHA1: 98df4673cd065861e7b52dca9d55f836abd10872
- SHA256: 14ed02af2bfe80834dd59bd49650f5c982da1a9bf2a437450ce113eb6fcf9ee1
- SHA512: 1fa4772eb617fd3a44b53f308c939eee181c262c9619b91f1cb25913d906a426b94bd8c66cb83508dab31836fc8d410db184444b44da4d5e65dd88b29347a4b6
- SSDEEP: 192:Aemtzvx1X/L3YLSB5p26kL3LKLQKpJZsfjr9pT:AjZLX/LoLOp26kL3LKLQKHefjr9p
Malware Config
Signatures
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description / ioc / process:
  - Key created \REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Software\Microsoft\Active Setup\Installed Components, explorer.exe (×4)
- Drops file in System32 directory (3 IoCs)
  description / ioc / process:
  - File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm, OfficeClickToRun.exe
  - File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db, OfficeClickToRun.exe
  - File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal, OfficeClickToRun.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / process:
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 14ed02af2bfe80834dd59bd49650f5c982da1a9bf2a437450ce113eb6fcf9ee1.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description / ioc / process:
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0, OfficeClickToRun.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, OfficeClickToRun.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, OfficeClickToRun.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / process:
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS, OfficeClickToRun.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily, OfficeClickToRun.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU, OfficeClickToRun.exe
- Modifies data under HKEY_USERS (26 IoCs, all by OfficeClickToRun.exe)
- Modifies registry class (28 IoCs, all by explorer.exe)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid / process:
  - 4468 14ed02af2bfe80834dd59bd49650f5c982da1a9bf2a437450ce113eb6fcf9ee1.exe (×5)
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  description / pid / process:
  - Token: SeDebugPrivilege, 4468 14ed02af2bfe80834dd59bd49650f5c982da1a9bf2a437450ce113eb6fcf9ee1.exe
  - Token: SeShutdownPrivilege, 2728 explorer.exe (×4)
  - Token: SeCreatePagefilePrivilege, 2728 explorer.exe (×4)
  - Token: SeShutdownPrivilege, 1528 explorer.exe (×4)
  - Token: SeCreatePagefilePrivilege, 1528 explorer.exe (×4)
  - Token: SeShutdownPrivilege, 3156 explorer.exe (×4)
  - Token: SeCreatePagefilePrivilege, 3156 explorer.exe (×4)
  - Token: SeShutdownPrivilege, 3404 explorer.exe (×4)
  - Token: SeCreatePagefilePrivilege, 3404 explorer.exe (×4)
- Suspicious use of FindShellTrayWindow (28 IoCs)
  pid / process:
  - 2728 explorer.exe (×7)
  - 1528 explorer.exe (×7)
  - 3156 explorer.exe (×7)
  - 3404 explorer.exe (×7)
- Suspicious use of SendNotifyMessage (32 IoCs)
  pid / process:
  - 2728 explorer.exe (×8)
  - 1528 explorer.exe (×8)
  - 3156 explorer.exe (×8)
  - 3404 explorer.exe (×8)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid / process:
  - 4192 OfficeClickToRun.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\14ed02af2bfe80834dd59bd49650f5c982da1a9bf2a437450ce113eb6fcf9ee1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14ed02af2bfe80834dd59bd49650f5c982da1a9bf2a437450ce113eb6fcf9ee1.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4468
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 4192
- C:\Windows\explorer.exe
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2728
- C:\Windows\explorer.exe
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1528
- C:\Windows\explorer.exe
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3156
- C:\Windows\explorer.exe
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3404