Malware Analysis Report

2025-01-22 23:11

Sample ID 241203-xd8zcatncq
Target 8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe
SHA256 8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425e
Tags banload discovery downloader dropper evasion ransomware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425e

Threat Level: Known bad

The file 8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (195) files with added filename extension

Renames multiple (245) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-03 18:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-03 18:45

Reported

2024-12-03 18:47

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A

Renames multiple (195) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\pt-br.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\7-zip.dll.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\az.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\fa.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\it.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\kaa.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\ps.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\si.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\ba.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\be.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\fr.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\de.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\ky.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\lt.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\hi.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\mk.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\mr.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\tg.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\co.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\da.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\uk.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\vi.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\ast.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\id.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\mn.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\eo.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\kk.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\th.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\cs.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\is.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\lv.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\7z.sfx.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\kab.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\ku.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\sa.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\tr.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\sq.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
File created C:\Program Files\7-Zip\Lang\yo.txt.tmp C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2\ = "3,1,32,1" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DocObject\ = "16" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3\ = "HTML Format,1,1,3" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Word 97 - 2003 Document" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DelayRenderFormats C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DelayRenderFormats\0 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\0\ = "Embed_Source,1,8,1" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0\ = "&Edit,0,2" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1\ = "&Open,0,2" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\1\ = "1" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\0 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "9" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Word.DocumentClass" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\IPersistStorageType = "1" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main\ = "MSWordDocx,MSWordDocm,MSWordDotx,MSWordDotm,MSWordOdt,MSWordDoc,1" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable\Main\ = "MSWordDocx,MSWordDocm,MSWordDotx,MSWordDotm,MSWordOdt" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2\ = "Document" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\4 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\PriorityCacheFormats\0 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3\ = "Microsoft Word 97 - 2003" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DelayRenderFormats\0\ = "Woozle" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable\Main C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\wordicon.exe,1" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Printable C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\1 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile\ = "MSWordDoc" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\5\ = "NoteshNote, -1,1,1" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.Word, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750000000000 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{000C0118-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Office.Interop.Word.DocumentClass" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\PriorityCacheFormats\0\ = "Rich Text Format" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\ = "0" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1\ = "1,1,1,3" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\4\ = "Rich Text Format,1,1,3" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\5 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\PriorityCacheFormats C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultExtension\ = ".doc,Word Document (.doc)" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\PersistentHandler C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Word, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\WINWORD.EXE" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe

"C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe"

Network

N/A

Files

memory/2512-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2512-1-0x0000000003180000-0x000000000338C000-memory.dmp

memory/2512-8-0x0000000003180000-0x000000000338C000-memory.dmp

memory/2512-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2512-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2512-13-0x0000000003180000-0x000000000338C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

memory/2512-23-0x0000000003180000-0x000000000338C000-memory.dmp

memory/2512-33-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2512-35-0x0000000003180000-0x000000000338C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-03 18:45

Reported

2024-12-03 18:47

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A

Renames multiple (245) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe N/A

Modifies registry class

Processes

C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe

"C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

C:\Program Files\7-Zip\7-zip.dll.tmp
