Analysis Overview
SHA256
8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425e
Threat Level: Known bad
The file 8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (195) files with added filename extension
Renames multiple (245) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-03 18:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-03 18:45
Reported
2024-12-03 18:47
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
Renames multiple (195) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2\ = "3,1,32,1" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DocObject\ = "16" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3\ = "HTML Format,1,1,3" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Word 97 - 2003 Document" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DelayRenderFormats | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DelayRenderFormats\0 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\0\ = "Embed_Source,1,8,1" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0\ = "&Edit,0,2" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1\ = "&Open,0,2" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\1\ = "1" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\0 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "9" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Word.DocumentClass" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\IPersistStorageType = "1" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main\ = "MSWordDocx,MSWordDocm,MSWordDotx,MSWordDotm,MSWordOdt,MSWordDoc,1" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable\Main\ = "MSWordDocx,MSWordDocm,MSWordDotx,MSWordDotm,MSWordOdt" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2\ = "Document" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\4 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\PriorityCacheFormats\0 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3\ = "Microsoft Word 97 - 2003" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DelayRenderFormats\0\ = "Woozle" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable\Main | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\wordicon.exe,1" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Printable | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile\ = "MSWordDoc" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\5\ = "NoteshNote, -1,1,1" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.Word, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750000000000 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{000C0118-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Office.Interop.Word.DocumentClass" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\PriorityCacheFormats\0\ = "Rich Text Format" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1\ = "1,1,1,3" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\4\ = "Rich Text Format,1,1,3" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\5 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\PriorityCacheFormats | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultExtension\ = ".doc,Word Document (.doc)" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\PersistentHandler | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Word, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\WINWORD.EXE" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe
"C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe"
Network
Files
memory/2512-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2512-1-0x0000000003180000-0x000000000338C000-memory.dmp
memory/2512-8-0x0000000003180000-0x000000000338C000-memory.dmp
memory/2512-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2512-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2512-13-0x0000000003180000-0x000000000338C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp
| Hash | Value |
| --- | --- |
| MD5 | bde49d9934eb2a744d6e663b70c07371 |
| SHA1 | cfce3c541fd60c56ad93f80b87be965ea947d87e |
| SHA256 | 2c72ab2de76208182488da845b9cefb97da4621951a53b512a675060dd5c6f78 |
| SHA512 | 60b6f2b84832abbc6ee4947a7a20a8aa121b4937407d10363484dcf62d4d3667b61dbfbf0874d035805bbe289a297a7358a18ba3493b19821230b681ba50a9a7 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| Hash | Value |
| --- | --- |
| MD5 | 728346a990864f31010ed0b69b4d9e15 |
| SHA1 | 9ef86f54bd66a807714347156265583b008733fc |
| SHA256 | 1492978a3aa562906851e5faf1beb0d158e917f975d9f4a7d25979d0048bb54f |
| SHA512 | defaf5dd8404b3bae329dac56391030855c7b3d9db34a1f6cdd12e20e9b386db3e5d5ca376d18739504994d642abcbfd0de126706a45654a66017cf30b73d9e0 |
memory/2512-23-0x0000000003180000-0x000000000338C000-memory.dmp
memory/2512-33-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2512-35-0x0000000003180000-0x000000000338C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-03 18:45
Reported
2024-12-03 18:47
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
93s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
Renames multiple (245) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3\ = "Microsoft Word" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "9" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\NotInsertable | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\NotInsertable\ | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2\ = "Picture" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main\ = "MSDraw,Word.Picture.6,1" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1\ = "1,1,1,3" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WORDICON.EXE,1" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE\"" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "Word.Picture" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile\ = "MSWordDoc" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3\ = "HTML Format,1,1,3" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0\ = "&Edit,0,2" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Word.Picture.8" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\0\ = "Embed_Source,1,8,1" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\4 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\4\ = "Rich Text Format,1,1,3" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{00020905-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Word Picture" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\0 | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2\ = "3,1,32,3" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1\ = "&Open,0,2" | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe
"C:\Users\Admin\AppData\Local\Temp\8ad5a6233319b2d6a55683abb6b3d69909ee03894fc110bf539317f5d366425eN.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
Files
memory/1404-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1404-2-0x0000000004240000-0x000000000444C000-memory.dmp
memory/1404-9-0x0000000004240000-0x000000000444C000-memory.dmp
memory/1404-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1404-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1404-14-0x0000000004240000-0x000000000444C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp
| MD5 | 81ecc4f3ec6fd5de8dd191ddc1da6c8e |
| SHA1 | a9025c2d1dda510a2857d728538923af2c906fe5 |
| SHA256 | 01d8399cb04f4dc1ef631d914d8075a168fd320df3d00d4a2a2eb7f32af6c504 |
| SHA512 | 37360cca6e05f1aeec126804e672a9b86be92ceb11e4e293a400127189cdff0c47fa5bb7a2dacfba284a713449efbdec49bd4ac9ed76be0ffe02cd00349ab60d |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 5ae5ece450853544da6e054a1d314c98 |
| SHA1 | 287b03b4dca5c77942651f43b093902339da5375 |
| SHA256 | 9afd1c8c56be74cd11079447361c28e08a35d5274612b12c1041a638f70b8cad |
| SHA512 | bb1ca76bbb68c744f33fdb170e3055c48d484a6926888982290700db6ea0344dab43baa9f7de51aa44d5abf48f6259ca95631a0b95f1ba6694d96fbe5638dbeb |
memory/1404-33-0x0000000004240000-0x000000000444C000-memory.dmp
memory/1404-32-0x0000000004240000-0x000000000444C000-memory.dmp
memory/1404-76-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1404-86-0x0000000004240000-0x000000000444C000-memory.dmp