Analysis Overview
SHA256
8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d
Threat Level: Known bad
The file 8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (221) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-27 19:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-27 19:21
Reported
2024-12-27 19:22
Platform
win10ltsc2021-20241023-en
Max time kernel
47s
Max time network
33s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
Renames multiple (221) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.2" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Office.Interop.Excel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0\Class = "Microsoft.Office.Interop.Excel.ChartClass" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE\"" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2\ = "Chart" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2 | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0 | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\ReadWritable | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{000C0118-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3 | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\4 | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\4\ = "NoteshNote,-1,1,1" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\XLICONS.EXE,3" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1 | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\ReadWritable\Main | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3\ = "NotesDocInfo,1,1,1" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "Excel.Chart" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultExtension | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.Excel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3 | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable\ | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile\ = "Biff8" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\0\ = "3,1,32,1" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1\ = "2,1,16,1" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0 | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\PersistentHandler | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Excel.Chart.8" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0\ = "&Edit,0,2" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2 | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{00020813-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1\ = "&Open,0,2" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultExtension\ = ".xls, Excel Workbook (*.xls)" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1 | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Office.Interop.Excel.ChartClass" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\ReadWritable\Main\ = "Biff8" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}\ | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\ = "1" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2\ = "1,1,1,1" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Excel Chart" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3\ = "Microsoft Excel 2003" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main\ = "Biff8,Biff5,ExcelChart" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DocObject\ = "16" | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe
"C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
Files
memory/384-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/384-2-0x0000000005330000-0x000000000553C000-memory.dmp
memory/384-9-0x0000000005330000-0x000000000553C000-memory.dmp
memory/384-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/384-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/384-14-0x0000000005330000-0x000000000553C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1669812756-2240353048-2660728061-1000\desktop.ini.tmp
| MD5 | 38de2f2f1ff31888f3bef0b401cb429d |
| SHA1 | 56b07d117c8742515f27bcea656ed747ea84847f |
| SHA256 | 50a9900c8d3ce4d47fba17e3a9e2ce36157e94a8a4d8ebddb5d7eb40d1c70185 |
| SHA512 | bac433ce02ea9ef9b0c5dd7d2b98bf58d2dff32f0ffd953e595ff461a9f6d8a68190b36d3d082ea51e14919473e1c1eca691670ba736fa105c69caa6292a794f |
C:\Program Files\7-Zip\7-zip.chm.tmp
| MD5 | cb95cbab8a25d4dd80893bb1d5d47642 |
| SHA1 | fb3a106b8ff641ad54de0701891629e4c5f54f93 |
| SHA256 | a8268372b6d8a1f7b056fb56d17d74027b712f2be0bb9dfa0d230dc772b9c4e6 |
| SHA512 | dd3b26696f25449d076cc7d0c52cda0b32e9ec815c00306d989d3f64754820768e61363759f382b637a60d9ee12180ad14327d085d6982fe7bfbcbad09f8184b |
memory/384-40-0x0000000005330000-0x000000000553C000-memory.dmp
memory/384-41-0x0000000005330000-0x000000000553C000-memory.dmp
memory/384-106-0x0000000000400000-0x0000000000616000-memory.dmp
memory/384-118-0x0000000005330000-0x000000000553C000-memory.dmp