Malware Analysis Report

2025-01-22 23:11

Sample ID 241127-rtyknatmam
Target 64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
SHA256 64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce
Tags banload discovery downloader dropper evasion ransomware trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce

Threat Level: Known bad

The file 64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload family

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (415) files with added filename extension

Renames multiple (196) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-27 14:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 14:29

Reported

2024-11-27 14:31

Platform

win7-20241010-en

Max time kernel

120s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe | N/A

Renames multiple (196) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe | N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe | N/A

Modifies registry class


Processes

C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

"C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe"

Network

N/A

Files


C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp

MD5 60f5e8027708a08f55e58c4969fa8083
SHA1 bcb52a1e3218ccfefda661ffcd057657cdbefdf2
SHA256 7e8e141819ec8b1b6f8350aed8b840a983af2689d64248efd934e65cdd40057c
SHA512 64fee121c76dfc9eeb66c88b5ea60c3fc2733eb57237575f3545e75be0b6a57ea96ec315bd7480a91ee13d9275fdee81f6fa71618e8a1bd9917c60238eb644ce

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 fb012b9f5c1e749fcab90e329faa215e
SHA1 0fc9f2900f65e074d156ea4b1e1a055253119b17
SHA256 b73d31f61c7a8f858cdc6faa489f2e6ccb67e93b809ea32dd4e90042c2fd13b2
SHA512 c9daf0ac70a694da0fed1606d7a4afcc31f728aba8a974356cf88bf1614618f8ecdc24fc126e6016ceedceb29a72da0008a9569b79fad50adb1b0d797951ac37


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 14:29

Reported

2024-11-27 14:31

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe | N/A

Renames multiple (415) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe | N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\7-Zip\Lang\ku.txt.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\7-Zip\Lang\sq.txt.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-fibers-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\7-Zip\Lang\be.txt.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwritalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processenvironment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\7-Zip\7z.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\7-Zip\7zCon.sfx.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\7-Zip\Lang\lij.txt.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Code Integrity Wmi Provider" C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\CIWmi.dll" C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

"C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/452-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/452-2-0x0000000004980000-0x0000000004B8C000-memory.dmp

memory/452-9-0x0000000004980000-0x0000000004B8C000-memory.dmp

memory/452-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/452-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/452-14-0x0000000004980000-0x0000000004B8C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

MD5 b8a797ae4de60f6b8dd57d209af55a9b
SHA1 6ffb42c7dcb6ba1e49688d4f7b3c07f4c46f7d4e
SHA256 9ca411a4ef31677f0bf8128e5937b75957eab65558bfe96a9e9670dcc042f46f
SHA512 85c450d464d2c77361f5b432fdebd2b0415d93207180af2c3a974c723df1b58fcafde2764c23cedf41f336f510f23ce62bdee0a31dcda0ed683443fedd11588e

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 75aadeb68ea3f5b36df673cabaae888d
SHA1 01992be20a5902d424a6233bfe75c1df30775e59
SHA256 eab9042a1c9505cea8687591ff415220b7f1a86955fcbe16096f473d837a8735
SHA512 0236ce84de75c93a53976bc8eb97097fedd4265ffb207d645df5ff9642929ef0e0d86c5b62cf12f4e71c2df9b2ade5d043ef7c53f672fa7a2a577735ad9cd1b2

memory/452-42-0x0000000004980000-0x0000000004B8C000-memory.dmp

memory/452-43-0x0000000004980000-0x0000000004B8C000-memory.dmp

memory/452-114-0x0000000000400000-0x0000000000616000-memory.dmp

memory/452-128-0x0000000004980000-0x0000000004B8C000-memory.dmp