Malware Analysis Report

2025-01-22 23:11

Sample ID 241127-xp52tswkb1
Target 2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe
SHA256 2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8
Tags
banload discovery downloader dropper evasion ransomware trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8

Threat Level: Known bad

The file 2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload family

Banload

Renames multiple (431) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (199) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-27 19:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 19:02

Reported

2024-11-27 19:04

Platform

win7-20240903-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A

Renames multiple (199) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\7zG.exe.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\kab.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\ta.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\ko.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\uk.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\7-zip32.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\7zCon.sfx.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\hu.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\ClearConvertTo.xsl.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\ar.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\de.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\gl.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\ku.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\si.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\sk.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\wmcodecdspps.dll" C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "PSFactoryBuffer" C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe

"C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe"

Network

N/A

Files

memory/2360-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2360-1-0x0000000002FF0000-0x00000000031FC000-memory.dmp

memory/2360-8-0x0000000002FF0000-0x00000000031FC000-memory.dmp

memory/2360-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2360-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2360-13-0x0000000002FF0000-0x00000000031FC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

MD5 5b929370e84ad20c2051f479520f5956
SHA1 f883b5f55ea4692e723be5269dbf2126a0803a65
SHA256 fb0d030c4d93328e3028f11b251ac9801e77e4ba1045701a7debc8f01420384f
SHA512 c24c72adc4a15e7547e6425620379f852debdbe3bed2535a4b5cb0166f171f7fd758f9d12ea568d9d2c9675b173fe9e0f922f8d75f4ed72403d4633a79c022ba

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 a5da00043ab3c7d607db2d5652830e67
SHA1 53ab41a22731a0d4c6b676ad3f6c0d243eff82fd
SHA256 cb819e0d7dd30d047cb8cb9561d0ad7a02a776e8474f6f45dfa3c05597646d38
SHA512 410339ecab0732538f4e24b7f34241c9b245b106ea017360b208065f8b7d8ae9285a365f6b3f500a329f6465477a30de61921e8c564c715c45de1ad8624c2cdc

memory/2360-25-0x0000000002FF0000-0x00000000031FC000-memory.dmp

memory/2360-43-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2360-51-0x0000000002FF0000-0x00000000031FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 19:02

Reported

2024-11-27 19:04

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A

Renames multiple (431) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\io.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\sq.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Crashpad\metadata.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\nn.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\kaa.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\ConfirmHide.MTS.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\el.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\ro.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\System\ado\msado21.tlb.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\System\ado\msado25.tlb.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\va.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\System\ado\msadox.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\az.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Uninstall.exe.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\Lang\vi.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\7-Zip\History.txt.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "XDS Feature Segment" C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msvidctl.dll" C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Programmable C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{B0EDF154-910A-11D2-B632-00C04F79498E}" C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe

"C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/2268-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2268-2-0x0000000004480000-0x000000000468C000-memory.dmp

memory/2268-9-0x0000000004480000-0x000000000468C000-memory.dmp

memory/2268-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2268-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2268-14-0x0000000004480000-0x000000000468C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

MD5 87dfa021de296e6349eb0bb89df571e2
SHA1 e1c281f0c18ac40c28427b445b769a59860fac8e
SHA256 c50ea93e46f1ab7056f152f2d830efc998f1992ea65f443262101c7d65859e8c
SHA512 e4a8dd88ba56c3062c127697d21c64d77669b2149e7336980770eceed0dbd99950260839f275dc91f3641db1d49da126f51769f1f74db6d7a8753b39ce3bae7f

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 513e5903480d82ae4cb5e86f5cd6161e
SHA1 c62c2cb6815853df44c37994243e9ea397d7deea
SHA256 ab0fd17f43471b0d001003e497bc57c73e8bad39226d6126a8472b3941db42df
SHA512 72cb6bea6fd14600d3000e14bb0aae60719166db3930255ec27dad2bb01aa22cc3aecd6a1943bbb7d4b15ee73d8ef33e0b59c82c119313855da9841b5e89a740

memory/2268-42-0x0000000004480000-0x000000000468C000-memory.dmp

memory/2268-43-0x0000000004480000-0x000000000468C000-memory.dmp

memory/2268-110-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2268-124-0x0000000004480000-0x000000000468C000-memory.dmp