Malware Analysis Report

2025-01-22 23:11

Sample ID 241201-djz4vavlfy
Target c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5
SHA256 c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5
Tags: banload discovery downloader dropper evasion ransomware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5

Threat Level: Known bad

The file c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Renames multiple (226) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (708) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-01 03:03

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-01 03:03
Reported: 2024-12-01 03:05
Platform: win7-20241023-en
Max time kernel: 150s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A

Renames multiple (226) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A

Modifies registry class


Processes

C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe

"C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini.tmp

MD5 e46db7d5c037a7e7c9ae48a8abf2fa9e
SHA1 f6b577d8ffc78a8b6c230dc0361af8c897ba196e
SHA256 b6998a12a5ead7f3e7fb3dcb89a1968ae26c02a9bdca83ef58cb93afbb9ed77e
SHA512 aaa6f989ca982d890b49f067cde7d09017a14cbea41b544104377e3d3f2f734be933e5d5ea2e5d146c5f19985e0d54464b51bdaae47131bbb397abea143ed019

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 376cdcbbfa6f5919268e37317e2ddb88
SHA1 d68e5872b8dd0f8c07062c84a077523cefafe36a
SHA256 1bffcf547e16e240df51d5d2b3bfc274fab4252be1ca6444ec52b479dc597268
SHA512 82f223ff806e1726cfd87af6c6952b9f94411446e712ce62b07fbccc90fb37937fc7155854905814473562934ae82b5c4b407f2f959937f70c153a9b3fc1ae0f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-01 03:03
Reported: 2024-12-01 03:05
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A

Renames multiple (708) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A

Drops file in Program Files directory

File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
File created C:\Program Files\7-Zip\Lang\ext.txt.tmp C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "IE Background Task Scheduler" C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\ieframe.dll" C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe

"C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

memory/2768-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2768-2-0x00000000049D0000-0x0000000004BDC000-memory.dmp

memory/2768-9-0x00000000049D0000-0x0000000004BDC000-memory.dmp

memory/2768-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2768-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2768-14-0x00000000049D0000-0x0000000004BDC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

MD5 75fcdff09eb9ed1dfabdc20072d2291a
SHA1 19d357b732a090657dc482cba2e89c8bfe9e7237
SHA256 5fa59abde0d09b5a18b2e7abade587099ad7c1afc280b015e7820a445490923f
SHA512 6a088a300a17e2ed1c37618b430a83f6477ff1771b30fbbe5ab80850f1fe29867c0eca606bc172f36fba286e71274bb8cdf56b05a010210fd35a189a7a4ec3f1

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 c1642fa4681b7d2df8e6ccf46de0b747
SHA1 ccff13b5ceb09e885b1c369bcaa8008f681bbcce
SHA256 92624b86e56303fdf071882ac4f5848c8a6cd59e888749f0ee461315dbe44549
SHA512 87a8d7626d9e67e768f03bf79ae0622dbc6bb236222d0953f1edf1bd9b96b7b7e7c80c01687a69a5d513ad733d4b5c34a2800f18b0d4aba8d090a472e45f14d7

memory/2768-46-0x00000000049D0000-0x0000000004BDC000-memory.dmp

memory/2768-47-0x00000000049D0000-0x0000000004BDC000-memory.dmp

memory/2768-130-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2768-150-0x00000000049D0000-0x0000000004BDC000-memory.dmp