Malware Analysis Report

2025-01-22 23:09

Sample ID 241201-xb792asrfq
Target 92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe
SHA256 92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87

Threat Level: Known bad

The file 92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Renames multiple (196) files with added filename extension

Renames multiple (319) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-01 18:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-01 18:41

Reported

2024-12-01 18:44

Platform

win7-20241023-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A

Renames multiple (196) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\ca.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\fi.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\kaa.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\7-zip32.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\kk.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\readme.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\7zG.exe.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\ku.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwritash.dat.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\de.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\CheckpointTrace.wma.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\cs.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\ga.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\hu.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\lv.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\uz.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\kab.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\License.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\pa-in.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\sw.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\ne.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\ba.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "SAPI.SpLexicon" C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "SpLexicon Class" C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll" C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{C866CA3A-32F7-11D2-9602-00C04F8EE628}" C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "5.4" C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "SAPI.SpLexicon.1" C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe

"C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe"

Network

N/A

Files

memory/2404-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2404-8-0x0000000002F00000-0x000000000310C000-memory.dmp

memory/2404-1-0x0000000002F00000-0x000000000310C000-memory.dmp

memory/2404-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2404-13-0x0000000002F00000-0x000000000310C000-memory.dmp

memory/2404-11-0x0000000000400000-0x0000000000616000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini.tmp

MD5 ecec5a6f6670d851f1a213e1bfc0c3c6
SHA1 5b577cf88086903e1416b769198c208bd3d9441d
SHA256 b7dec034bf1b681888e0765173377fab27f4dda1f400d0a043507f1339a00236
SHA512 e65b77c07bff0858fb1382d89525d2062582d8b6d55a3a19335866d94b543c5369f67a931596ba648414b669ff150e35ec524e75b310be59cf636e9c5fea9a1f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 24eb1dc607c822c027af1b681a7b4f20
SHA1 eaaee8fc8e9936aee5cc373d8bd2a85dec2002df
SHA256 cca2a6286472d224bd0ef8a504d9cd63a3563c2369c82829f99d25baee3d16bf
SHA512 f550d637badc0f8d894b6e586bbe003100cf15a699aa58c9e5d2e52f7682d8fa82149410538dfb3c7fd903b4bbfb643dad090bf04b51262791f24bb659814b23

memory/2404-26-0x0000000002F00000-0x000000000310C000-memory.dmp

memory/2404-25-0x0000000002F00000-0x000000000310C000-memory.dmp

memory/2404-37-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2404-43-0x0000000002F00000-0x000000000310C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-01 18:41

Reported

2024-12-01 18:44

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A

Renames multiple (319) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadce.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\mr.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\fa.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\tg.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\System\ado\msado21.tlb.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\nl.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\ApproveUse.TTS.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\descript.ion.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\sl.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadds.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\dicjp.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadco.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\sw.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\he.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\en.ttt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "DAO.DBEngine.36" C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "DAO.DBEngine.36" C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%CommonProgramFiles%\\Microsoft Shared\\DAO\\dao360.dll" C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "dao.DBEngineClass" C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "dao, Version=10.0.4504.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe

"C:\Users\Admin\AppData\Local\Temp\92eba36eb3d071e979bbe62623b4850677f96a83bc2b0a7256d6a6dd5a930c87.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.tmp


C:\Program Files\7-Zip\7-zip.dll.tmp

