Malware Analysis Report

2025-01-22 23:11

Sample ID 241202-1pm3sszral
Target 3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe
SHA256 3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a

Threat Level: Known bad

The file 3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (222) files with added filename extension

Renames multiple (616) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-02 21:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-02 21:49

Reported

2024-12-02 21:52

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Renames multiple (222) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3\ = "Outlook File Attachment" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1\ = "&Print,0,2" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2 C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32 C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Outlook.FileAttach" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0 C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b004f00550054004c004f004f004b00460069006c00650073003e005500330069006f006b006a0040004a0069003f0035007600320062006600790076003d0046002c0000000000 C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0\ = "&Open,0,2" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1 C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\2 C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\2\ = "&Save As...,0,2" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Outlook File Attachment" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2\ = "File" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3 C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "ole32.dll" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe

"C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe"

Network

N/A

Files

memory/2052-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2052-1-0x0000000003100000-0x000000000330C000-memory.dmp

memory/2052-8-0x0000000003100000-0x000000000330C000-memory.dmp

memory/2052-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2052-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2052-13-0x0000000003100000-0x000000000330C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

MD5 f80ff98b576fea3c553415bdffa42990
SHA1 24333ea117521a870ac0b9712d979a3b9fb37560
SHA256 939233ed2e3174bdafbfe69ee52de280496e2835626c8f9826013d89aee219bb
SHA512 89bc5c0ee2b62c349e49673691e278dbbdee9a4bee67b313ed3688c21bc02480c3cafd4f0404be1e03f46211cf01f1a12b632770ca3f171e96bf6c7ec9126009

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 066249d513ca91c08aaebdee80bccc5a
SHA1 26b97ff9231dc3251774745a9a4a4db86fc9c2d2
SHA256 0a1bb15efa5d936914df3bd01d174d1bf3cdf9693fd0e48ea1d101d40e24d672
SHA512 4b08b5aac4e8f003b808c6b003f8131e2f8d3b5bddd33f0ada9708e27f35c081ee1bedf48976f3225b3652f1c1db95cff06e56566190323fc415feafaab31fb9

memory/2052-26-0x0000000003100000-0x000000000330C000-memory.dmp

memory/2052-25-0x0000000003100000-0x000000000330C000-memory.dmp

memory/2052-41-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2052-45-0x0000000003100000-0x000000000330C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-02 21:49

Reported

2024-12-02 21:52

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Renames multiple (616) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Drops file in Program Files directory

File created C:\Program Files\DenyConfirm.wvx.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "CFeedbackPane" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\Windows.UI.Immersive.dll" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe

"C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe"

Network

Country Destination Domain Proto

Files

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp


C:\Program Files\7-Zip\7-zip.dll.tmp

