Malware Analysis Report

2025-01-22 23:11

Sample ID 241202-qxpw9a1nen
Target f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
SHA256 f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8

Threat Level: Known bad

The file f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (231) files with added filename extension

Renames multiple (726) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-02 13:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-02 13:38

Reported

2024-12-02 13:41

Platform

win7-20240903-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Renames multiple (231) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\CopyShow.odp.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\ado\msado21.tlb.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\ca.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\kk.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\MSTTSLoc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadcfr.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\hu.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\sa.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\tg.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\va.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\ba.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\ado\adojavas.inc.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\DVD Maker\DVDMaker.exe.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\mng2.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\DebugMerge.vdx.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\DirectDB.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Shell C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shellex\PropertySheetHandlers\{00020D75-0000-0000-C000-000000000046}\ C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Shell\Open\Command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE\"" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shellex\PropertySheetHandlers C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ShellFolder\Attributes = 72000000 C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InfoTip = "Displays your e-mail, calendar, contacts, and other important personal information." C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE,7" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\MLSHEXT.DLL" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Shell\Open C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ShellFolder C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Outlook" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shellex\PropertySheetHandlers\{00020D75-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shellex C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

"C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe"

Network

N/A

Files

memory/2644-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2644-8-0x00000000030F0000-0x00000000032FC000-memory.dmp

memory/2644-1-0x00000000030F0000-0x00000000032FC000-memory.dmp

memory/2644-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2644-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2644-13-0x00000000030F0000-0x00000000032FC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

MD5 410d0bb541855e91a4bc810285f4432a
SHA1 9c70380b591785f30615442f07d9773a0a431fb5
SHA256 502a473b2520969df2647e30e072b095177c15aea545fd16b2ebb989c69cebca
SHA512 df4f609a52cbb85a905ec8219c4ca21d0a2ae9461eaf5db5b6fb1b0ea8406d8e64a1bf7d66e153503ce029c83f2f9dd00408457ed1da033f3d94f7b054a2035c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 cd58e83722735223a7cbd84d407006c1
SHA1 bc1e28d5d69e60a679c20d754c17cb29ed65cf77
SHA256 f2706dac445fa6f6f50a394752928824f8ec473e4d7c2f9da6ac1e51deae7080
SHA512 f86a26fdaf84693e69dbfb0f597d12ff70a3d084f34f6f474b86162b59da1604be450eb7cc1602fb0957668fbba26280441b83f7f37d4015d73cb8356c880d9c

memory/2644-25-0x00000000030F0000-0x00000000032FC000-memory.dmp

memory/2644-43-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2644-51-0x00000000030F0000-0x00000000032FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-02 13:38

Reported

2024-12-02 13:41

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Renames multiple (726) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Requests.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\ConvertHide.wmf.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\mn.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\hostpolicy.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\cy.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\ta.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\en.ttt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\tt.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\LICENSE.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "lnkfile" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shellex C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\windows.storage.dll" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{00000003-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Shortcut" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DisableProcessIsolation = "1" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\NoOplock = "1" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\OverrideFileSystemProperties C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\OverrideFileSystemProperties\System.Kind = "1" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shellex\MayChangeDefaultMenu C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{00021401-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

"C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 81.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1008-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1008-2-0x0000000004970000-0x0000000004B7C000-memory.dmp

memory/1008-9-0x0000000004970000-0x0000000004B7C000-memory.dmp

memory/1008-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1008-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1008-14-0x0000000004970000-0x0000000004B7C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

MD5 38eaba0b1e911e207f6df44e7403d410
SHA1 61112f70d4ae3a0731cb7907cad64390a8b196af
SHA256 16695f3518e61621918c0a02317b5245167880940d857da1817eb13da85581a5
SHA512 7d58a9b76c4def07dcdd70fff178f4e87517d777a0628693db27d83aaf92c2848bbfa538e39ba3d047305fc6fc8fcc2dd305a59408ddd47b61a12b832f343702

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 2b3d40875c65783683ba819a4afbce21
SHA1 75e9fc673d455eeb75e70a70d9212e8854ceb98c
SHA256 ad7d3ba7de248fcb5edc49bb17b0b2ae7841cb0823f7fb5bbd6b58ce492e7741
SHA512 48d3def6009c925c90c3c40a88f1e0a8901121e0428e2c6641e390a1ea1e754fcc1a9bec5b232ba67f84218b4f79013b81099773b1e1e8bc45b6c74d39464644

memory/1008-50-0x0000000004970000-0x0000000004B7C000-memory.dmp

memory/1008-51-0x0000000004970000-0x0000000004B7C000-memory.dmp

memory/1008-136-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1008-154-0x0000000004970000-0x0000000004B7C000-memory.dmp