Malware Analysis Report

2025-01-22 23:09

Sample ID 241202-se96ksynhw
Target 5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe
SHA256 5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e
Tags: banload discovery downloader dropper evasion ransomware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e

Threat Level: Known bad

The file 5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Renames multiple (195) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (245) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-02 15:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-02 15:03
Reported: 2024-12-02 15:05
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

Renames multiple (245) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
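The two registry signatures above, the open of HARDWARE\ACPI\DSDT\VBOX__ and the SystemBiosVersion/SystemBiosDate queries, are the classic virtualization-check pair (ATT&CK T1497.001: the VBOX__ ACPI table and a "VBOX" BIOS string exist only in a VirtualBox guest). Note that in both detonations the mass file writes still happened, so whatever the sample did with the answer did not abort the payload in this sandbox. The detection below is an added example, not part of this report or of the sandbox vendor's tooling: it runs over a constructed, Sysmon-shaped registry event stream and flags a process on one "strong" key (present only under a hypervisor) or on two or more distinct "weak" BIOS descriptor values, because installers and inventory tools legitimately read SystemBiosVersion on its own. The VirtualBox/VMware keys beyond the two the report shows are assumptions added for coverage.

```python
"""Flag processes that fingerprint the hypervisor through the registry.

Added example; not part of the sandbox report or of any vendor tooling. The
input is a constructed, simplified event stream in a Sysmon-like shape
(EID 12 = key open/create, EID 13 = value query/set), not the sandbox's own
log format. The key list is an assumption: it contains the two locations the
report shows (ACPI\\DSDT\\VBOX__ and SystemBiosVersion/SystemBiosDate) plus
the VirtualBox/VMware equivalents a practitioner would normally add.
"""
import re
from collections import defaultdict

# Strong indicators: these keys exist only when guest additions or a
# hypervisor's ACPI tables are present, so a lookup is a deliberate VM probe.
STRONG_VM_KEYS = [
    r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
    r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools",
    r"\\Services\\(VBoxGuest|VBoxMouse|VBoxSF|vmhgfs|vmmouse)",
]
# Weak indicators: installers and inventory tools read these too, so one hit
# is noise; several distinct ones from the same process are a fingerprint.
WEAK_VM_VALUES = [
    r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)",
    r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\(SystemManufacturer|SystemProductName|BIOSVendor)",
]
STRONG = re.compile("|".join(STRONG_VM_KEYS), re.IGNORECASE)
WEAK = re.compile("|".join(WEAK_VM_VALUES), re.IGNORECASE)

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EID=(?P<eid>1[23]) Image=(?P<image>\S+) TargetObject=(?P<obj>.+)$"
)

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe"

# Constructed events: the three registry touches the report attributes to the
# sample, plus two benign lookups that must not trigger.
SAMPLE_EVENTS = [
    rf"2024-12-02T15:03:41 EID=12 Image={SAMPLE_EXE} TargetObject=HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    rf"2024-12-02T15:03:41 EID=13 Image={SAMPLE_EXE} TargetObject=HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    rf"2024-12-02T15:03:41 EID=13 Image={SAMPLE_EXE} TargetObject=HKLM\HARDWARE\DESCRIPTION\System\SystemBiosDate",
    r"2024-12-02T15:03:50 EID=13 Image=C:\Windows\System32\msinfo32.exe TargetObject=HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"2024-12-02T15:03:52 EID=12 Image=C:\Windows\explorer.exe TargetObject=HKCU\Software\Classes\Local Settings",
]


def parse_event(line):
    """Return the event fields as a dict, or None for a line that is not an event."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def find_vm_fingerprinting(lines, weak_threshold=2):
    """Map image path -> {'strong': [...], 'weak': [...]} for processes that probe for a VM.

    A process is reported when it touches any strong key, or at least
    `weak_threshold` distinct weak values (the report's own pairing of
    SystemBiosVersion with SystemBiosDate is exactly that pattern).
    """
    strong_hits = defaultdict(set)
    weak_hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if STRONG.search(ev["obj"]):
            strong_hits[ev["image"]].add(ev["obj"])
        elif WEAK.search(ev["obj"]):
            weak_hits[ev["image"]].add(ev["obj"])
    verdicts = {}
    for image in set(strong_hits) | set(weak_hits):
        strong, weak = strong_hits.get(image, set()), weak_hits.get(image, set())
        if strong or len(weak) >= weak_threshold:
            verdicts[image] = {"strong": sorted(strong), "weak": sorted(weak)}
    return verdicts


if __name__ == "__main__":
    for image, hits in find_vm_fingerprinting(SAMPLE_EVENTS).items():
        print(image, hits)
```

Run as-is it reports only the sample: one strong hit (the VBOX__ ACPI key) and two weak hits, while msinfo32.exe with a single BIOS read stays silent. In a real Sysmon deployment the equivalent is a rule on EID 12/13 TargetObject containing these paths, with the weak set aggregated per process before alerting.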

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\sa.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\fy.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\uz.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\cs.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\dicjp.bin.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\System\ado\msado21.tlb.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwresplm.dat.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\uk.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\pt-br.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\cy.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\pl.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\descript.ion.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\kk.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\nb.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\kaa.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
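The "Renames multiple (245) files with added filename extension" signature and the table of *.tmp creations above describe one burst of writes across Program Files (and, per the Files section, $Recycle.Bin), where each new name keeps the original extension and appends another one. The detection below is an added example, not from the report or the sandbox vendor: per process and per appended extension it counts files inside a sliding time window and alerts above a threshold, so a legitimate installer staging a few .tmp files or a logger writing many single-extension files does not fire. The input is a constructed event stream; four target paths are copied from the table above, the remaining ones are invented 7-Zip language files so the burst crosses the threshold, and the threshold and window values are assumptions to tune per environment.

```python
"""Detect a process that writes many files with one appended extension.

Added example; not from the sandbox report or any vendor tooling. The input
is a constructed file-event stream (one line per FileCreate/FileRename, in an
invented "ts op Image= Target=" layout); a few target paths are copied from
the report's "Drops file in Program Files directory" table and the rest are
made-up 7-Zip language files so the burst crosses the threshold. The
threshold and window are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<op>FileCreate|FileRename) Image=(?P<image>\S+) Target=(?P<path>.+)$"
)
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe"


def appended_extension(path):
    """'.tmp' for 'AppvIsvSubsystems64.dll.tmp', None for 'trace.etl'.

    An extension counts as appended only when the name already had one, which
    is what "renames with added filename extension" means: the original
    suffix survives in the middle of the new name.
    """
    suffixes = PureWindowsPath(path).suffixes
    return suffixes[-1].lower() if len(suffixes) >= 2 else None


def _peak_in_window(timestamps, window):
    """Largest number of (sorted) events that fall inside any span of length `window`."""
    best = start = 0
    for end in range(len(timestamps)):
        while timestamps[end] - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_mass_rename(lines, threshold=20, window_seconds=60):
    """Return {image: {ext: {total, peak_in_window, directories}}} for bursts over the threshold."""
    per_proc = defaultdict(lambda: defaultdict(list))  # image -> ext -> [(ts, directory)]
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ext = appended_extension(m["path"])
        if ext is None:
            continue
        ts = datetime.fromisoformat(m["ts"])
        per_proc[m["image"]][ext].append((ts, str(PureWindowsPath(m["path"]).parent)))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for image, by_ext in per_proc.items():
        for ext, events in by_ext.items():
            events.sort()
            peak = _peak_in_window([ts for ts, _ in events], window)
            if peak >= threshold:
                alerts.setdefault(image, {})[ext] = {
                    "total": len(events),
                    "peak_in_window": peak,
                    "directories": len({d for _, d in events}),
                }
    return alerts


def constructed_events():
    """Constructed input: the sample's burst plus two benign writers that must not alert."""
    base = datetime(2024, 12, 2, 15, 3, 40)
    report_paths = [  # copied from the report's file-creation table and Files section
        r"C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp",
        r"C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp",
        r"C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp",
        r"C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp",
    ]
    invented = [rf"C:\Program Files\7-Zip\Lang\lang{i:02d}.txt.tmp" for i in range(26)]
    lines = []
    for i, path in enumerate(report_paths + invented):  # 30 files in 15 seconds
        ts = (base + timedelta(seconds=i // 2)).isoformat()
        lines.append(f"{ts} FileCreate Image={SAMPLE_EXE} Target={path}")
    for i in range(3):  # an installer staging a handful of .tmp files: below threshold
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(rf"{ts} FileCreate Image=C:\Windows\Temp\setup.exe Target=C:\Program Files\App\lib{i}.dll.tmp")
    for i in range(60):  # a logger writing many files with a single extension: not "appended"
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(rf"{ts} FileCreate Image=C:\Windows\System32\svchost.exe Target=C:\Windows\Logs\trace{i}.etl")
    return lines


if __name__ == "__main__":
    print(detect_mass_rename(constructed_events()))
```

On the constructed input only the sample alerts: 30 .tmp files, all inside one window, spread over four directories. The directory count is the useful secondary signal; a single installer usually stays in its own tree, while this sample touched 7-Zip, ClickToRun, the ink components and the Recycle Bin.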

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Office.Interop.Excel.ApplicationClass" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0 C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0\Class = "Microsoft.Office.Interop.Excel.ApplicationClass" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Office.Interop.Excel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE\" /automation" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}\ C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.Excel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Excel.Application.16" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "Excel.Application" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{000C0118-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32 C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "ole32.dll" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Excel Application" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe

"C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 70.107.222.173.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
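Every row in the table above is a reverse (PTR) lookup sent to 8.8.8.8; no other destination or protocol appears within the 94 s network window, so no download or command-and-control connection was observed, which for a downloader-tagged family means only that nothing was seen, not that nothing exists. PTR queries of this kind are also routinely issued by the guest OS and its services rather than by the sample, so they should be attributed to a process before being treated as indicators. The reversed labels are easier to triage as addresses, so the following added example (not part of the report) parses the table rows as listed, turns each in-addr.arpa name back into an IPv4 address, records which resolver was used, and confirms that nothing but DNS is present.

```python
"""Decode the reverse-DNS names in the report's Network table back to addresses.

Added example; not part of the report. The ten rows below are copied from the
behavioral2 Network table; the column layout (country, destination, queried
name, protocol) is taken from that table's header.
"""
import ipaddress
import re

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<dst>\S+) (?P<name>\S+) (?P<proto>\w+)$")

NETWORK_ROWS = [
    "US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp",
    "US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp",
    "US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp",
    "US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp",
    "US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp",
    "US 8.8.8.8:53 70.107.222.173.in-addr.arpa udp",
    "US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp",
    "US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp",
]


def ptr_name_to_ip(name):
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217'; None if not an IPv4 PTR name."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        # The four leading labels are the octets in reverse order.
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def summarize_network(rows):
    """Split the table into PTR targets, resolvers used, and any non-DNS destinations."""
    summary = {"ptr_targets": [], "resolvers": set(), "non_dns": []}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        host, _, port = m["dst"].rpartition(":")
        if port == "53":
            summary["resolvers"].add(host)
            ip = ptr_name_to_ip(m["name"])
            if ip is not None:
                summary["ptr_targets"].append(ip)
        else:
            summary["non_dns"].append(m["dst"])
    # Private or reserved targets would point at lab infrastructure rather than the internet.
    summary["all_global"] = all(ipaddress.ip_address(ip).is_global for ip in summary["ptr_targets"])
    return summary


if __name__ == "__main__":
    s = summarize_network(NETWORK_ROWS)
    for ip in s["ptr_targets"]:
        print(ip)
    print("resolvers:", sorted(s["resolvers"]), "non-DNS destinations:", s["non_dns"])
```

The decoded addresses are the artefacts to pivot on (passive DNS, ownership, whether other samples in the corpus reverse-resolve the same hosts); the report's domain column shows only the PTR names, which are not useful search keys on their own.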

Files

memory/632-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/632-2-0x00000000048B0000-0x0000000004ABC000-memory.dmp

memory/632-9-0x00000000048B0000-0x0000000004ABC000-memory.dmp

memory/632-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/632-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/632-14-0x00000000048B0000-0x0000000004ABC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

MD5 b6542c8141530e943c6aab1a01082760
SHA1 3924ff3d2c05cae5f46d7b5f6981977709f55b92
SHA256 a9c7d54c13a142a1b61586599019fd7e644278c57338df487444af3f63d147d7
SHA512 98a5f2874bcc7059110707d9f601ade04a11addbed5000d3d9385f11f690761279bd8fecbfe548565c9c16930bbd5a25af4d7626b832e0601f6a7d3c7a2ec89a

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 ae4329e5319f00e233db3c56e6a51db9
SHA1 da4aed93d289a3d188128e1f78bd4f9f70000c42
SHA256 747c7cab86cbeb2cdee7ad3949d6e59f7cb570c515181a8b59acc6c2c2d4177e
SHA512 efbc024904493dfe9ad68b8c60b719379f0f11210163119914ea1c9a1258ba0acc38d38017831ef4f96f558a5b9a31987dc1d703e12f679cb37b5a22beafac2e

memory/632-34-0x00000000048B0000-0x0000000004ABC000-memory.dmp

memory/632-80-0x0000000000400000-0x0000000000616000-memory.dmp

memory/632-90-0x00000000048B0000-0x0000000004ABC000-memory.dmp
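The memory/... entries above are repeated dumps of two regions in one process: the module image at 0x400000 (0x216000 bytes) and a separate region at 0x48B0000 of almost the same size (0x20C000 bytes), dumped at alternating points in the run. An image-sized private region outside the module is consistent with a dropper that decrypts or copies a second PE into memory, though the report itself does not say what the region holds. The example below is added (not from the report or the sandbox vendor) to parse the dump names into regions with their snapshot indices, sizes and a heuristic role. The naming scheme "memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp" and the 0x400000 image base are assumptions inferred from the listed names, and "candidate unpacked payload" is a label for the analyst to confirm by checking the dump for a PE header, not a finding.

```python
"""Turn the report's memory-dump names into a per-region summary.

Added example; not from the report or the sandbox vendor. The naming scheme
"memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp" is inferred from the
nine names listed under Files and is an assumption, as is treating 0x400000
(the usual 32-bit PE default) as the image base; the "candidate unpacked
payload" label is a heuristic, not a finding the report makes.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

DUMP_NAMES = [  # copied from the behavioral2 Files section
    "memory/632-0-0x0000000000400000-0x0000000000616000-memory.dmp",
    "memory/632-2-0x00000000048B0000-0x0000000004ABC000-memory.dmp",
    "memory/632-9-0x00000000048B0000-0x0000000004ABC000-memory.dmp",
    "memory/632-12-0x0000000000400000-0x0000000000616000-memory.dmp",
    "memory/632-13-0x0000000000400000-0x0000000000616000-memory.dmp",
    "memory/632-14-0x00000000048B0000-0x0000000004ABC000-memory.dmp",
    "memory/632-34-0x00000000048B0000-0x0000000004ABC000-memory.dmp",
    "memory/632-80-0x0000000000400000-0x0000000000616000-memory.dmp",
    "memory/632-90-0x00000000048B0000-0x0000000004ABC000-memory.dmp",
]


def parse_dump_name(name):
    """Return pid, snapshot index, start, end and size for one dump name, or None."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def summarize_regions(names, image_base=0x400000, min_ratio=0.5):
    """Group dumps by (pid, start, end) and assign each region a heuristic role.

    A region outside the image whose size is at least `min_ratio` of the
    image's size is flagged as a candidate unpacked payload: that is the
    footprint of a second PE staged in private memory.
    """
    snapshots = defaultdict(list)  # (pid, start, end) -> [seq, ...]
    for name in names:
        d = parse_dump_name(name)
        if d:
            snapshots[(d["pid"], d["start"], d["end"])].append(d["seq"])
    image_size = next((end - start for (_, start, end) in snapshots if start == image_base), None)
    regions = []
    for (pid, start, end), seqs in sorted(snapshots.items()):
        size = end - start
        if start == image_base:
            role = "image"
        elif image_size and size >= min_ratio * image_size:
            role = "candidate unpacked payload"
        else:
            role = "other"
        regions.append({"pid": pid, "start": start, "end": end, "size": size,
                        "snapshots": sorted(seqs), "role": role})
    return regions


if __name__ == "__main__":
    for r in summarize_regions(DUMP_NAMES):
        print(f"pid {r['pid']} 0x{r['start']:08X}-0x{r['end']:08X} size 0x{r['size']:X} "
              f"snapshots {r['snapshots']} role {r['role']}")
```

The snapshot order is the interesting detail: the second region is already captured at snapshot 2, before the image is re-dumped at 12 and 13, so the staged region appears early in the run. The natural next step is to carve the 0x48B0000 dump for an MZ/PE header and compare its imports with the on-disk file.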

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-02 15:03
Reported: 2024-12-02 15:05
Platform: win7-20240708-en
Max time kernel: 120s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

Renames multiple (195) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\ko.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\pa-in.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\si.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\ug.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\bg.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\va.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\vi.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Uninstall.exe.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\az.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\ba.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\ca.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\de.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\hu.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\ru.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\ta.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\fa.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\kaa.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\kk.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\mk.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\en.ttt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\fi.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\hr.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\mr.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\nb.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\nn.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\ast.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\is.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\el.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\gl.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\kab.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\mn.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DisableProcessIsolation = "1" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{00000003-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\OverrideFileSystemProperties\System.Kind = "1" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "lnkfile" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Shortcut" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppId = "{00021401-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shellex\MayChangeDefaultMenu C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\shell32.dll" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\OverrideFileSystemProperties C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shellex C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe

"C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe"

Network

N/A

Files

memory/2624-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2624-1-0x0000000003250000-0x000000000345C000-memory.dmp

memory/2624-8-0x0000000003250000-0x000000000345C000-memory.dmp

memory/2624-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2624-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2624-13-0x0000000003250000-0x000000000345C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

MD5 b903ce8ed1bcf09b6d41218991180c6f
SHA1 cad5d6a46c4ce9199f93fbb3f87739d0a5a7569b
SHA256 dba7a78167d64544e45ece74b6fa3a96b44b26067e1f3e26049d969e16004168
SHA512 c0d07d3435d350aa84a8b292d6f6111e4acc82823aceaedbeebe399a94ff3ea3e22e2fa655e9c0e753075563853de6cb48cf25481d15f36c89c69a126b1d2888

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 9e1d5f47bb51509239e5a47051d87bb1
SHA1 9053169bfe12b45c85b5e0f8ef72ad4c71b4bedf
SHA256 dbe526202eb82bdd6d7469c64fba9ef9b78d99f9cd1d1c8f5e086d46612efbce
SHA512 8a2adc4d0ed995a2167a8f0ddf58cbb3610c3bf2a874a72e7f8ef08aa15e2a896f9c1b6757c27159f3d00132bdc509b2d28d4a7b420ae7f9bda00aff2971eb16

memory/2624-23-0x0000000003250000-0x000000000345C000-memory.dmp

memory/2624-35-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2624-39-0x0000000003250000-0x000000000345C000-memory.dmp