Malware Analysis Report

2025-01-22 23:10

Sample ID 241202-sjfgrsyqby
Target 5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe
SHA256 5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e

Threat Level: Known bad

The file 5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe was found to be: Known bad.

Analyst note (drawn from the static and two behavioral analyses below): the sample is an unsigned PE. On both Windows 7 and Windows 10 it opens the VirtualBox ACPI table key (HARDWARE\ACPI\DSDT\VBOX__) and reads SystemBiosVersion/SystemBiosDate, a standard VM/sandbox fingerprinting pattern, yet it still went on to drop files in both runs, so the checks did not stop execution in these environments. Its dominant behaviour is mass file rewriting: within the 150 s kernel time limit it created a ".tmp" sibling for 198 (Windows 7) and 240 (Windows 10) files, mostly under C:\Program Files but also in $Recycle.Bin and MSOCache; this is what drives the ransomware tag. The report records the renames, not the content written, so encryption of the originals is not confirmed here. No network traffic was recorded in either run (Network: N/A), so the banload/downloader tags rest on static family signatures rather than on observed download or C2 activity. The CLSID keys written under SOFTWARE\Classes\Wow6432Node point at the Office 2010 OUTLOOK.EXE binary and the Microsoft.Office.Interop.Outlook assembly, not at the sample, so they do not by themselves establish persistence for this file.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Renames multiple (240) files with added filename extension (behavioral2, Windows 10)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (198) files with added filename extension (behavioral1, Windows 7)

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-02 15:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-02 15:09
Reported: 2024-12-02 15:11
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

Renames multiple (198) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\lt.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\id.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\sk.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\tt.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\ug.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\pl.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\sw.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\mng.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\fi.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\ne.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\tg.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\fa.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\pa-in.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\ClearGet.vbs.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
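
The rows above are the raw evidence behind the "Renames multiple files with added filename extension" signature. The following script is an added example written for this page, not the sandbox's own scoring logic: it parses a handful of the rows above (copied verbatim), strips the shared ".tmp" suffix, and profiles what sat underneath it, so the difference between a ransomware-style rewrite (one added suffix over many unrelated extensions and directories) and an installer writing a few files under their final names is visible in numbers. ROW_RE, parse_rows, added_suffix, summarize and the constructed BENIGN_ROWS are the editor's; the threshold is a tunable, and the report's own counts (198 and 240) are far above it.

```python
"""Characterise the 'renames multiple files with added filename extension' signature.

Added example, not the sandbox's own scoring. ROWS are copied verbatim from the
'Drops file in Program Files directory' table of behavioral1; BENIGN_ROWS are
constructed to show an installer-style write that must not trip the check.
"""
import ntpath
import re
from collections import Counter

# "File created <path> <process> N/A": <path> may contain spaces, the process
# path in this report does not, so the process is anchored on "X:\" + non-space.
ROW_RE = re.compile(r"^File created (?P<path>.+?) (?P<process>[A-Za-z]:\\\S+) N/A$")

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe")

# Ten rows from the report, unchanged apart from the shared process path.
ROWS = [
    rf"File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui.tmp {SAMPLE} N/A",
    rf"File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml.tmp {SAMPLE} N/A",
    rf"File created C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp {SAMPLE} N/A",
    rf"File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi.tmp {SAMPLE} N/A",
    rf"File created C:\Program Files\7-Zip\Lang\lt.txt.tmp {SAMPLE} N/A",
    rf"File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat.tmp {SAMPLE} N/A",
    rf"File created C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp {SAMPLE} N/A",
    rf"File created C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp {SAMPLE} N/A",
    rf"File created C:\Program Files\7-Zip\7zFM.exe.tmp {SAMPLE} N/A",
    rf"File created C:\Program Files\ClearGet.vbs.tmp {SAMPLE} N/A",
]

# Constructed: what a legitimate installer's rows look like (final names, no shared suffix).
BENIGN_ROWS = [
    r"File created C:\Program Files\7-Zip\7z.dll C:\Users\Admin\Downloads\7z-setup.exe N/A",
    r"File created C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\Downloads\7z-setup.exe N/A",
]


def parse_rows(rows):
    """Parse the sandbox's flattened 'File created' rows; unparseable rows are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            events.append({"path": m.group("path"), "process": m.group("process")})
    return events


def added_suffix(paths):
    """The one extension every path ends in (e.g. '.tmp'), or None if they differ."""
    exts = {ntpath.splitext(p)[1].lower() for p in paths}
    if len(exts) != 1:
        return None
    return exts.pop() or None


def summarize(events, threshold=50):
    """Strip the shared suffix, then profile what was underneath it.

    A ransomware-style rewrite shows one added suffix across many files whose
    original extensions and directories are diverse; an installer writes a few
    files under their final names. `threshold` is the row count that counts as
    'mass'; this report hit 198 and 240 rows within 150 s."""
    paths = [e["path"] for e in events]
    suffix = added_suffix(paths)
    originals = [p[:-len(suffix)] for p in paths] if suffix else paths
    orig_ext = Counter(ntpath.splitext(o)[1].lower() or "<none>" for o in originals)
    top_dirs = Counter("\\".join(ntpath.dirname(o).split("\\")[:3]) for o in originals)
    by_process = Counter(e["process"] for e in events)
    return {
        "count": len(events),
        "added_suffix": suffix,
        "original_extensions": orig_ext,
        "top_dirs": top_dirs,
        "by_process": by_process,
        "mass_rewrite": suffix is not None and len(events) >= threshold and len(orig_ext) >= 3,
    }


if __name__ == "__main__":
    for label, rows in (("sample", ROWS), ("benign installer", BENIGN_ROWS)):
        s = summarize(parse_rows(rows), threshold=10)
        print(f"{label}: {s['count']} rows, added suffix {s['added_suffix']!r}, "
              f"mass_rewrite={s['mass_rewrite']}")
        print("  original extensions:", dict(s["original_extensions"]))
        print("  top directories:", dict(s["top_dirs"]))
```

Run it as-is to see the two profiles side by side; to apply it to a full report, feed every "File created" row of a behavioral section into parse_rows and keep the default threshold.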

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
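
The three registry signatures in this run ("Identifies VirtualBox via ACPI registry values", "Checks BIOS information in registry" and "System Language Discovery") each come down to one key open or value query. The script below is an added example written for this page, not the sandbox vendor's detection logic: it turns those indicators into a watch-list and runs it over a constructed approximation of an API-monitor trace (one record per RegOpenKey/RegQueryValue call), then scores each process on how many of the anti-VM checks it combined. The watch-list is widened beyond the report to the sibling ACPI tables (FADT, RSDT) and the VideoBiosVersion value that the same family of checks commonly reads; the ATT&CK IDs are the editor's mapping, since the report's MITRE section is empty; normalize(), match_events() and score_processes() and the event schema are assumptions to adapt to your own log source.

```python
"""Flag VM/sandbox fingerprinting and locale discovery in registry events.

Added example (not the sandbox vendor's logic): the watch-list is built from the
keys this sample touched in both detonations, widened to the sibling ACPI tables
and BIOS values that the same family of checks usually reads. The event records
are a constructed approximation of an API-monitor trace (one record per
RegOpenKey / RegQueryValue call); adapt normalize() to your own log schema.
"""
import re
from collections import defaultdict

# Observed keys -> sandbox signature name. ATT&CK IDs are the editor's mapping;
# the report's own MITRE section is empty.
WATCHLIST = [
    (r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
     "Identifies VirtualBox via ACPI registry values", "T1497.001"),
    (r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)$",
     "Checks BIOS information in registry", "T1497.001"),
    (r"^HKLM\\SYSTEM\\ControlSet\d{3}\\Control\\NLS\\Language$",
     "System Location Discovery: System Language Discovery", "T1614.001"),
]
ANTI_VM = {WATCHLIST[0][1], WATCHLIST[1][1]}

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe")

# Constructed events: the four indicators from the report, one benign key the
# sample could plausibly read, and one BIOS read by an unrelated process.
EVENTS = [
    {"op": "open",  "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "process": SAMPLE},
    {"op": "query", "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "process": SAMPLE},
    {"op": "query", "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate", "process": SAMPLE},
    {"op": "open",  "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "process": SAMPLE},
    {"op": "open",  "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "process": SAMPLE},
    {"op": "query", "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
     "process": r"C:\Windows\System32\svchost.exe"},
]


def normalize(path):
    """Map the kernel object path used in sandbox traces to the HKLM/HKU form."""
    path = path.rstrip("\\")
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", path, flags=re.I)
    return path


def match_events(events):
    """Return one hit per (event, watch-list entry) match."""
    hits = []
    for ev in events:
        norm = normalize(ev["path"])
        for pattern, signature, technique in WATCHLIST:
            if re.match(pattern, norm, flags=re.I):
                hits.append({"process": ev["process"], "path": norm,
                             "signature": signature, "technique": technique})
    return hits


def score_processes(hits):
    """A process that probes an ACPI table *and* reads BIOS strings is a much
    stronger anti-VM candidate than one that does either alone (BIOS reads are
    common in benign installers and telemetry)."""
    sigs_by_proc = defaultdict(set)
    for h in hits:
        sigs_by_proc[h["process"]].add(h["signature"])
    verdicts = {}
    for proc, sigs in sigs_by_proc.items():
        n = len(sigs & ANTI_VM)
        verdicts[proc] = "likely anti-VM" if n == 2 else "fingerprinting" if n == 1 else "discovery only"
    return verdicts


if __name__ == "__main__":
    found = match_events(EVENTS)
    for h in found:
        print(f'{h["technique"]}  {h["signature"]:55}  {h["path"]}')
    for proc, verdict in score_processes(found).items():
        print(f"{verdict:15} {proc}")
```

The scoring deliberately does not flag a single BIOS read on its own: on a real host that value is queried by plenty of legitimate software, and the signal in this report is the combination with the VBOX__ table probe in the same process.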

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "Outlook.OlkSenderPhoto" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Control C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook.OlkSenderPhotoClass" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ToolboxBitmap32 C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Typelib C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0 C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Outlook.OlkSenderPhoto.1" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ToolboxBitmap32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE,5517" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Typelib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\OUTLOOK.EXE\"" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "9.4" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Outlook Sender Photo Control" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32 C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "ole32.dll" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Office.Interop.Outlook.OlkSenderPhotoClass" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe

"C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe"

Network

N/A

Files

memory/2464-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2464-1-0x0000000002FE0000-0x00000000031EC000-memory.dmp

memory/2464-8-0x0000000002FE0000-0x00000000031EC000-memory.dmp

memory/2464-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2464-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2464-13-0x0000000002FE0000-0x00000000031EC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

MD5 933bca93d052cfe5499e1bd52f02b76d
SHA1 96ab0e80cc7a0514a2b04feaea082c37755835ee
SHA256 c38c6f4082a3ff66bad7800a9bee3c1744d51ce263d69e1afc607c71d8d8aac7
SHA512 a960d5fd6667fa1dc0e3264e53a0fe9e697d8bdb425abaf2199877505398a2659b252cf5c6b82daf78e1478e6c73be2b5f79d2997c2c692b8d5545ddb2f2d863

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 4e08a31fe0521ea8854cfdca793f8898
SHA1 6ba82db05b6264a3cb12eba9f4d87335629a523c
SHA256 88be274bd786de96d8f2b90dc5c5a9760cc93cf18172a69b7caf3fa411449284
SHA512 03a573790cbcf8e2d0b128f461b9e8b5669a03bcec2f39948031406798bb780a7b465d86809ff1c137fbf84ce0984755caac3533553d006e210c607f36fe9957

memory/2464-23-0x0000000002FE0000-0x00000000031EC000-memory.dmp

memory/2464-35-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2464-39-0x0000000002FE0000-0x00000000031EC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-02 15:09
Reported: 2024-12-02 15:11
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

Renames multiple (240) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\sv.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\tk.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwritalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\ug.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\readme.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\et.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\an.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Uninstall.exe.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\az.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\nb.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\ext.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\ta.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\7-zip32.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\sw.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\pt.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrfralm.dat.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\el.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\mr.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\pl.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
File created C:\Program Files\7-Zip\Lang\pa-in.txt.tmp C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Scriptlet.TypeLib" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Object for constructing type libraries for scriptlets" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\scrobj.dll" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe

"C:\Users\Admin\AppData\Local\Temp\5f20bcf65bc80712585d8680faeb5b5a9919d77340762c41e5f3f86a75fd210e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 210.68.20.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 206.68.20.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.68.20.2.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp

MD5 87594f1e6db97c6de5dcb6c61451b782
SHA1 7279d77d9e9a32541b9a6f2d4290404eb4a86911
SHA256 3d5e7799340cb5f9f8142bff6e7dfcdce5d19086de7ad6ecac521473e430328d
SHA512 236f44d706318c84f43f4c0afae3c7650c6adeda576560adb967a38f6bbe2560a62e72cad7880fbbf9a7a121e5decfd7cd1130b401195bdbfbfd8d77145f43e1

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 79d52c68bac237d3c65bbe7c5f0c5ac4
SHA1 74dfa6f7b8c45a9cf8e89b8f5de9837187d38ef1
SHA256 1d89f36a1e79f3d19daed0969abe75bc9eac0e8d22ee61539ae337de8e5b646b
SHA512 6986f3e474e89fcf6e1c0d20257366b5a6da5c5596e7a8efcc96cba9595033afe10d3ad70ab9102cdae3429137e0b9e37db0db64346ff9671b6a89405a646283
