Malware Analysis Report

2025-01-22 23:10

Sample ID 241203-a6vwvsxlek
Target 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
SHA256 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538

Threat Level: Known bad

The file 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (216) files with added filename extension

Renames multiple (532) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-03 00:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-03 00:49

Reported

2024-12-03 00:52

Platform

win7-20241010-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A

Renames multiple (216) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\fy.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\sq.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\History.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\ga.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\7z.sfx.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\fi.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\sv.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\az.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\fa.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\ku.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\tk.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\br.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\tr.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\id.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\ClearReceive.rmi.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\he.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\kab.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0 C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Access, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Access.AllModulesClass" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.Access, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Office.Interop.Access.AllModulesClass" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

"C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe"

Network

N/A

Files

memory/956-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/956-1-0x0000000002FA0000-0x00000000031AC000-memory.dmp

memory/956-8-0x0000000002FA0000-0x00000000031AC000-memory.dmp

memory/956-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/956-13-0x0000000002FA0000-0x00000000031AC000-memory.dmp

memory/956-12-0x0000000000400000-0x0000000000616000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp

MD5 5cf9cbf6b03e35a8200ead00c192c99c
SHA1 76934ffe25acf258478a8fdbe416e0edb66b30e5
SHA256 4ace30a83dffb4877fd05735d905daf593fc8384b9ebe84e2e148bf4ee3056cc
SHA512 2e012cdac68307d1a23d13741c6c0d04cb369949e6659789d9a07310a273894c00c08342c9a5cf5130863e90db91f329f2f82772b55441b46b9c5d0769f9487b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 d8c8ffdd57f79c60c44a9d9ee8671996
SHA1 1f54a50a7759bca06db5a63e0984918688c6ce51
SHA256 69b445434f9f320194c7cd01595dabee0f0cf2cccced728e1bb5bcee6eee7d57
SHA512 04b82ae417c3e3eb2d6177b089badfd9ba0afdeac6946a1e2d4757ebbbdf3d3a214255af5a6e51b6eacc19fd5289604393807de121a1c7eaac38e51c3da4e405

memory/956-26-0x0000000002FA0000-0x00000000031AC000-memory.dmp

memory/956-25-0x0000000002FA0000-0x00000000031AC000-memory.dmp

memory/956-41-0x0000000000400000-0x0000000000616000-memory.dmp

memory/956-43-0x0000000002FA0000-0x00000000031AC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-03 00:49

Reported

2024-12-03 00:52

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A

Renames multiple (532) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\be.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\ku.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\ko.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\hu.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\imjplm.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\7zG.exe.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\License.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\es.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\System\ado\msado26.tlb.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NameResolution.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\Lang\ar.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\History.txt.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\7-Zip\7zCon.sfx.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main\ = "MSDraw,Word.Picture.6,1" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1\ = "1,1,1,3" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32 C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Word.Picture.8" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3 C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "9" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1 C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\4\ = "Rich Text Format,1,1,3" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\0 C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\0\ = "Embed_Source,1,8,1" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1 C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3 C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WORDICON.EXE,1" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "ole32.dll" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Word Picture" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2 C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{00020905-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0\ = "&Edit,0,2" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2\ = "3,1,32,3" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE\"" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "Word.Picture" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2\ = "Picture" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2 C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\4 C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\ = "0" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1\ = "&Open,0,2" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3\ = "Microsoft Word" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile\ = "MSWordDoc" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3\ = "HTML Format,1,1,3" C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\NotInsertable C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\NotInsertable\ C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0 C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

"C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/3788-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3788-2-0x0000000004A60000-0x0000000004C6C000-memory.dmp

memory/3788-9-0x0000000004A60000-0x0000000004C6C000-memory.dmp

memory/3788-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3788-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3788-14-0x0000000004A60000-0x0000000004C6C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 f0e95b3bc3c3609e9af9327417bc2ab1
SHA1 fedf68c78a759c423b1a6bf5f205dc9f1ab4e080
SHA256 8428037496a503ca0b7f3f465a3a6fe5ee4aa257ae51c0be5ef21336ba02964c
SHA512 40b0071e07260b2c82ac6863b5a9ba4a7688c53015ccfb639bb02cb94ebf4270b30f140b233a9a741b6e530a4e29632c7a45d3bd56eeeec381f72a93d8f45351

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 2fff8eb570b6ba243373813e0169abe2
SHA1 1bdccbb6123b24dd046a6835fc3a6a59f1ca4e84
SHA256 6765d00e99592a85a74f87e988451b9e07785d95b39eb8a0c084e00952b8a3e4
SHA512 ad23528175b1e60989696b64a919ad05ae4202eb897901a6f3e4c8cdff564ca3456ff71fab672e69192313783fac47a30317fc3e39cfe71ab55a5a1cd53b75f1

memory/3788-48-0x0000000004A60000-0x0000000004C6C000-memory.dmp

memory/3788-130-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3788-146-0x0000000004A60000-0x0000000004C6C000-memory.dmp