Malware Analysis Report

2025-01-22 23:11

Sample ID 241203-bafbzaxndj
Target 933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
SHA256 933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8
Tags
banload discovery downloader dropper evasion ransomware trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8

Threat Level: Known bad

The file 933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload family

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (198) files with added filename extension

Renames multiple (452) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-12-03 00:56

Signatures

Unsigned PE

Description         Indicator
(no indicator rows: the static pass records only that the PE carries no digital signature)

Analysis: behavioral1

Detonation Overview

Submitted 2024-12-03 00:56
Reported 2024-12-03 00:58
Platform win7-20240903-en
Max time kernel 120s
Max time network 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Process (all rows): C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe; Target: N/A
Description         Indicator
Key opened          \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Renames multiple (198) files with added filename extension

ransomware

Checks BIOS information in registry

Process (all rows): C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe; Target: N/A
Description         Indicator
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Drops file in Program Files directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe; Target: N/A
Description         Indicator
File created        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui.tmp
File created        C:\Program Files\7-Zip\Lang\ku.txt.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp
File created        C:\Program Files\7-Zip\Lang\ka.txt.tmp
File created        C:\Program Files\7-Zip\Lang\si.txt.tmp
File created        C:\Program Files\7-Zip\Lang\ug.txt.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp
File created        C:\Program Files\7-Zip\7z.exe.tmp
File created        C:\Program Files\7-Zip\Lang\fa.txt.tmp
File created        C:\Program Files\7-Zip\Lang\ja.txt.tmp
File created        C:\Program Files\7-Zip\Lang\nb.txt.tmp
File created        C:\Program Files\7-Zip\Lang\sq.txt.tmp
File created        C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui.tmp
File created        C:\Program Files\7-Zip\Lang\da.txt.tmp
File created        C:\Program Files\7-Zip\Lang\fy.txt.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui.tmp
File created        C:\Program Files\7-Zip\Lang\cs.txt.tmp
File created        C:\Program Files\7-Zip\Lang\eo.txt.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp
File created        C:\Program Files\7-Zip\Lang\ro.txt.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui.tmp
File created        C:\Program Files\7-Zip\Lang\ky.txt.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\hwrespsh.dat.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll.tmp
File created        C:\Program Files\7-Zip\Lang\ext.txt.tmp
File created        C:\Program Files\7-Zip\Lang\lv.txt.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp
File created        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml.tmp
File created        C:\Program Files\7-Zip\Lang\lij.txt.tmp

System Location Discovery: System Language Discovery

discovery
Process (all rows): C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe; Target: N/A
Description         Indicator
Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Modifies registry class

Process (all rows): C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe; Target: N/A
Description         Indicator
Key created         \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ToolboxBitmap32
Key created         \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}
Set value (str)     \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "ActiveMovieControl Object"
Set value (str)     \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\wmpdxm.dll"
Key created         \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus
Key created         \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\1
Key created         \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID
Set value (str)     \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "AMOVIE.ActiveMovieControl.2"
Key created         \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version
Set value (str)     \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment"
Key created         \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib
Set value (str)     \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{05589fa0-c356-11ce-bf01-00aa0055595a}"
Key created         \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32
Set value (str)     \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\ = "0"
Set value (str)     \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\1\ = "131473"
Set value (str)     \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "2.0"
Key created         \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID
Set value (str)     \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "AMOVIE.ActiveMovieControl"
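The signature rows in this run (the VirtualBox ACPI and BIOS registry reads, the files created as <original>.<ext>.tmp under Program Files, and the CLSID keys written under Wow6432Node) are the raw material a detection engineer turns into checks. The Python below is an added example, not code from the sandbox, from this report, or from the sample: it parses rows in the Description/Indicator/Process/Target layout used above into events and applies three checks, one per signature. It assumes the Process column contains no spaces (true for every row here, since the sample runs as <sha256>N.exe from Temp) and the thresholds in tmp_drops are illustrative, not the sandbox's. The InprocServer32 value it extracts, C:\Windows\SysWOW64\wmpdxm.dll, is a Windows system DLL, so the CLSID registration reads like a 32-bit process registering the ActiveMovie control it loads rather than a persistence mechanism; the report does not say either way, so treat that as the editor's reading and verify the DLL's hash on any host where these keys appear.

```python
# Added example, not part of the sandbox report or the sample: a parser for
# the "Description Indicator Process Target" rows above plus the checks those
# rows support (hypervisor registry probing, mass "<name>.<ext>.tmp" file
# creation, and COM class registration).
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

DESCRIPTIONS = ("Key opened", "Key value queried", "Key created",
                "Set value (str)", "File created")

# Keys read by the sample. VBOX__ is the ACPI DSDT table name VirtualBox
# exposes to guests; SystemBiosVersion/SystemBiosDate hold firmware strings
# that hypervisors fill in with their own identifiers.
ANTI_VM_KEYS = {
    r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate",
}
ADDED_EXT_RE = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.tmp$")  # name.ext.tmp
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\?(.*)$")


@dataclass(frozen=True)
class Event:
    description: str
    indicator: str
    process: str
    target: str


def parse_row(line: str) -> Optional[Event]:
    """One report row -> Event. Assumes the Process path has no spaces (true
    for the <sha256>N.exe path in this report), so the last two
    whitespace-separated tokens are Process and Target."""
    line = line.strip()
    desc = next((d for d in DESCRIPTIONS if line.startswith(d + " ")), None)
    if desc is None:
        return None
    rest = line[len(desc):].split()
    if len(rest) < 3:
        return None
    return Event(desc, " ".join(rest[:-2]), rest[-2], rest[-1])


def parse_rows(text: str) -> List[Event]:
    return [e for e in map(parse_row, text.splitlines()) if e is not None]


def anti_vm_probes(events: List[Event]) -> List[str]:
    """Registry reads that hit known hypervisor fingerprint keys."""
    return sorted({e.indicator for e in events
                   if e.description in ("Key opened", "Key value queried")
                   and e.indicator in ANTI_VM_KEYS})


def tmp_drops(events: List[Event], min_files: int = 3,
              min_dirs: int = 2) -> Tuple[int, Counter, bool]:
    """Created files named <original>.<ext>.tmp, grouped by the first two
    path components (e.g. Program Files\\7-Zip). The flag is the same idea as
    the report's "renames multiple files with added extension" verdict; the
    thresholds are illustrative, not the sandbox's."""
    per_dir: Counter = Counter()
    for e in events:
        if e.description == "File created":
            p = PureWindowsPath(e.indicator)
            if ADDED_EXT_RE.match(p.name):
                per_dir["\\".join(p.parts[1:3])] += 1
    total = sum(per_dir.values())
    return total, per_dir, total >= min_files and len(per_dir) >= min_dirs


def com_registrations(events: List[Event]) -> Dict[str, Dict[str, str]]:
    """CLSID keys written by the sample, keyed by GUID. InprocServer32 names
    the DLL a later CoCreateInstance of that class would load."""
    out: Dict[str, Dict[str, str]] = {}
    for e in events:
        if e.description not in ("Key created", "Set value (str)"):
            continue
        m = CLSID_RE.search(e.indicator)
        if m is None:
            continue
        entry = out.setdefault(m.group(1), {})
        if e.description == "Set value (str)" and " = " in m.group(2):
            name, _, value = m.group(2).partition(" = ")
            entry[name.rstrip("\\") or "(Default)"] = value.strip('"')
    return out


# Rows copied from the behavioral1 tables above. The Process column is the
# sample itself on every row, so it is appended once here.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe")
CLSID_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID"
             r"\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}")
ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
    r"File created C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui.tmp",
    r"File created C:\Program Files\7-Zip\Lang\ku.txt.tmp",
    r"File created C:\Program Files\7-Zip\7z.exe.tmp",
    r"File created C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp",
    "Key created " + CLSID_KEY,
    "Set value (str) " + CLSID_KEY + r'\ = "ActiveMovieControl Object"',
    "Set value (str) " + CLSID_KEY + r'\InprocServer32\ = "C:\\Windows\\SysWOW64\\wmpdxm.dll"',
    "Set value (str) " + CLSID_KEY + r'\ProgID\ = "AMOVIE.ActiveMovieControl.2"',
]
REPORT_TEXT = "\n".join(f"{row} {SAMPLE_EXE} N/A" for row in ROWS)

if __name__ == "__main__":
    evs = parse_rows(REPORT_TEXT)
    print("anti-VM probes:", anti_vm_probes(evs))
    print("tmp drops (total, per dir, flagged):", tmp_drops(evs))
    print("COM classes:", com_registrations(evs))
```

Run against the full behavioral1 table rather than the excerpt embedded here, tmp_drops counts only the 64 rows the report shows, not the 198 the signature headline reports, because the page truncates the list; the per-directory split is still useful, since a legitimate installer writes .tmp files into one product's directory, not into 7-Zip, the Ink shared folder and $Recycle.Bin at once.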

Processes

C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe

"C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe"

Network

N/A

Files

memory/2372-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2372-1-0x00000000030F0000-0x00000000032FC000-memory.dmp

memory/2372-8-0x00000000030F0000-0x00000000032FC000-memory.dmp

memory/2372-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2372-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2372-13-0x00000000030F0000-0x00000000032FC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

MD5 15b498c6ecc869d93747e50baeacb8a1
SHA1 6a50263dff1cfb9590f41ba5fc4cc778c94d3e33
SHA256 308d2265f08d790acc874cb5a60e14d6f46c74b89b74f137dbc72689c264ddea
SHA512 290fe5ad7a8d991701b76acf06444d6fc78171ecd941d0de53b2eb3b53552cb77066a0d420ff5c301902a6e18d9df14cb19b562c247ad3c20a160fbc13ec07c0

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 bfce0c45ea645ab7ed2b81883e47c0a1
SHA1 8967422f4d8b377c9ba3f69c430298bd5308bab1
SHA256 a3e323eda5da26216d52b136a665869572ec7732c6e81b6684d59215de5e3ba5
SHA512 405ef44e8721866d57a524159e7fb18dcbc8510052446798cb7124552847183a7b9577b44c8fd6b5021c57c90bc39d9f8845d80c6cfc897a4550f85c9b0b1fc1

memory/2372-25-0x00000000030F0000-0x00000000032FC000-memory.dmp

memory/2372-41-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2372-47-0x00000000030F0000-0x00000000032FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-12-03 00:56
Reported 2024-12-03 00:58
Platform win10v2004-20241007-en
Max time kernel 120s
Max time network 93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Process (all rows): C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe; Target: N/A
Description         Indicator
Key opened          \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Renames multiple (452) files with added filename extension

ransomware

Checks BIOS information in registry

Process (all rows): C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe; Target: N/A
Description         Indicator
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate

Drops file in Program Files directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe; Target: N/A
Description         Indicator
File created        C:\Program Files\7-Zip\Lang\lt.txt.tmp
File created        C:\Program Files\7-Zip\Lang\sq.txt.tmp
File created        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp
File created        C:\Program Files\Common Files\System\ado\msado25.tlb.tmp
File created        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp
File created        C:\Program Files\7-Zip\History.txt.tmp
File created        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp
File created        C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp
File created        C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp
File created        C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp
File created        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp
File created        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.tmp
File created        C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp
File created        C:\Program Files\Common Files\Services\verisign.bmp.tmp
File created        C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp
File created        C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp
File created        C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp
File created        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Primitives.dll.tmp
File created        C:\Program Files\7-Zip\Lang\en.ttt.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp
File created        C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.tmp
File created        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp
File created        C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp
File created        C:\Program Files\dotnet\dotnet.exe.tmp
File created        C:\Program Files\7-Zip\Lang\de.txt.tmp
File created        C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp
File created        C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp
File created        C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp
File created        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat.tmp
File created        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp
File created        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp
File created        C:\Program Files\7-Zip\Lang\co.txt.tmp
File created        C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp
File created        C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp
File created        C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp
File created        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp
File created        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp
File created        C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp
File created        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp
File created        C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp
File created        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp
File created        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp
File created        C:\Program Files\7-Zip\Lang\af.txt.tmp
File created        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp
File created        C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clretwrc.dll.tmp C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\SettingMonitor.dll" C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Mouse Setting Change Publisher" C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe

"C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/3112-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3112-2-0x00000000047D0000-0x00000000049DC000-memory.dmp
memory/3112-9-0x00000000047D0000-0x00000000049DC000-memory.dmp
memory/3112-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3112-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3112-14-0x00000000047D0000-0x00000000049DC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp
  MD5    e19aece2670456e55b5b883bb719b0d2
  SHA1   96898898887af01d91bf1b2a06ea435a4c4b08c9
  SHA256 a45b9ab524ed0b756f3022fe1e8cec7d61eec1a078e5d7eec22733bd178aaaa3
  SHA512 726c9f717faecfaa722f47230f306eb099c50bc78cfe8de5999ef78a6933e7a577a59318a52c7558b8923234217ecba1d0a13392648224b2fac328ceaf843cba

C:\Program Files\7-Zip\7-zip.dll.tmp
  MD5    9808e25e8fa7c87d8adba45bef860b45
  SHA1   000327fd8ce02a427ba0efc2fa398eb489e94018
  SHA256 2ed11b5755f326ccf5dec30ab27a1b76d48e3a900f96c074b02e4043399dfa88
  SHA512 30daf62970021633fb52a811a1b75b666eec3a5da64f90412b55f0a8c7474fee3cefb10bca865263bcea880a9d8cf05b4a205379d205311b30265bd111804e94

memory/3112-45-0x00000000047D0000-0x00000000049DC000-memory.dmp
memory/3112-44-0x00000000047D0000-0x00000000049DC000-memory.dmp
memory/3112-118-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3112-134-0x00000000047D0000-0x00000000049DC000-memory.dmp