Malware Analysis Report

2025-01-22 23:09

Sample ID 241204-2gs5hszrem
Target b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe
SHA256 b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4

Threat Level: Known bad

The file b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload family

Banload

Renames multiple (608) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (225) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-04 22:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-04 22:33

Reported

2024-12-04 22:35

Platform

win7-20240903-en

Max time kernel

120s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A

Renames multiple (225) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\ka.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\ps.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrespsh.dat.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\ext.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\it.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\vi.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\7z.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\fur.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\af.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\mng.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\sl.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Uninstall.exe.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\id.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\hy.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\7zCon.sfx.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\sk.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "DataCollectorSet" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "PLA.DataCollectorSet" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "both" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PLA.DataCollectorSet.1" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{03837503-098b-11d8-9414-505054503030}" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe

"C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe"

Network

N/A

Files

memory/2464-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2464-1-0x00000000030F0000-0x00000000032FC000-memory.dmp

memory/2464-8-0x00000000030F0000-0x00000000032FC000-memory.dmp

memory/2464-7-0x00000000030F0000-0x00000000032FC000-memory.dmp

memory/2464-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2464-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2464-13-0x00000000030F0000-0x00000000032FC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

MD5 a6b740f22a2bf2dfd722035d082a8a80
SHA1 e3232158bf4690648178d49e4a544af3a8020011
SHA256 6b6aa9c4602b4ad43bc810292b048c06cbe1a426b8b6eb8b59ac6fca4ca62c1e
SHA512 b2d26a380dadcaa1a2c2616775db1b2081effccbd1c0ba40947bbf3916bd4c6d06f329b5999389cd2dd3170c8f7fea077fa21ca57cf2e0a6a18f137f70c55741

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 4aa57d4441beecd7c1819d7a182880f9
SHA1 d365abeb289b48922bb59408709cf747b24068b2
SHA256 84b95cdbf8cc1e05fd7322239cc8032fc151261c0f0903decacc019c181e7f5e
SHA512 ffa0e581bc34c0334cce54693366fb5385f1147e5f14198a634b17e16f64790ebb7db300c6d0b167aadeb1e12684b78e2d6a267f3c39ad90e7513f41467693a0

memory/2464-25-0x00000000030F0000-0x00000000032FC000-memory.dmp

memory/2464-43-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2464-53-0x00000000030F0000-0x00000000032FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-04 22:33

Reported

2024-12-04 22:35

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A

Renames multiple (608) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-fibers-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Mail.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\ba.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\gl.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\readme.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\System\ado\msado28.tlb.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\an.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.AppContext.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\Lang\pl.txt.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
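Every "File created" row above writes a `.tmp` name on top of a file that already had an extension, across Program Files and $Recycle.Bin, which is the pattern behind the report's "Renames multiple (608) files with added filename extension" signature. The script below is an added example, not part of the report or of any sandbox's own tooling: it parses these indicator lines and counts stacked-extension writes per appended extension, per top-level directory and per writing process, then flags any extension that crosses a threshold. The paths are copied from the rows above, the two Temp entries are constructed benign writes, and the threshold of five is an assumption to tune; installers also write `.tmp` beside a file before an atomic replace, so the breadth of directories and the single writer matter as much as the count.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Process column exactly as it appears in the report above
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe"

# Paths copied from the "File created" rows above, followed by two constructed
# entries (marked) standing in for ordinary temp-file writes the detector must ignore.
CREATED = [
    r"C:\Program Files\7-Zip\Lang\an.txt.tmp",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp",
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp",
    r"C:\Program Files\7-Zip\Lang\pl.txt.tmp",
    r"C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp",
    r"C:\Program Files\7-Zip\7-zip.chm.tmp",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp",
    r"C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\setup.log",     # constructed, not from the report
    r"C:\Users\Admin\AppData\Local\Temp\~DF3A1B.tmp",   # constructed, not from the report
]
REPORT_LINES = [f"File created {p} {SAMPLE_EXE} N/A" for p in CREATED]

# "File created <path> <process> <target>": the path may contain spaces,
# the process and target columns do not in this report.
FILE_CREATED = re.compile(r"^File created (?P<path>.+) (?P<proc>\S+) (?P<target>\S+)$")


def parse_file_created(lines):
    """Yield (path, process) for each 'File created' indicator line; other rows are skipped."""
    for line in lines:
        m = FILE_CREATED.match(line)
        if m:
            yield m.group("path"), m.group("proc")


def added_extension(path):
    """Return (original_name, appended_suffix) when a new suffix is stacked on a name
    that already had one ('an.txt.tmp' -> ('an.txt', '.tmp')); None for plain names."""
    p = PureWindowsPath(path)
    if len(p.suffixes) < 2:
        return None
    return p.name[: -len(p.suffix)], p.suffix


def rename_summary(lines, threshold=5):
    """Count stacked-suffix writes per appended extension, writer and top-level directory,
    and list every extension whose count reaches the (assumed) threshold."""
    by_ext, by_proc = Counter(), Counter()
    top_dirs = defaultdict(set)
    original_types = defaultdict(Counter)
    for path, proc in parse_file_created(lines):
        hit = added_extension(path)
        if hit is None:
            continue
        original, ext = hit
        by_ext[ext] += 1
        by_proc[proc] += 1
        parts = PureWindowsPath(path).parts              # ('C:\\', 'Program Files', ...)
        top_dirs[ext].add(parts[1] if len(parts) > 1 else parts[0])
        original_types[ext][PureWindowsPath(original).suffix.lower()] += 1
    return {
        "added_extensions": dict(by_ext),
        "mass_rename": sorted(ext for ext, n in by_ext.items() if n >= threshold),
        "top_dirs": {ext: sorted(d) for ext, d in top_dirs.items()},
        "original_types": {ext: dict(c) for ext, c in original_types.items()},
        "writers": dict(by_proc),
        "touches_program_files": any("Program Files" in d for d in top_dirs.values()),
    }


if __name__ == "__main__":
    for key, value in rename_summary(REPORT_LINES).items():
        print(f"{key}: {value}")
```

Run against the rows above it reports a single appended extension, `.tmp`, stacked on `.txt`, `.dll`, `.mui`, `.chm`, `.json` and `.ini` originals under both Program Files and $Recycle.Bin by one writer, which is the shape the report's signature summarises with its file count.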

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32 C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "C:\\Windows\\SysWOW64\\ole32.dll" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msi.dll" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgId\ = "WindowsInstaller.Installer" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{000C1092-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Windows Installer" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgId C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe N/A
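The registration above sets the InprocServer32 and InprocHandler32 defaults of one CLSID to C:\Windows\SysWOW64\msi.dll and C:\Windows\SysWOW64\ole32.dll, under the "Microsoft Windows Installer" name and the WindowsInstaller.Installer ProgId, so the server path is a system DLL rather than something the sample controls. What turns a "Modifies registry class" event into a COM hijack is a server path in a user-writable directory, or a per-user (HKCU\Software\Classes) registration that takes precedence over the machine-wide one for that user. The check below is an added example, not part of the report: it parses these lines (copied from the table, process and target columns dropped), assumes SystemRoot is C:\Windows, and includes one constructed HKCU line with a nil-GUID placeholder and a placeholder SID to show what gets flagged.

```python
import re

# Indicator lines copied from the "Modifies registry class" table above, plus one
# constructed line (marked) showing a per-user registration pointing at a user-writable DLL.
REG_LINES = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "C:\\Windows\\SysWOW64\\ole32.dll"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msi.dll"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgId\ = "WindowsInstaller.Installer"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Windows Installer"',
    # constructed (not from the report): nil GUID and placeholder SID, server under the user's profile
    r'Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1000\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\hijack.dll"',
]

# 'Set value (type) <key>\<valuename> = "<data>"'; an empty value name is the key's default value
SET_VALUE = re.compile(r'^Set value \(\w+\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\ ]*) = "(?P<data>.*)"$')
CLSID_KEY = re.compile(
    r'^\\REGISTRY\\(?P<hive>MACHINE|USER\\[^\\]+)\\SOFTWARE\\Classes\\(?:WOW6432Node\\)?'
    r'CLSID\\(?P<guid>\{[0-9A-Fa-f-]{36}\})(?:\\(?P<sub>.+))?$',
    re.IGNORECASE,
)
SERVER_SUBKEYS = ("InprocServer32", "InprocHandler32", "LocalServer32")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")   # assumes SystemRoot = C:\Windows


def server_location(path):
    """Classify where a COM server lives: 'system', 'program-files' or 'other' (user-writable or unknown)."""
    low = path.lower()
    if low.startswith(SYSTEM_DIRS):
        return "system"
    if low.startswith("c:\\program files"):
        return "program-files"
    return "other"


def flags_for(reg):
    """Reasons a registration deserves a second look."""
    flags = []
    if reg["hive"] == "HKCU":
        flags.append("per-user-registration")      # HKCU\Software\Classes shadows HKLM for that user
    for sub, path in reg["servers"].items():
        if server_location(path) == "other":
            flags.append(f"{sub}-outside-system-dirs")
    return flags


def parse_registrations(lines):
    """Group 'Set value' indicator lines by CLSID and record name, ProgId and server paths."""
    regs = {}
    for line in lines:
        m = SET_VALUE.match(line)
        if not m:
            continue                                # 'Key created' rows carry no data to check
        k = CLSID_KEY.match(m.group("key"))
        if not k:
            continue
        guid = k.group("guid").upper()
        reg = regs.setdefault(guid, {
            "guid": guid,
            "hive": "HKLM" if k.group("hive").upper() == "MACHINE" else "HKCU",
            "name": None, "progid": None, "servers": {}, "flags": [],
        })
        data = m.group("data").replace("\\\\", "\\")   # the report prints backslashes escaped
        sub, name = k.group("sub"), m.group("name")
        if sub in SERVER_SUBKEYS and name == "":
            reg["servers"][sub] = data
        elif sub == "ProgId" and name == "":
            reg["progid"] = data
        elif sub is None and name == "":
            reg["name"] = data
    for reg in regs.values():
        reg["flags"] = flags_for(reg)
    return regs


if __name__ == "__main__":
    for reg in parse_registrations(REG_LINES).values():
        print(reg["hive"], reg["guid"], reg["progid"], reg["servers"], reg["flags"] or "ok")
```

On the report's own rows the result carries no flags; only the constructed per-user entry is reported, for both its hive and its server path.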

Processes

C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe

"C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
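Every row in the Network table is a reverse (PTR) lookup sent to 8.8.8.8:53: the Domain column does not name a host the detonation contacted, it encodes an address with its octets reversed under in-addr.arpa, and the report records only the queries. To see which addresses were being looked up, reverse the octets. The helper below is an added example, not part of the report; it decodes the ten query names above and, going beyond the page's IPv4-only data, also handles ip6.arpa names so the same function serves both families.

```python
import ipaddress

# Domain column of the Network table above; every row was a UDP query to 8.8.8.8:53
PTR_QUERIES = [
    "209.205.72.20.in-addr.arpa",
    "20.160.190.20.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "228.249.119.40.in-addr.arpa",
    "28.118.140.52.in-addr.arpa",
    "200.163.202.172.in-addr.arpa",
    "241.42.69.40.in-addr.arpa",
    "172.210.232.199.in-addr.arpa",
    "181.129.81.91.in-addr.arpa",
    "11.227.111.52.in-addr.arpa",
]


def ptr_name_to_ip(name):
    """Decode a PTR query name back to the address it asks about.
    in-addr.arpa names carry the four IPv4 octets in reverse order; ip6.arpa names carry
    the 32 IPv6 nibbles in reverse order. Anything else is rejected."""
    n = name.rstrip(".").lower()
    if n.endswith(".in-addr.arpa"):
        octets = n[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4:
            raise ValueError(f"not a full IPv4 PTR name: {name}")
        return ipaddress.IPv4Address(".".join(reversed(octets)))   # raises on bad octets
    if n.endswith(".ip6.arpa"):
        nibbles = n[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(x) != 1 for x in nibbles):
            raise ValueError(f"not a full IPv6 PTR name: {name}")
        hexdigits = "".join(reversed(nibbles))
        return ipaddress.IPv6Address(":".join(hexdigits[i:i + 4] for i in range(0, 32, 4)))
    raise ValueError(f"not a reverse-lookup name: {name}")


def decode_ptr_queries(names):
    """Map each query name to its address string, keeping the report's row order."""
    return [str(ptr_name_to_ip(n)) for n in names]


def ptr_summary(names):
    """Counts worth knowing before pivoting on the addresses: how many are distinct,
    and whether any sit in private or loopback space (a lookup for one of those is a
    local artefact rather than an external contact)."""
    ips = [ptr_name_to_ip(n) for n in names]
    return {
        "queries": len(ips),
        "distinct": len(set(ips)),
        "private": sum(1 for ip in ips if ip.is_private),
        "global": sum(1 for ip in ips if ip.is_global),
    }


if __name__ == "__main__":
    for name, ip in zip(PTR_QUERIES, decode_ptr_queries(PTR_QUERIES)):
        print(f"{name:32} -> {ip}")
    print(ptr_summary(PTR_QUERIES))
```

The decoded addresses are what to pivot on (WHOIS, passive DNS, your own proxy logs); the PTR names themselves will not appear anywhere except in DNS telemetry.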

Files

memory/4812-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4812-2-0x00000000048F0000-0x0000000004AFC000-memory.dmp

memory/4812-9-0x00000000048F0000-0x0000000004AFC000-memory.dmp

memory/4812-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4812-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4812-14-0x00000000048F0000-0x0000000004AFC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 7f4c5cae1ae79d7ab59e3756e33dcd46
SHA1 e57a294c4d4df697e72ee1866f7d0824bc6033e6
SHA256 80868c3d31448387c206c953bfc4a39d519b2c90d9a537d8232a4bb4be51904a
SHA512 8b3617294bdf1a10defc5d2bfd0b98d9bcdae378073f208a5f2e9b03cc591f9f7c2f332baa8ae0688ad439dad0c1008efd777abb49265eb5f10f5eec4c9df1cb

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 acf1bba7ea751fe536663ccaa187d20c
SHA1 8d7aed9c8cd00a5ae5005f71c03fd9a25ed271fc
SHA256 0f1041a0222f4af22c8e6e8a62378c7edf1c54f9d782db29476c284a8908b140
SHA512 1443f06a522c033d620d742aef365dc658e8f5d97ada6690f18e38ce981426564b98ba1e9bfd7d49f96fb6aa61985f3c8857227df0250baf218cbb2ecd550ac2

memory/4812-56-0x00000000048F0000-0x0000000004AFC000-memory.dmp

memory/4812-57-0x00000000048F0000-0x0000000004AFC000-memory.dmp

memory/4812-152-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4812-170-0x00000000048F0000-0x0000000004AFC000-memory.dmp