Malware Analysis Report

2025-01-22 23:09

Sample ID 241205-fjlbsswjdp
Target de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe
SHA256 de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13b
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13b

Threat Level: Known bad

The file de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Renames multiple (555) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (213) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-05 04:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-05 04:54

Reported

2024-12-05 04:56

Platform

win7-20240729-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A

Renames multiple (213) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.OneNote, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\12.0.0.0\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\ONENOTE.EXE" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\12.0.0.0\Class = "Microsoft.Office.Interop.OneNote.ApplicationClass" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Application Class" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "OneNote.Application.12" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{F2A7EE29-8BF6-4a6d-83F1-098E366C709C}" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Office.Interop.OneNote.ApplicationClass" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\12.0.0.0 C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\12.0.0.0\Assembly = "Microsoft.Office.Interop.OneNote, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe

"C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

MD5 1ce4a87377d4586220cd9683527d0ef4
SHA1 b6e7cd3536f4ae17aeb3f6e4f645e3e5196a7aa7
SHA256 f08ef14a17b5383a33654e52e5a8b0409c59960974a8b479f79fa09de18358a3
SHA512 d8e3a7b4f6a1c95b2e2450583039ee02cde4b255796614ad6ce576719de5866f8673fad9ff0392ee67008ca3e9967f9669458f683fb6d22ce783b95cd6cbfb9b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 8fefa50e38794fca9604cdf1bbf001e7
SHA1 3c03bee06c2307f98b9623ea454d1561a9299d52
SHA256 09b59e341e1d31eabaa72550a796df37fd03b3a7dd829a7ad39ad74e8c2a0581
SHA512 47b078ac54948fd5678c574c2f00c1a9b7c0639611ad212221ae9b188df45d4a71e57f4814e212aa844f32544ef1cd8307bca1f49dbc98b645de1963bf662872

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-05 04:54

Reported

2024-12-05 04:56

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A

Renames multiple (555) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A

Drops file in Program Files directory

File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
File created C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\4.0.30319\ = "4.0.30319" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "CorSymReader_SxS" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Server C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\2.0.50727 C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\2.0.50727\ = "2.0.50727" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Server\ = "diasymreader.dll" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\4.0.30319 C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\2.0.50727\ImplementedInThisVersion C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\4.0.30319\ImplementedInThisVersion C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "NDP SymReader" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mscoree.dll" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe

"C:\Users\Admin\AppData\Local\Temp\de15232955fd62ad0131e5480164f6d62e3569f041cbbc6d2adf6bf013aef13bN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini.tmp

C:\Program Files\7-Zip\7-zip.dll.tmp