Malware Analysis Report

2025-01-22 23:09

Sample ID 241217-zar8jaxkct
Target 2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9
SHA256 2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9

Threat Level: Known bad

The file 2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload family

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (973) files with added filename extension

Renames multiple (224) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-17 20:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-17 20:31

Reported

2024-12-17 20:33

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A

Renames multiple (224) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{03837503-098b-11d8-9414-505054503030}" C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PLA.LegacyTraceSessionCollection.1" C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "PLA.LegacyTraceSessionCollection" C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "both" C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "LegacyTraceSessionCollection" C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe" C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe

"C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe"

Network

N/A

Files

memory/2308-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2308-1-0x0000000003060000-0x000000000326C000-memory.dmp

memory/2308-8-0x0000000003060000-0x000000000326C000-memory.dmp

memory/2308-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2308-13-0x0000000003060000-0x000000000326C000-memory.dmp

memory/2308-12-0x0000000000400000-0x0000000000616000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

MD5 2241277c79c4637c77f8fba5d7ac18fc
SHA1 c1d0019bdf01a55c8a98dc7281dda70c012f0746
SHA256 303503c1b1195f7ce3d3eafda983c9abbda893c952656fe28a96be14d2b65f23
SHA512 6f29f36dfbec12100023218fe080d3629332d29e8471baa34bdc9c0a51d363c8eba291b9886808edd1fa7c9b4a7ca14fc008ad24bc55d2be593338d0eb9f9a11

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 12930536c95a1cf3843fc0309dd54654
SHA1 1a47a7a4d55eb04e00b55d692e4596b7e43df310
SHA256 82b997d438ec4674f59968070f220d231227e025c9786c0ddcd96e5b3deec1ec
SHA512 02741d0956ce2d5f0b343c4dc6163987f92a48006473e96a0464d003959a0532729479e7efe155ccc152a920c6ac6e4eb9b44015cb206328a3c848cb3a706283

memory/2308-27-0x0000000003060000-0x000000000326C000-memory.dmp

memory/2308-51-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2308-61-0x0000000003060000-0x000000000326C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-17 20:31

Reported

2024-12-17 20:33

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A

Renames multiple (973) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.ja-jp.txt.tmp C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
File created C:\Program Files\dotnet\LICENSE.txt.tmp C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrfralm.dat.tmp C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft DocProp Custom Draw Progress Control" C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll" C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe

"C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

memory/740-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/740-2-0x00000000043F0000-0x00000000045FC000-memory.dmp

memory/740-9-0x00000000043F0000-0x00000000045FC000-memory.dmp

memory/740-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/740-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/740-14-0x00000000043F0000-0x00000000045FC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

MD5 625b560c076de938509483563c4a2c7a
SHA1 3e34b6021e27f4d1703308ab30c0d0e3382dcbc4
SHA256 b55184a3ab337e7081b75e637aacb09d8573cc448000c6d84ef2c56575155e2f
SHA512 02d3c979a256cadb790891c109645d6249d0941ea2f78c12917e35f210768949bf6db9543e0b11049402f3bc0975b311fa2dfeeb3f10c4a39837e5c2625cd8b8

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 d2cb2ff8af847ad3b2724948bd5eb3be
SHA1 ca38496076014535172a6a0ca5c0358f7e2a4204
SHA256 2ba096bad56c9505fb68d33ff531a8c690a2d7fadb33fd76dddb8c7a55667df8
SHA512 d99c984ae1fb619fbebf3415c5c6c77074b811eb839290fd3fa948e5b13d15a4d9257b0a3a1145a752b6809b9a50d68a34312613d388e4bb26a8e4f1461377fe

memory/740-58-0x00000000043F0000-0x00000000045FC000-memory.dmp

memory/740-59-0x00000000043F0000-0x00000000045FC000-memory.dmp

memory/740-164-0x0000000000400000-0x0000000000616000-memory.dmp

memory/740-186-0x00000000043F0000-0x00000000045FC000-memory.dmp