Malware Analysis Report

2025-01-22 23:08

Sample ID: 241227-ycfrvaykg1
Target: 846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7
SHA256: 846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7
Tags: banload discovery downloader dropper evasion ransomware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7

Threat Level: Known bad

The file 846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Renames multiple (197) files with added filename extension

Renames multiple (221) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-27 19:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-27 19:38
Reported: 2024-12-27 19:39
Platform: win7-20240903-en
Max time kernel: 60s
Max time network: 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A

Renames multiple (197) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\7-Zip\Lang\ba.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tt.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\7-zip.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\an.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ky.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mng.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\7z.sfx.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\co.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ja.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\pl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\he.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ka.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mng2.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\pt.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ro.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sa.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\uz.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\da.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\hy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ru.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\hr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\hu.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\vi.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Uninstall.exe.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\7-zip.chm.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\gl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\io.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ta.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\7z.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\hi.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\descript.ion.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\bn.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fa.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\lt.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\yo.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ca.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fi.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\kab.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\lij.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\nb.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ne.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sv.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\History.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ar.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ext.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\is.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TreatAs\ = "{D3E34B21-9D75-101A-8C3D-00AA001A1652}" | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PBrush" | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Bitmap Image" | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\ = "512" | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Ole1Class | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Ole1Class\ = "PBrush" | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TreatAs | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main\ = "8" | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe

"C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe"

Network

N/A

Files

memory/268-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/268-1-0x00000000030B0000-0x00000000032BC000-memory.dmp

memory/268-8-0x00000000030B0000-0x00000000032BC000-memory.dmp

memory/268-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/268-13-0x00000000030B0000-0x00000000032BC000-memory.dmp

memory/268-11-0x0000000000400000-0x0000000000616000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

MD5 0f84535435a139e2b3de6e655179fc34
SHA1 6b3eaac0cc8dbe6154eb478285be1ac6938081b1
SHA256 2897862117fb5287e42743db61f47dca3e3669f0f9028894f2b3f073679c5fdd
SHA512 e723c23e8e4d66b68703ca6fad0d7e30478ca1b4c6c9a4a6a51beadc57a31979860ae55cab07167271440262ed60b2346ea0be4dc3f5b1226710d372f7b9e738

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 a8bfbdda45439fc8eeed9bfc781dbd1e
SHA1 bf77916cab8886c87456761f9f48378a88369f0f
SHA256 934a70e77960017f8bed67e8bbbda0b96b5762c2930bded9644ab1ecd3a898a8
SHA512 fa75f2b37b98a04ea9bc14ef856ccb60a0335915b7ba3ee801fca45f081d1164dd58b35753d93ddb56a43218cb4c120a42f9c40e1991df2e30306423db13fcb5

memory/268-25-0x00000000030B0000-0x00000000032BC000-memory.dmp

memory/268-43-0x0000000000400000-0x0000000000616000-memory.dmp

memory/268-51-0x00000000030B0000-0x00000000032BC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-27 19:38
Reported: 2024-12-27 19:39
Platform: win10v2004-20241007-en
Max time kernel: 60s
Max time network: 34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A

Renames multiple (221) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\7-Zip\Lang\de.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\is.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\da.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ku.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\th.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\af.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\lv.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\imjplm.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ga.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\gl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\gu.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mn.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sa.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\uk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\dicjp.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\bg.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ro.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ne.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\7-Zip\License.txt.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\mshwjpnr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Scriptlet.Context" | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Object under which scriptlets may be created" | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\scrobj.dll" | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe

"C:\Users\Admin\AppData\Local\Temp\846e4863e5e6ec0908b1b65f3b30cbe3a55e69e90f85c82bc566fd94998d66f7.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp

Files

memory/2152-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2152-2-0x0000000004900000-0x0000000004B0C000-memory.dmp

memory/2152-9-0x0000000004900000-0x0000000004B0C000-memory.dmp

memory/2152-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2152-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2152-14-0x0000000004900000-0x0000000004B0C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

MD5 984a0cf32ed46dbdc607d6078c5333f2
SHA1 4d8e463ae560a3f9fd2f37ec0ab77670f13703a6
SHA256 14a90eb92d59933a5573dab9932767d47f724a94698418bc02e6006b24e16546
SHA512 229336d82003e6251de0d8878e664ffce027882b9ddb2142bcbc2853b9123adb275d9a57e92f1d924332f0f4dbbad9b5c53559d1f05c896f571f4351cdb9e8ee

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 08696e2c7e1bab15e8608742f26c2728
SHA1 297153f7d653b233c1ae416a472644198c9b4cba
SHA256 a2593dd3acfc4da405fa683ca2f5be6bba0b8ac74fb459f882be52d8b1f291f0
SHA512 dc9653b7f78fd8f767a88ec1251e7bf87bbd1f2701662f1a06e3e56c470b8b9ade375c1a002741ee887893450838cb0c3ec98158536011136f8e6ddf6bbe7d89

memory/2152-48-0x0000000004900000-0x0000000004B0C000-memory.dmp

memory/2152-49-0x0000000004900000-0x0000000004B0C000-memory.dmp

memory/2152-132-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2152-150-0x0000000004900000-0x0000000004B0C000-memory.dmp