Malware Analysis Report

2025-01-22 23:08

Sample ID 241227-ydaxzsykh1
Target 79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d
SHA256 79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d
Tags
banload discovery downloader dropper evasion trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d

Threat Level: Known bad

The file 79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion trojan ransomware

Banload

Banload family

Renames multiple (155) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-12-27 19:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-27 19:39

Reported

2024-12-27 19:40

Platform

win7-20241010-en

Max time kernel

59s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "ADOX.User.6.0" C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "ADOX.User.6.0" C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%CommonProgramFiles%\\System\\ado\\msadox.dll" C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "ADOX.User.6.0" C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe

"C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe"

Network

N/A

Files

memory/1256-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1256-1-0x0000000003090000-0x000000000329C000-memory.dmp

memory/1256-8-0x0000000003090000-0x000000000329C000-memory.dmp

memory/1256-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1256-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1256-13-0x0000000003090000-0x000000000329C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 5ebace0ab0100663a6ae00d9249d6785
SHA1 4635438a37263967d118abcdec6300b39d69e67a
SHA256 ca9c52b0b5a15f018501a854ddb5059da4086e2ef23b44801445476cd0cb42cf
SHA512 e13f4fbdbe2a07416d714a0d564a84ddc616be429f8ee50161aa7f8456794306dbdc112d0f54df73f1e5d551733bcd15c94165ab9a0bbd2995b044f6d89b9c4e

memory/1256-17-0x0000000003090000-0x000000000329C000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 ce40dc3cacc226fb880933496449afdf
SHA1 6d20d230e2e999a7a1c137e78351792765967381
SHA256 4597fb86b24c25cc5714b6919a00f76a12d922054fdd40f252267a90c2d13916
SHA512 7db34b8d0aba5f260e4c05a576a0b4bea0c9ae23f64b1cfab4068a99946da67a8f6630676127cdef1aa542b62a30c551e68661f65965ad3a254890b4f0ef1ccd

memory/1256-25-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1256-27-0x0000000003090000-0x000000000329C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-27 19:39

Reported

2024-12-27 19:40

Platform

win10v2004-20241007-en

Max time kernel

60s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A

Renames multiple (155) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\lt.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\tk.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\ug.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\ext.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\kaa.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\ky.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\fy.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\sv.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\readme.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\an.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\cs.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\da.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\he.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\ne.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\ro.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\az.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\uk.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\7-zip32.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\ast.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\7-zip.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\si.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\th.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\7zG.exe.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\cy.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\eo.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\mng2.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\co.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\pl.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\tr.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\bg.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\id.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\be.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\hi.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\hu.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\mng.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\ar.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\inetcomm.dll" C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "MHTML Asynchronous Pluggable Protocol Handler" C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe

"C:\Users\Admin\AppData\Local\Temp\79703b07bfc8ca14a2b170305685558c6037f558443e6080124388d3cf38819d.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp

Files

memory/4732-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4732-2-0x00000000049D0000-0x0000000004BDC000-memory.dmp

memory/4732-9-0x00000000049D0000-0x0000000004BDC000-memory.dmp

memory/4732-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4732-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4732-14-0x00000000049D0000-0x0000000004BDC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

MD5 291858290feb4c679276d93b51efdf0a
SHA1 4485f77ff316bef83bf81d72fd91ed93fd924ef0
SHA256 a00b2d60b14b458f746a6d20fed09d1a1910f8a86718ff3985d37b15e1ac2401
SHA512 edb0cca9096d94bb0f1277dae8700cf270a07ed58156446ec65f0b0d3dac067e8dac9b641016189d7b03559d1b41f1a30de77f81bd9fc0f1948183d9c9ecedae

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 3cd1f344b41c12c5d415b65ecf9e0ee3
SHA1 c312fdb10ad97b04706fe45102649ac044017127
SHA256 a049a54c13066d653f6f7f5840c26f309ba1c0453ebc990ca20defd024ba9908
SHA512 f1fea954b1b04dd45a8675cf64658efb82defde6cc19ed6465df502b8e51c16a2dae68a866f38c19b3c75b3d80435df1cc8f3020d5068f4db62b5ec44ced17f9

memory/4732-26-0x00000000049D0000-0x0000000004BDC000-memory.dmp

memory/4732-27-0x00000000049D0000-0x0000000004BDC000-memory.dmp

memory/4732-56-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4732-62-0x00000000049D0000-0x0000000004BDC000-memory.dmp