Malware Analysis Report

2025-01-22 23:09

Sample ID: 241227-yez89symhk
Target: 7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580
SHA256: 7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580
Tags: banload discovery downloader dropper evasion ransomware trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580

Threat Level: Known bad

The file 7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload family

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (54) files with added filename extension

Renames multiple (221) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-27 19:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-27 19:42
Reported: 2024-12-27 19:43
Platform: win7-20241010-en
Max time kernel: 60s
Max time network: 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A

Renames multiple (54) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "ScriptletHandler.Behavior" | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Constructor for Scriptlet Behavior Handler" | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\scrobj.dll" | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe

"C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe"

Network

N/A

Files

memory/1668-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1668-8-0x0000000002E70000-0x000000000307C000-memory.dmp

memory/1668-1-0x0000000002E70000-0x000000000307C000-memory.dmp

memory/1668-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1668-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1668-13-0x0000000002E70000-0x000000000307C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 9848a98e98027969f2197e87cec64fb7
SHA1 dbbde067da3ad9b5726127322a6ed90fcbd3c1b6
SHA256 271dc6a655dc2f9b0a94c3739d614bb98a4bf7969851e67ff62e784ded86887c
SHA512 0f51c6b45b2ceabf9f748c0ca857fbee422b952216ef31c8d7f0730bc04d1a11f762d62107ccb3e6ef074345b293eb29638b3ea79a10d3b0abcec6a362a8402b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 4db4655704266b3298535fb7ae6045d4
SHA1 003d73a4cecd3f47dba9fc73b165486b3643f93f
SHA256 c9076a9bd33c2e3ec4f347dc981b9237ba9db8f6740d890fb76ec9e3b83f0aff
SHA512 d5f325780cf9bd41534e1b40daee2ba9f968f21f7d596cfab216bbe8675587d3505b27541f3f9bd7d83aab2d67675ab27772082aa8de72d3962d5745ab485b1b

memory/1668-21-0x0000000002E70000-0x000000000307C000-memory.dmp

memory/1668-29-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1668-31-0x0000000002E70000-0x000000000307C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-27 19:42
Reported: 2024-12-27 19:43
Platform: win10v2004-20241007-en
Max time kernel: 60s
Max time network: 37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A

Renames multiple (221) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}" | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Windows Script Host Network Object" | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "WScript.Network.1" | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "WScript.Network" | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\wshom.ocx" | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Programmable | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe

"C:\Users\Admin\AppData\Local\Temp\7c2322cd1f10e1df8ff5976947281954014a260348d8790d3d6a5138bda45580.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp

Files

memory/3252-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3252-2-0x0000000004960000-0x0000000004B6C000-memory.dmp

memory/3252-9-0x0000000004960000-0x0000000004B6C000-memory.dmp

memory/3252-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3252-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3252-14-0x0000000004960000-0x0000000004B6C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 1d8a45c4547f786d9dd4e76f37e3afe4
SHA1 ee09f2833e335440313f8779204a68424e7ffa94
SHA256 9c490f91d787dad83eac92f59acc87611fc011fd6945e7dbf5d6ea8e44ba54d6
SHA512 4f3faefae1e16f1f08122cf1b6498b85b96d780ffb6d28e95e3848955fb61a61ed6f38add075836df312306ae0ca4e43573462938fd394b9f139cd6869c5038a

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 e2770f9d1ad044a044052fb147677c56
SHA1 2af96d298d7259e977ae9c8d11e48924f9d359a9
SHA256 dcdaecf684f0c1ba348a9b61447c8f3dd40b119ac10bb0813b85ca3e24df6020
SHA512 04443cfe2626d443504fdba9377e1ac0d3fcbe175c31f5aa19b576392a81ca9c2e2150f97d5d49c9eb7f036fd693435ce5bac2f84d253adab4e069a81d1fae89

memory/3252-46-0x0000000004960000-0x0000000004B6C000-memory.dmp

memory/3252-47-0x0000000004960000-0x0000000004B6C000-memory.dmp

memory/3252-122-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3252-140-0x0000000004960000-0x0000000004B6C000-memory.dmp