Malware Analysis Report

2025-01-22 23:09

Sample ID 241227-yj8ffaypam
Target 996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535
SHA256 996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535

Threat Level: Known bad

The file 996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload family

Banload

Renames multiple (222) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (184) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-27 19:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-27 19:50

Reported

2024-12-27 19:51

Platform

win7-20241023-en

Max time kernel

60s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A

Renames multiple (184) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\7-Zip\7z.exe.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\af.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\da.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\id.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\kaa.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\nl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\uz.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\History.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cs.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\el.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\et.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fa.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\kab.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mn.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ms.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tg.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\gl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\hr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\pt-br.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sq.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\az.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\hi.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mng.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\nb.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sa.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\th.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\7z.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ca.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\hu.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ko.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\nn.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\si.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\descript.ion.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ba.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ka.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\7-zip32.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\bg.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\co.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\es.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fi.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\he.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\is.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tt.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\eo.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\it.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ky.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\lt.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\lv.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ru.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sv.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ga.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\gu.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ug.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\va.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ext.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\pl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ta.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Schema Migration Plugin" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\propsys.dll" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe

"C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe"

Network

N/A

Files

memory/2092-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2092-1-0x0000000003160000-0x000000000336C000-memory.dmp

memory/2092-8-0x0000000003160000-0x000000000336C000-memory.dmp

memory/2092-7-0x0000000003160000-0x000000000336C000-memory.dmp

memory/2092-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2092-13-0x0000000003160000-0x000000000336C000-memory.dmp

memory/2092-12-0x0000000000400000-0x0000000000616000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini.tmp

MD5 ae7bb55c57aff6c63d1b6f2e59679927
SHA1 0ce67d0556373aef5727cd491538beb314448b69
SHA256 8ad5372a233d470c25e414ae7f4967b4b7498b246bc08a7e55b1ad5cc710234b
SHA512 247b5824bb4cf62daff53bc21e3d7d19e874bc1053447902fc32cbb55a1f5bafa45a8e310273b12908f158891ff69980a49487df1511bd8d4cd6d14c8eec7426

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 ac758f570c442d992995cdac9f1ceee8
SHA1 3636249af95ae144441a8a79a14d6ea3075fd8ca
SHA256 b11b8f56cb399af9d8d436818aadbda5b72b1cfebaa8faf05b5ad6f3e6e6ba2d
SHA512 9d441c2f89868685ad5b9595caca803681c7a46c0cd68386817012e802bb61f9ecbcc6337951a8a89ef48826ae0b44ffb4e0e368aa55096854e6f3e911625161

memory/2092-25-0x0000000003160000-0x000000000336C000-memory.dmp

memory/2092-41-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2092-45-0x0000000003160000-0x000000000336C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-27 19:50

Reported

2024-12-27 19:51

Platform

win10v2004-20241007-en

Max time kernel

60s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A

Renames multiple (222) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\7-zip.chm.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\gu.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ca.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\co.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\BackupExpand.wma.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\BackupLock.cfg.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\7z.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ast.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\descript.ion.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ps.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ky.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\nl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\id.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\kk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\hwresplm.dat.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\et.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ja.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\lt.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\hwrfralm.dat.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mng2.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\7.0.5000.0\Assembly = "Microsoft.JScript, Version=7.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\8.0.0.0 | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft.JScript.JSAuthor" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.JScript, Version=7.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.JScript.JSAuthor" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v1.1.4322" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\7.0.5000.0\RuntimeVersion = "v1.1.4322" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgId | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29} | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mscoree.dll" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\7.0.5000.0 | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\7.0.5000.0\Class = "Microsoft.JScript.JSAuthor" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\8.0.0.0\Assembly = "Microsoft.JScript, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\8.0.0.0\Class = "Microsoft.JScript.JSAuthor" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\8.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe | N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgId\ = "Microsoft.JScript.JSAuthor" C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe

"C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/388-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/388-2-0x00000000049F0000-0x0000000004BFC000-memory.dmp

memory/388-9-0x00000000049F0000-0x0000000004BFC000-memory.dmp

memory/388-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/388-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/388-14-0x00000000049F0000-0x0000000004BFC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

MD5 e3b3254accf45910369e76b782613d00
SHA1 e42a953659ac7d9954a416ccf9430371f0675126
SHA256 75205c9164a31aa854447f5a5228cbb65734aadb03f7fd60c00e32dc5ca9ebc0
SHA512 823cdd77f1ebbb754abdc50bd9c16ec8b2d9a3d7008f1c675f874b9e21fdabbb5b2046063bd487378ab3643a120b84844e22161644da7bf5c546840b9bc2b4de

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 dd3bd1bdde5b7e474b74f0caed9e89cb
SHA1 29a9bc1f2ad26de58d3b40ed388efe39d9356213
SHA256 db5610e6028f97570907c7c64adb9685b692cf1987964aa5d88e051d184ed41f
SHA512 23f4d4f972721e34f2021613fb382d8b3df15dba912ed0ee2c1f972c12c2db6862148d2010bfa50d0b3818e5aa9317cff8d858aa534109657b90f595537940eb

memory/388-37-0x00000000049F0000-0x0000000004BFC000-memory.dmp

memory/388-36-0x00000000049F0000-0x0000000004BFC000-memory.dmp

memory/388-102-0x0000000000400000-0x0000000000616000-memory.dmp

memory/388-116-0x00000000049F0000-0x0000000004BFC000-memory.dmp