Malware Analysis Report

2025-01-22 23:08

Sample ID: 241227-ynkvyayphj
Target: 76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0
SHA256: 76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0
Tags: banload discovery downloader dropper evasion ransomware trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0

Threat Level: Known bad

The file 76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (220) files with added filename extension

Renames multiple (182) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-27 19:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-27 19:55

Reported: 2024-12-27 19:57

Platform: win10v2004-20241007-en

Max time kernel: 60s

Max time network: 36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A

Renames multiple (220) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A

Modifies registry class

Description Indicator Process Target

Processes

C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe

"C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp

Files

memory/4944-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4944-2-0x00000000043F0000-0x00000000045FC000-memory.dmp

memory/4944-9-0x00000000043F0000-0x00000000045FC000-memory.dmp

memory/4944-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4944-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4944-14-0x00000000043F0000-0x00000000045FC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

MD5 14434684a038d535255983fbe492633c
SHA1 865a23a899532df5a49b1271e36230fee44dc2b1
SHA256 40184a56ff08027232718fe023ceb79dc4453ebfbcc67baea696e10dac492e12
SHA512 dd17d243682f7e69a3f26331b6b0812d2cb5d345b952d18944a99089663fa81b6d2788c3662f3ade8bb5a3647a509055a716b612109df6adf2f07477398127bf

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 9c1ada100328fece670e68960792fdbe
SHA1 802921df10b189e5822373d801d5267879ff050b
SHA256 fdda11f6df565074496f5b12bfd71a277e892a25cca0c9475a938460da6023c9
SHA512 320fda7111b392395976e79410a62605179b0b477a440f584cce0a872460904ee8b40152f52ec98fdde49a561bb1b3d1271d89e996b25eeb7a3b9d90b00231ac

memory/4944-38-0x00000000043F0000-0x00000000045FC000-memory.dmp

memory/4944-39-0x00000000043F0000-0x00000000045FC000-memory.dmp

memory/4944-108-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4944-121-0x00000000043F0000-0x00000000045FC000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-27 19:55

Reported

2024-12-27 19:57

Platform

win7-20241010-en

Max time kernel

60s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A

Renames multiple (182) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\mk.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\an.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\hr.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\az.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\el.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\it.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\ky.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\7-zip.dll.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\7-zip32.dll.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\7z.sfx.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\mn.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\nb.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\sl.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\ug.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\be.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\he.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\lij.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\nl.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\pa-in.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\sw.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\th.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\ast.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\br.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\fy.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\tr.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\uk.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\id.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\sv.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\kaa.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\mng.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\ta.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\uz.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\de.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\gu.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\lt.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\7zCon.sfx.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\eo.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\ext.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\ka.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\co.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\es.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\ne.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\nn.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\7z.dll.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\ba.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\hu.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\hy.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\pt.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\sa.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\cy.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\fi.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\fr.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\tk.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\io.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\pl.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\gl.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
File created C:\Program Files\7-Zip\Lang\hi.txt.tmp C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Null persistent handler" C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\PersistentAddinsRegistered C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF} C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}\ = "{c3278e90-bea7-11cd-b579-08002b30bfeb}" C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe

"C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe"

Network

N/A

Files

memory/2288-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2288-1-0x0000000002F60000-0x000000000316C000-memory.dmp

memory/2288-8-0x0000000002F60000-0x000000000316C000-memory.dmp

memory/2288-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2288-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2288-13-0x0000000002F60000-0x000000000316C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp

MD5 ea5d9c957ddbc555ea2c43ef61865186
SHA1 d3f1e540db35f0e6fa22fdefeb599e5388d0274a
SHA256 a145150e12a22a04a310c9626abdce73836ec948ca9fbae827d54e33e78f0f79
SHA512 a9c41e2109f1a2bf4537c2bdf2babb835617965c4824de0488a80d57f4a7421d4c7b0b3db338b3ab3c7fdbe40c236aecb02e092b32403c8d75843bacb4efd228

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 d44c882d5648da5d0bd5ba50dbe58062
SHA1 998d66cdaea5bfe1fc9ee81eaa94207e4cdc9947
SHA256 93fe54ee0e81bf67393a439ecd8cdaf112cf356b8b192a9e06b5c8e9e9194ad0
SHA512 a02458a37f86870b3bd3a86185931a0d71bf3318a52a6bafcefdcd69a8da7cd7f8a4a4671be5c8b7062735966f890f87028fbfb536fa58c2acde442a4e22e5b5

memory/2288-25-0x0000000002F60000-0x000000000316C000-memory.dmp

memory/2288-39-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2288-43-0x0000000002F60000-0x000000000316C000-memory.dmp