Malware Analysis Report

2025-01-22 23:09

Sample ID 241227-yryafayqer
Target 73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2
SHA256 73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2

Threat Level: Known bad

The file 73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (107) files with added filename extension

Renames multiple (216) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-27 20:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-27 20:01

Reported

2024-12-27 20:02

Platform

win7-20240903-en

Max time kernel

60s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A

Renames multiple (107) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\ar.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\ast.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\bg.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\br.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\7-zip32.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\7z.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\af.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\ca.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\cs.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\co.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\7-zip.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\7zG.exe.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\History.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\an.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\az.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\ba.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\be.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\7z.sfx.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\7zCon.sfx.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\descript.ion.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Core.CustomXMLSchemaCollectionClass" C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Assembly = "office, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Office.Core.CustomXMLSchemaCollectionClass" C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0 C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "office, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe

"C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe"

Network

N/A

Files

memory/1836-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1836-1-0x0000000002FC0000-0x00000000031CC000-memory.dmp

memory/1836-8-0x0000000002FC0000-0x00000000031CC000-memory.dmp

memory/1836-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1836-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1836-13-0x0000000002FC0000-0x00000000031CC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

MD5 398988f8914ecf86b7a417ac1507fd60
SHA1 5064664bdda5fcd115a420a325100f7c7e10f452
SHA256 4d7be4c1ffeb47a785ac90c9ce8f11fd14a232ae8b94ab5dd595fe0019375625
SHA512 cfedd7af4b7823538232ad6de75499503bd8ab2e3026bc57a9715c838eaf5db6a19e42440b87fb19e7015e25b901ff9cf1ada6017231adf603939219d94eb28e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 edefc5994e13a691144c6bea79f86453
SHA1 11664ac0c0064a0fa893031b5da3b2669eacbe9a
SHA256 1edc996656e4e1458710affcbad948767df7be6e5229b47f93dea787966bb747
SHA512 29d1fb1041fdefa8ffeea09815c3eea968f2842d000c3dd8d5ac61236cd16a07111019bd831806a4f5dad6545a91106ec47baa10719af8e9a3a985e305f680bf

memory/1836-25-0x0000000002FC0000-0x00000000031CC000-memory.dmp

memory/1836-37-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1836-43-0x0000000002FC0000-0x00000000031CC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-27 20:01

Reported

2024-12-27 20:02

Platform

win10v2004-20241007-en

Max time kernel

59s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A

Renames multiple (216) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\de.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\7-zip.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\BackupResize.jpeg.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\an.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\License.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\da.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\tk.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\af.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\hy.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\ne.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\is.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\sl.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\ku.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\ca.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\hi.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\mng2.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\ClearImport.dot.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\vi.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\fa.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\mr.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\ta.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\hr.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\ka.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\it.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\nn.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\ext.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\fi.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\ko.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\Lang\cs.txt.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.tmp C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Remove Properties Drop Target" C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll" C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe

"C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp

Files

memory/4972-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4972-2-0x0000000004430000-0x000000000463C000-memory.dmp

memory/4972-9-0x0000000004430000-0x000000000463C000-memory.dmp

memory/4972-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4972-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4972-14-0x0000000004430000-0x000000000463C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

MD5 0a03cf2a455303c7d33033a9d3a47693
SHA1 10d50c458104c79d097c6ae0ae0b82b5cb68d856
SHA256 fddb447f37f4296193051e80008bd6dabb15eb74c8f8baadd63ec7bd501b818c
SHA512 138caed2f36de7af15cce738b425765457e67939b41290b022161caffed498d666abd2746081a39d16344ed4b73c309d78c316b5a5ad84264ed75d9e7ef26da8

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 a65b9157ee26267160a1a93e219a9877
SHA1 6c9282f382cf959c751fda3b0ce3116f3499ec18
SHA256 8afcb614704cab1a918a62ee99c9f8be5be9e32c23deb944a10a1df87eb3c564
SHA512 a74bdc2bea05cdb7f72f3d955b96ad932b98ebd8ccdcb25f511b72b762f813026b4ecf3e8f79a4e61a35b46418439198fbadff7e16732cbe83d8134cc1befb0f

memory/4972-34-0x0000000004430000-0x000000000463C000-memory.dmp

memory/4972-35-0x0000000004430000-0x000000000463C000-memory.dmp

memory/4972-80-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4972-88-0x0000000004430000-0x000000000463C000-memory.dmp