banload | f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Size

3.5MB
MD5

30a4f6d4a0e6c5187e1b03d37ff5fd70
SHA1

381ecea8734578b0109653daa726703b2908e4dd
SHA256

f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11
SHA512

25d027627be355eb9863531ad7ba57bcee98b081262e13ac69c955f76aa9e45ba983a83d569946b6499fa48f68a37f10a8dc44c28d0f0a66ad237ee0f7367a82
SSDEEP

49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvVPYOKQrgCGMxu3fFne4j4ZMljX:RF8QUitE4iLqaPWGnEv+OKQr8MAvFrX

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe

Renames multiple (211) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\micaut.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.tmp	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both"	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\2.0.0.0	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgId\ = "System.Runtime.InteropServices.COMException"	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\2.0.0.0\Assembly = "mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\2.0.0.0\RuntimeVersion = "v2.0.50727"	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgId	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "mscoree.dll"	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "System.Runtime.InteropServices.COMException"	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "System.Runtime.InteropServices.COMException"	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v1.1.4322"	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\2.0.0.0\Class = "System.Runtime.InteropServices.COMException"	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2536	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
Token: SeIncBasePriorityPrivilege	2536	f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe

C:\Users\Admin\AppData\Local\Temp\f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe
"C:\Users\Admin\AppData\Local\Temp\f49e78721c3e8f31e0e8ca174c13545d55cc79e1e2e5dd34b11d9678caf06e11N.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

Filesize
3.6MB

MD5
14144d0938ad4fcd70c88b5806aee7af

SHA1
c469e8c74f28b244f6e35996df62a74cb66330df

SHA256
3be59711e32280fa7ee4b280bd41a86134d05b8c6d4a639cb0c8336c3a539fa0

SHA512
7e6491eb1b176a9b9af0b48f7c6e4e1ad09116c65b0daca8b8281e1e5f27dda8b7c9bee22fdafa1508c686e83e015da7a993884d2bd00674122c6a95e97fd8d0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
3.6MB

MD5
c1c0dba955796d57763099ce47f604c5

SHA1
8ce06a3942e54246564e0609891ae89bcb4f18d1

SHA256
b7d216b6c61b902acef33635898469132c6d42be8f907b952aac390323f4c3cc

SHA512
a1c4e6ff8f75ec0895e055daf2a24ad12f872ab1b660f809eaa7007513e678d13c3bd2cfecd29c4421c0c77b292ce85720eb1dab0f499059ec605084f57dd22a

Download Submit
memory/2536-13-0x0000000003070000-0x000000000327C000-memory.dmp

Filesize
2.0MB

Download
memory/2536-11-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2536-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2536-8-0x0000000003070000-0x000000000327C000-memory.dmp

Filesize
2.0MB

Download
memory/2536-1-0x0000000003070000-0x000000000327C000-memory.dmp

Filesize
2.0MB

Download
memory/2536-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2536-26-0x0000000003070000-0x000000000327C000-memory.dmp

Filesize
2.0MB

Download
memory/2536-25-0x0000000003070000-0x000000000327C000-memory.dmp

Filesize
2.0MB

Download
memory/2536-43-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2536-49-0x0000000003070000-0x000000000327C000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads