Malware Analysis Report

2025-01-22 23:09

Sample ID: 241203-xybvcazja1
Target: 32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe
SHA256: 32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c
Tags: banload discovery downloader dropper evasion ransomware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c

Threat Level: Known bad

The file 32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (200) files with added filename extension

Renames multiple (247) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-03 19:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-03 19:15
Reported: 2024-12-03 19:17
Platform: win7-20240729-en
Max time kernel: 120s
Max time network: 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe"

Signatures

Banload

Tags: trojan dropper downloader banload

Banload family

Tags: banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A

Renames multiple (200) files with added filename extension

Tags: ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\7z.dll.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\History.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\hi.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\ClearSend.contact.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\co.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ru.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tg.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tt.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\readme.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\7z.sfx.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\bg.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\en.ttt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ky.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mn.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ko.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\az.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\et.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fa.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\gl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\hr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\is.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\yo.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sq.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\7z.exe.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\uk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\BlockExpand.ogg.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ba.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\gu.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ja.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ug.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\lij.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3\ = "1,32,1" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0047005200410050004800460069006c00650073003e0050004e006b004f002900500077006b002500410078003d003300720045007000580049007300330000000000 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "MSGraph.Chart.8" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2\ = "Chart" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\graph.ico,0" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0\ = "&Edit,0,2" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1\ = "&Open,0,2" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.3" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3\ = "Microsoft Graph Chart" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{000C0118-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2\ = "1,16,1" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GRAPH.EXE" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Typelib | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\ = "1" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Typelib\ = "{00020802-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable\Main | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1\ = "1,1,1" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Graph Chart" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main\ = "GBiff5,MSGraph" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "MSGraph.Chart" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable\Main\ = "GBiff5" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile\ = "GBiff5" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe

"C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe"

Network

N/A

Files

memory/2904-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2904-1-0x00000000035E0000-0x00000000037EC000-memory.dmp

memory/2904-8-0x00000000035E0000-0x00000000037EC000-memory.dmp

memory/2904-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2904-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2904-13-0x00000000035E0000-0x00000000037EC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

MD5 457743cb4c42e014a835a0c40d021aa5
SHA1 7a0dc2924bc837eb06338233e2e8dfd42ff676a7
SHA256 f751940751a8bebcc52f408908425784d36fda0b3e839f8d9818565a629b0622
SHA512 51679c980b792f5a47fd57349bb503ad5e90bb97ed560bb13267e13f827241eeb5b01be1527c33f625e211a22b8b541a769b0113abf1d2348d8272fd277e7ce4

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 716af9d36928f24d10876bb1339c326e
SHA1 3cf69e0574a9a446311422d33ac96a4215cd9b67
SHA256 68042a4156bfd07f0517d9bf2cd84ae31c479de67c943e9429628bd4e9761d0c
SHA512 d05e0b64b6c1e0a911b4679140c3df950a7d05382643ddc5a8434bc543ddd11c74cedf33e7ef6b3d1ad488c69ae00faf78f4f38a8f0de53add66b55198ad308c

memory/2904-25-0x00000000035E0000-0x00000000037EC000-memory.dmp

memory/2904-37-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2904-43-0x00000000035E0000-0x00000000037EC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-03 19:15
Reported: 2024-12-03 19:17
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe"

Signatures

Banload

Tags: trojan dropper downloader banload

Banload family

Tags: banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A

Renames multiple (247) files with added filename extension

Tags: ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ko.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fur.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\System\ado\msado21.tlb.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\mshwjpnr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\ClearTest.jpe.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ka.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ru.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ug.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\Common Files\Services\verisign.bmp.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\7-Zip\Lang\uz.txt.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\System\ado\msado20.tlb.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\7-Zip\readme.txt.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\7-Zip\Lang\be.txt.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\7-Zip\Lang\hy.txt.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\7-Zip\Lang\ro.txt.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\AddGroup.xps.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\System\ado\msadomd.dll.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\7-Zip\Lang\mng.txt.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PLA.LegacyDataCollectorSet.1" C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "LegacyDataCollectorSet" C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "both" C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "PLA.LegacyDataCollectorSet" C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{03837503-098b-11d8-9414-505054503030}" C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe" C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe

"C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/2364-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2364-2-0x00000000048F0000-0x0000000004AFC000-memory.dmp

memory/2364-8-0x00000000048F0000-0x0000000004AFC000-memory.dmp

memory/2364-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2364-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2364-13-0x00000000048F0000-0x0000000004AFC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

MD5 3d13719855758a947f8a38c798b36fc3
SHA1 55bd1525f712b2af32d26c7170604135a29dc9df
SHA256 a25b3c129b130c5a8c4bc70dcd83965df5be7b5d89d6bc4ba29516a26c42a340
SHA512 a1ea8d512c0568006319ff2e781dbb7ae0d84e5052b54042f3c43e0c482f2fa6cc72ee57ca10c9ae9dc7b003e8baa0bbcbed1ba94ac1d6bacde7aba76d76f8f7

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 1f652eac2adfb192e0d838e8ea9c193f
SHA1 cd6e42747dbf8bfa8aa32c02cb734350723b92bf
SHA256 24a50802e0ce0bcf3e7790341718ea88f0177fe2debfb6316a0f22a9c4e4ad78
SHA512 77814d7ae4689e0bb936377c9700a4f5cada23d45b0f2475e7ccfafa38100c48279e284d8c18f5cff0b29f8beed88450072402799e89631ca1298038e305c89e

memory/2364-34-0x00000000048F0000-0x0000000004AFC000-memory.dmp

memory/2364-33-0x00000000048F0000-0x0000000004AFC000-memory.dmp

memory/2364-85-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2364-95-0x00000000048F0000-0x0000000004AFC000-memory.dmp