Malware Analysis Report

2025-01-22 23:11

Sample ID 241205-bvcrks1mfv
Target a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58
SHA256 a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58
Tags: banload discovery downloader dropper evasion ransomware trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58

Threat Level: Known bad

The file a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Renames multiple (354) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (198) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-05 01:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-05 01:27

Reported

2024-12-05 01:30

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A

Renames multiple (198) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\et.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\nl.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\sq.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\7z.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\cy.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\mng.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\es.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\nn.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwritash.dat.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\mng2.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\ru.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\readme.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\lv.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\de.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\en.ttt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\kab.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\hr.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\is.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\it.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\descript.ion.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\sw.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\ClearCheckpoint.vsd.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\da.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\cs.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\pt.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\sv.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\msscp.dll" C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "PSFactoryBuffer" C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe

"C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe"

Network

N/A

Files

memory/1620-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1620-1-0x00000000030A0000-0x00000000032AC000-memory.dmp

memory/1620-8-0x00000000030A0000-0x00000000032AC000-memory.dmp

memory/1620-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1620-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1620-13-0x00000000030A0000-0x00000000032AC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

MD5 f6fe8385d95098010eac831cec09c7d9
SHA1 a66b6974038c6b687071e286ccaf8c2e3dab9b66
SHA256 614a03cd2fe4bb0259076d61d9f50ada563a03837b24af1dd98f9deee298cb64
SHA512 d4e8cd6ef4a48f1b247f9119cdb1674ed65d70d6260f81860c06498f328b57b8ca8f0fc95b5e0df63ce9dc150a76f89fcc642ad3ca2709a6ad6be72382626763

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 fb6d90e6447ecfee4d232343c8f72735
SHA1 86adc15a8f2e64629e45be3a7161af32eca0630f
SHA256 dc9c7fc04e6c316d559eea266905a5aed57f31c47dbd246ba7f7784e3edc98ea
SHA512 0e2400bbbf21ccb3e74c697df43bc2666ded9ae88cd52b289823d252f0f1d21aa5d5cdc46f753f550f5e29801614e3e384753612673d558b8c8f8f049625c901

memory/1620-26-0x00000000030A0000-0x00000000032AC000-memory.dmp

memory/1620-25-0x00000000030A0000-0x00000000032AC000-memory.dmp

memory/1620-37-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1620-43-0x00000000030A0000-0x00000000032AC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-05 01:27

Reported

2024-12-05 01:30

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A

Renames multiple (354) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\el.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\ConvertFromWait.sql.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\7-zip.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\pl.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\sq.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\eo.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\cs.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\ku.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\fa.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\CompressSuspend.edrwx.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\et.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\ga.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\br.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\io.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\System\ado\msado28.tlb.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\System\wab32res.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\7-Zip\Lang\kab.txt.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{03837503-098b-11d8-9414-505054503030}" C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "TraceDataProvider" C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "both" C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe" C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PLA.TraceDataProvider.1" C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "PLA.TraceDataProvider" C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe

"C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files
