Malware Analysis Report

2025-01-22 23:08

Sample ID 241219-blsrfa1mgj
Target b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
SHA256 b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058

Threat Level: Known bad

The file b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (229) files with added filename extension

Renames multiple (698) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-19 01:14

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-19 01:14

Reported

2024-12-19 01:16

Platform

win7-20241023-en

Max time kernel

120s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A

Renames multiple (229) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\FlickLearningWizard.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\7-Zip\Lang\eu.txt.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\BackupDisable.jfif.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\7-Zip\Lang\uk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ru.txt.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cs.txt.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\msadco.dll.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\msadds.dll.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ug.txt.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\7-Zip\Lang\va.txt.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\BackupUnblock.m3u.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fur.txt.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\7-Zip\Lang\bg.txt.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\fr-FR\msadcfr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\it-IT\msadcfr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Free" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "SppComApi.ModemActivation.1" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "SppComApi.ModemActivation" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "ModemActivation Class" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{6D9A7A40-DDCA-414E-B48E-DFB032C03C1B}" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\sppcomapi.dll" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{B0C2A63F-AFF8-40E3-B42D-8A542DC909EC}" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe

"C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe"

Network

N/A

Files

memory/2464-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2464-1-0x0000000003190000-0x000000000339C000-memory.dmp

memory/2464-8-0x0000000003190000-0x000000000339C000-memory.dmp

memory/2464-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2464-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2464-13-0x0000000003190000-0x000000000339C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini.tmp

MD5 0a02469d154c41b0ef5263667c6b9f37
SHA1 89836acb61b0eae1fc5b586f36b0d4d827c1e726
SHA256 70b8f1ca3c858ec299d1dd1950e1f7482eefb35a1a400d72a5f82b71f4cca793
SHA512 34e2834d9894701d4658841c107d6b20cab8495783d52d2a25b5bf3418986bc93e991419e8534c6539b12cb743b6595765f1e00bf2cc9f73beece1a361b8c3fc

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 61beed968c39cebbc8593d091f077cec
SHA1 5b6694bd578f74d3e0013a4bc138fd127f1ca95a
SHA256 4241221bbfcdeb82d24d24b10ea0ac826add2145af2b06d993d5c2df94c85619
SHA512 5a08936c6f3c4445420ab653fc52e1bcebd0e33b817a79fdd01a112c15c083ebfabb1c47f221be400d3d81a72f2a17363887cd7f694c6b1078d2a366d10ba82c

memory/2464-25-0x0000000003190000-0x000000000339C000-memory.dmp

memory/2464-41-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2464-45-0x0000000003190000-0x000000000339C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-19 01:14

Reported

2024-12-19 01:16

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A

Renames multiple (698) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\kk.txt.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadco.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\7-Zip\Lang\fy.txt.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\7-Zip\Lang\ro.txt.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\System\ado\msador15.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\7-Zip\7-zip32.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\CompareSwitch.pptx.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadce.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorlib.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\ClearConfirm.jpe.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll.tmp C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
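
The rows above are the write pattern behind the "Renames multiple files with added filename extension" signature: existing files across Program Files and the Recycle Bin are written back as <name>.<ext>.tmp. The following Python is an added example, not the sandbox's own signature logic: it parses rows in this page's flattened layout, groups them by writing process and flags a process that writes many double-extension files across several directories. The sample rows are copied from this report, plus one constructed benign-looking row (C:\Temp\setup.exe writing a single setup.tmp) for contrast; the thresholds are assumptions to tune against your own telemetry.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Process column exactly as it appears in the behavioral1 rows above.
SAMPLE_PROC = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe")

# Constructed sample: "File created" rows copied from the report, in the page's
# "Description Indicator Process Target" layout, plus one invented benign-looking
# row (an installer writing a single temp file) for contrast.
SAMPLE_ROWS = [f"File created {p} {SAMPLE_PROC} N/A" for p in (
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorlib.dll.tmp",
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp",
    r"C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp",
    r"C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp",
    r"C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp",
    r"C:\Program Files\ClearConfirm.jpe.tmp",
    r"C:\Program Files\7-Zip\7-zip.dll.tmp",
    r"C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp",
)] + [r"File created C:\Program Files\Contoso\setup.tmp C:\Temp\setup.exe N/A"]

# "File created <indicator path> <process path> N/A". Indicator paths contain
# spaces, the process path does not, so anchor on the drive-letter process path.
ROW_RE = re.compile(r"^File created (?P<path>.+?) (?P<proc>[A-Za-z]:\\\S+\.exe) N/A$")


def added_extension(path):
    """Return (original, appended) suffixes when a name looks like an existing
    extension with another one appended ('mscorlib.dll.tmp' -> ('.dll', '.tmp')),
    else None. A plain 'setup.tmp' has no original extension and does not count."""
    suffixes = PureWindowsPath(path).suffixes
    if len(suffixes) >= 2:
        return suffixes[-2].lower(), suffixes[-1].lower()
    return None


def triage(rows, min_rewrites=5, min_dirs=3):
    """Group rows by writing process and flag the ransomware-style pattern:
    many files written under an appended extension, spread across several
    directories. Thresholds are illustrative assumptions, not sandbox defaults."""
    stats = defaultdict(lambda: {"rewrites": 0, "dirs": set(), "trees": set(),
                                 "added": defaultdict(int)})
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        p = PureWindowsPath(m["path"])
        s = stats[m["proc"]]
        s["dirs"].add(str(p.parent))
        # top-level tree such as 'Program Files' or '$Recycle.Bin'
        s["trees"].add(p.parts[1] if len(p.parts) > 1 else p.anchor)
        ext = added_extension(m["path"])
        if ext:
            s["rewrites"] += 1
            s["added"][ext[1]] += 1
    return {
        proc: {
            "rewrites": s["rewrites"],
            "dirs": len(s["dirs"]),
            "trees": sorted(s["trees"]),
            "added_ext": dict(s["added"]),
            "suspicious": s["rewrites"] >= min_rewrites and len(s["dirs"]) >= min_dirs,
        }
        for proc, s in stats.items()
    }


if __name__ == "__main__":
    for proc, v in triage(SAMPLE_ROWS).items():
        flag = "SUSPICIOUS" if v["suspicious"] else "ok"
        print(f"{flag:10} rewrites={v['rewrites']} dirs={v['dirs']} "
              f"trees={v['trees']} added={v['added_ext']} proc={proc}")
```

On the nine rows from this report the sample process is flagged (nine double-extension writes over nine directories in two top-level trees) while the constructed installer row is not; a real deployment would key the same counters on a time window rather than on a whole report.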

System Location Discovery: System Language Discovery

discovery
Reading the NLS\Language key below tells a process the installed system language. Ransomware commonly uses it to skip hosts in certain locales, but plenty of benign software reads the same key, so on its own this is a low-confidence indicator; it only carries weight together with the file-rewrite behaviour recorded in this run.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A

Modifies registry class

The values written below match the registration of the Windows Performance Logs and Alerts (PLA) COM class PLA.TraceSessionCollection in the 32-bit WOW6432Node view: InprocServer32 points at %SystemRoot%\SysWow64\pla.dll and LocalServer32 at %SystemRoot%\SysWow64\plasrv.exe, both genuine system binaries rather than the sample. This is not a COM hijack or a persistence entry; it is most likely a side effect of a 32-bit process using a system COM object, so treat this signature as low-confidence here.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "TraceSessionCollection" C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "both" C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "PLA.TraceSessionCollection" C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe" C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PLA.TraceSessionCollection.1" C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{03837503-098b-11d8-9414-505054503030}" C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe

"C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
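
Every row in this table is a reverse (PTR) lookup of an IPv4 address sent to 8.8.8.8; no forward lookup of a hostname appears in the 18 s network window, so there is no resolved C2 domain to pivot on, only the addresses being reverse-resolved, and those are stored in reversed octet order. Whether the sample or the guest OS issued them is not something this table shows, so verify before treating any of them as C2. The following Python is an added example, not tooling from the report: it decodes in-addr.arpa (and ip6.arpa) names back into addresses and lists, per resolver, the distinct addresses queried, dropping the resolver's lookup of its own address (8.8.8.8.in-addr.arpa). The table is embedded as copied from above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the Network rows of behavioral1 above, in the page's
# "Country Destination Domain Proto" layout.
SAMPLE_NETWORK = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<dst>\S+):(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<proto>\S+)$")


def ptr_to_ip(name):
    """Turn a reverse-lookup name back into the address being asked about.
    IPv4 labels are the octets in reverse ('58.55.71.13.in-addr.arpa' -> 13.71.55.58);
    ip6.arpa names are 32 reversed hex nibbles. Anything else returns None, as do
    partial (classless) in-addr.arpa names such as '10.in-addr.arpa'."""
    n = name.rstrip(".").lower()
    if n.endswith(".in-addr.arpa"):
        labels = n[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            return None
        try:
            return str(ipaddress.IPv4Address(".".join(reversed(labels))))
        except ValueError:
            return None
    if n.endswith(".ip6.arpa"):
        nibbles = n[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or not all(len(x) == 1 for x in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        try:
            return str(ipaddress.IPv6Address(
                ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))))
        except ValueError:
            return None
    return None


def ptr_targets(table):
    """Map resolver -> sorted list of distinct addresses it was asked to
    reverse-resolve. A lookup of the resolver's own address is dropped: it
    identifies the DNS server, not anything the sample is interested in."""
    out = defaultdict(set)
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ip = ptr_to_ip(m["name"])
        if ip is None or ip == m["dst"]:
            continue
        out[m["dst"]].add(ip)
    # sort v4 before v6, then numerically, so mixed families never get compared
    key = lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s))
    return {dst: sorted(ips, key=key) for dst, ips in out.items()}


if __name__ == "__main__":
    for dst, ips in ptr_targets(SAMPLE_NETWORK).items():
        print(f"PTR queries to {dst}: {len(ips)} distinct targets")
        for ip in ips:
            print("  ", ip)
```

For this table the result is ten addresses queried through 8.8.8.8; feed them to passive DNS or your own flow logs before deciding whether they are the sample's infrastructure or background traffic from the guest.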

Files

memory/2452-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2452-2-0x0000000004920000-0x0000000004B2C000-memory.dmp

memory/2452-9-0x0000000004920000-0x0000000004B2C000-memory.dmp

memory/2452-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2452-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2452-14-0x0000000004920000-0x0000000004B2C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

MD5 f847a9fea8d1cfad5a48e0acacd01c5e
SHA1 6e3a0ec1710eb96f48e46fc270134d904adab49a
SHA256 9781eb9463fc1e3b94ae1f369e71758ae9b3533a867c58bee0f7f8075ba4cec9
SHA512 71b51dff854915c44a91d8396f552411e4fb3d5aae7d1ab13f585a9761eef22ea0ef34c149fa61d3b6c1f38d5e938d62955f02849d66644c257e1a350b37dc40

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 3200aed53b6a1df1b86fd95a8ff98e98
SHA1 7aee91fb73a69cbe61ab0160ee8fc11ade445aea
SHA256 e3f837a1d6261902f49da6b3546dfe81055a217c6dc41c7882eaddbb64772081
SHA512 303d337e458c67d04f97d6ef913c92469fe89e4baadec044a5b722c5542ef4fbaa9934ddee2543cef0e6eaa4451c1048960ef28789b9eafa7bb369ea1aebb9be

memory/2452-58-0x0000000004920000-0x0000000004B2C000-memory.dmp

memory/2452-59-0x0000000004920000-0x0000000004B2C000-memory.dmp

memory/2452-168-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2452-190-0x0000000004920000-0x0000000004B2C000-memory.dmp
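
The memory/<pid>-<n>-<base>-<end>-memory.dmp names above encode the dumped process (PID 2452), the order in which each dump was taken, and the address range of the region. Two regions recur: 0x400000-0x616000, which sits at the conventional image base of a 32-bit PE and so is most likely the sample's own mapped image, dumped four times; and 0x4920000-0x4B2C000, a separately allocated region dumped six times, which is where an analyst would first look for unpacked code. The following Python is an added helper, not part of the sandbox's tooling: it parses those names, groups them per region and picks the latest dump of each non-image region as the candidate to open in a disassembler. The assumption that a base of 0x400000 marks the image is an analyst heuristic, not something the report states.

```python
import re

# Constructed sample: the memory dump names listed under Files above.
SAMPLE_DUMPS = [
    "memory/2452-0-0x0000000000400000-0x0000000000616000-memory.dmp",
    "memory/2452-2-0x0000000004920000-0x0000000004B2C000-memory.dmp",
    "memory/2452-9-0x0000000004920000-0x0000000004B2C000-memory.dmp",
    "memory/2452-12-0x0000000000400000-0x0000000000616000-memory.dmp",
    "memory/2452-13-0x0000000000400000-0x0000000000616000-memory.dmp",
    "memory/2452-14-0x0000000004920000-0x0000000004B2C000-memory.dmp",
    "memory/2452-58-0x0000000004920000-0x0000000004B2C000-memory.dmp",
    "memory/2452-59-0x0000000004920000-0x0000000004B2C000-memory.dmp",
    "memory/2452-168-0x0000000000400000-0x0000000000616000-memory.dmp",
    "memory/2452-190-0x0000000004920000-0x0000000004B2C000-memory.dmp",
]

# <pid>-<sequence>-<base>-<end>; sequence is the order the dump was taken in.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<base>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

DEFAULT_IMAGE_BASE_32 = 0x400000  # conventional link-time base of a 32-bit PE (heuristic)


def parse_dump_name(name):
    """Split a dump file name into its fields; None if it is not a dump name
    or the range is empty/inverted."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    base, end = int(m["base"], 16), int(m["end"], 16)
    if end <= base:
        return None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "base": base, "end": end, "size": end - base}


def group_regions(names):
    """Collapse dump names into one entry per (pid, base, end) region: how many
    times it was dumped, the last dump of it, and whether it sits at the default
    32-bit image base (i.e. is probably the sample's own mapped image). A region
    that is not the image but was dumped repeatedly is the first place to look
    for unpacked code, and its highest-sequence dump is the usual starting point."""
    regions = {}
    for n in names:
        d = parse_dump_name(n)
        if d is None:
            continue
        key = (d["pid"], d["base"], d["end"])
        r = regions.setdefault(key, {
            "size": d["size"], "count": 0, "latest_seq": -1, "latest": None,
            "likely_image": d["base"] == DEFAULT_IMAGE_BASE_32})
        r["count"] += 1
        if d["seq"] > r["latest_seq"]:
            r["latest_seq"], r["latest"] = d["seq"], n
    return regions


def unpack_candidates(names):
    """Latest dump of each non-image region, largest region first."""
    regs = group_regions(names)
    ordered = sorted(regs.values(), key=lambda r: -r["size"])
    return [r["latest"] for r in ordered if not r["likely_image"]]


if __name__ == "__main__":
    for (pid, base, end), r in group_regions(SAMPLE_DUMPS).items():
        print(f"pid {pid} {base:#010x}-{end:#010x} size={r['size']:#x} "
              f"dumps={r['count']} latest={r['latest']} image={r['likely_image']}")
    print("inspect first:", unpack_candidates(SAMPLE_DUMPS))
```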