Malware Analysis Report

2025-01-22 23:04

Sample ID 241202-1k46hszpbr
Target 3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe
SHA256 3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a

Threat Level: Known bad

The file 3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload family

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (436) files with added filename extension

Renames multiple (195) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-02 21:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-02 21:43

Reported

2024-12-02 21:45

Platform

win7-20240903-en

Max time kernel

119s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Renames multiple (195) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\descript.ion.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\uk.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\af.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\hu.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\mr.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\nb.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\tt.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\de.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\pa-in.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\tr.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\ug.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\kk.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\ro.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\vi.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\7z.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\pt-br.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\cy.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\es.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\ca.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\PEOPLE~1.DLL" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "MsoPeopleDataHandler.PeopleDataProvider.1" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "MsoPeopleDataHandler.PeopleDataProvider" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe

"C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe"

Network

N/A

Files

memory/2332-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2332-1-0x0000000003040000-0x000000000324C000-memory.dmp

memory/2332-8-0x0000000003040000-0x000000000324C000-memory.dmp

memory/2332-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2332-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2332-13-0x0000000003040000-0x000000000324C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

MD5 a0653a79cf90944b67f283d6fd7d1755
SHA1 d07a1ad427aac065b3d249f763ef4aa436f73306
SHA256 59b64158eafb95b5fc7c29b00612f719489e44bdc03064bd71cce89640f82aa3
SHA512 f8c3c42bae2ec3513b1fb5f8ff36bbf2e673d8049f84eed1bf9f6953b1a3086470ef5e1591fb8682c1d84009a836a46e6b8c5565f6696b7a2fa5a0777e2dbd9b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 9e2ef83a450a4fff55826d7d4a2f7382
SHA1 70b8e7a145da9b1decb4b5e5c6997fbced57b723
SHA256 5b2864caf9c6cb6bca6266a6732415859b94502086433e025ceb9b92947f067e
SHA512 7c7f4de4c361048f3a7c60ca33dfdc680ad6dee1aeae1d3fc42d0bb60229f3f2469e4383db28bfbf953e7969472da33387a96a9734d0296e4aa7f7e16dc4fece

memory/2332-25-0x0000000003040000-0x000000000324C000-memory.dmp

memory/2332-41-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2332-45-0x0000000003040000-0x000000000324C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-02 21:43

Reported

2024-12-02 21:45

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Renames multiple (436) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\ca.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\hy.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\pa-in.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\tr.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\ast.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\da.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\nl.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\7-Zip\Lang\lv.txt.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
File created C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "&Address" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MenuTextPUI = "@explorerframe.dll,-13137" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{00021492-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\explorerframe.dll" C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe

"C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/636-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/636-2-0x0000000004980000-0x0000000004B8C000-memory.dmp

memory/636-9-0x0000000004980000-0x0000000004B8C000-memory.dmp

memory/636-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/636-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/636-14-0x0000000004980000-0x0000000004B8C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

MD5 19cd93d73475b17897c6357a36114ae3
SHA1 05298a3c505a3fb1a863fe8eacc4d5ac9e4d48b4
SHA256 9dee26500f27b39df676ba348f6d29564c86a39f21d65875e737e0760a4863d7
SHA512 9b065d4c202f2be98d2229d871847e49d562803393535ecdc1b8a957f73d405661811ab47630ca28303faf49630f789c53f136ec1cdd6192fc6c9fd45108d49a

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 0ff1f7121d40188f1bb8125083cd82c6
SHA1 660a6254b5db279bd8d6de84c6a9bb7725dae09a
SHA256 4faa7b81b40b4ee7d12134d03e39d5167f83ac12153b56f62cfbfbebde5e920a
SHA512 b75955a8d759797eec8fe423e64d94485ce51e3f82043e6bbebc6b65f0fa87218ed9755995ebdfe0df836f4b496929d928806aaf9226177c579399257caf8145

memory/636-42-0x0000000004980000-0x0000000004B8C000-memory.dmp

memory/636-43-0x0000000004980000-0x0000000004B8C000-memory.dmp

memory/636-116-0x0000000000400000-0x0000000000616000-memory.dmp

memory/636-132-0x0000000004980000-0x0000000004B8C000-memory.dmp