Malware Analysis Report

2025-01-22 23:09

Sample ID 241202-qpfcva1kgq
Target f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
SHA256 f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8

Threat Level: Known bad

The file f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (520) files with added filename extension (behavioral2, win10v2004-20241007-en)

Renames multiple (214) files with added filename extension (behavioral1, win7-20240903-en)

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-02 13:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-02 13:25

Reported

2024-12-02 13:28

Platform

win7-20240903-en

Max time kernel

120s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Renames multiple (214) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\id.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\pt-br.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\io.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\it.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\7zCon.sfx.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\AddExit.gif.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\7z.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\7z.sfx.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\bg.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\ps.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\ky.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\uz.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\mk.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\cs.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\gu.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "PSFactoryBuffer" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

"C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe"

Network

N/A

Files

memory/2084-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2084-1-0x0000000002FA0000-0x00000000031AC000-memory.dmp

memory/2084-8-0x0000000002FA0000-0x00000000031AC000-memory.dmp

memory/2084-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2084-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2084-13-0x0000000002FA0000-0x00000000031AC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

MD5 aca248dd384f050e935fb0e9cbe477d8
SHA1 abd83777609cfe602280bcd699d0bc9a9cd1dedf
SHA256 124244b402f7c78a709a3f6a1e9f965ce1542f5b36b65697bcea27e96b92ff46
SHA512 3363c8709d3e5ec6b05a5d28d363164339f1c0f31b8ee828f1ea067b60bed1ad7e21e2ca9d39cde0dc403b395e2e02e1a89a3a807c4522b4852fc30a44409fdd

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 1221b775869ca223d729d693ef2c427a
SHA1 d7e5939224597d6d474def861620834c2d3a7a01
SHA256 cc471550c48abef36d80480e076d6cc991463226892b25e0ed72402d9cc27816
SHA512 8eb50e7b23d28db264780080ab7d4549792a64426c38a99eb94ea408a15dfa4305130c09b64a84901f55ac81c33d28ea8090b1a80192a972540df8a82706a670

memory/2084-25-0x0000000002FA0000-0x00000000031AC000-memory.dmp

memory/2084-43-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2084-49-0x0000000002FA0000-0x00000000031AC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-02 13:25

Reported

2024-12-02 13:28

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Renames multiple (520) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\ug.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\ro.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\uk.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\af.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\co.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\si.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\sl.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\hu.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Crashpad\metadata.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\7-Zip\Lang\fur.txt.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrfralm.dat.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
File created C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mscoree.dll" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "System.Globalization.IdnMapping" C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe N/A
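Both detonations report the same five behaviours in the same table layout: the VBOX__ ACPI probe, the SystemBiosVersion/SystemBiosDate queries, the mass creation of .tmp files under Program Files, the NLS\Language lookup and the writes to the CLSID {5ADD62E2-4A23-86F4-8704-0C62BF6886E2} InProcServer32 key. The Python below is an added example, not part of the sandbox output or of the sample: it parses rows in the report's own "Description Indicator Process Target" layout (a constructed subset of the rows from both runs, with the process column written as <P> and expanded before parsing), flags the anti-VM registry probes, counts .tmp drops per process, and lists every DLL each CLSID's InProcServer32 was pointed at. Two things a practitioner should keep in mind: the VirtualBox check in the code is widened to the FADT and RSDT keys, which carry the same VBOX__ OEM id but which this report did not record (an assumption, marked in the code); and both InProcServer32 values recorded here point at system DLLs (PhotoAcq.dll on the Windows 7 run, the .NET COM host mscoree.dll on the Windows 10 run), so the "Modifies registry class" signature is on its own not a persistence finding. The untrusted_com_servers check is what would turn it into one.

```python
"""Parse the flattened "Description Indicator Process Target" rows of a sandbox
report into three signals: anti-VM registry probing, mass .tmp creation under
Program Files, and where each CLSID's InProcServer32 was pointed."""
import re
from collections import Counter

# Process path of the sample exactly as the report prints it.
PROC = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe")

# Constructed sample input: rows copied from the behavioral1 (Windows 7) and
# behavioral2 (Windows 10) tables of the report, the process column written as <P>.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ <P> N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion <P> N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate <P> N/A
File created C:\Program Files\7-Zip\Lang\id.txt.tmp <P> N/A
File created C:\Program Files\7-Zip\7z.dll.tmp <P> N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp <P> N/A
File created C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp <P> N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp <P> N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language <P> N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 <P> N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll" <P> N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mscoree.dll" <P> N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "System.Globalization.IdnMapping" <P> N/A
""".strip().replace("<P>", PROC).splitlines()

# Indicators may contain spaces; the process and target are the last two tokens.
ROW_RE = re.compile(r"^(Key opened|Key value queried|Key created|Set value \(\w+\)|File created)"
                    r" (.+?) (\S+) (\S+)$")

def parse_rows(lines):
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(dict(zip(("desc", "indicator", "process", "target"), m.groups())))
    return rows

# VirtualBox leaves its VBOX__ OEM id in the ACPI tables. The report shows the DSDT
# key; FADT and RSDT carry the same id and are added here as an assumption.
ANTI_VM_PATTERNS = {
    "vbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I),
    "bios_info": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\SystemBios(Version|Date)$", re.I),
}

def anti_vm_hits(rows):
    hits = []
    for r in rows:
        if r["desc"].startswith("Key"):
            for category, pat in ANTI_VM_PATTERNS.items():
                if pat.search(r["indicator"]):
                    hits.append({"category": category, "key": r["indicator"]})
    return hits

def tmp_drops(rows, root=r"C:\Program Files"):
    """Count .tmp files each process creates under root and recover the paths
    they sit next to (the report lists 7-zip.dll.tmp beside 7-zip.dll)."""
    counts, shadowed = Counter(), []
    for r in rows:
        p = r["indicator"]
        if r["desc"] == "File created" and p.lower().startswith(root.lower()) and p.lower().endswith(".tmp"):
            counts[r["process"]] += 1
            shadowed.append(p[:-len(".tmp")])
    return counts, shadowed

COM_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32\\ = "(.+)"$', re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files", "%programfiles", "%systemroot%", "%windir%")

def com_registrations(rows):
    """CLSID -> every DLL path written to its InProcServer32 default value."""
    regs = {}
    for r in rows:
        m = COM_RE.search(r["indicator"]) if r["desc"].startswith("Set value") else None
        if m:
            regs.setdefault(m.group(1).upper(), []).append(m.group(2))
    return regs

def untrusted_com_servers(regs):
    """CLSIDs whose server DLL lives outside the OS and program directories:
    a dropped DLL registered this way is loaded by whatever instantiates the class."""
    return sorted(clsid for clsid, dlls in regs.items()
                  if any(not d.lower().replace("\\\\", "\\").startswith(TRUSTED_DIRS) for d in dlls))

def triage(lines, drop_threshold=5):
    rows = parse_rows(lines)
    counts, shadowed = tmp_drops(rows)
    regs = com_registrations(rows)
    return {
        "rows": len(rows),
        "anti_vm": anti_vm_hits(rows),
        "tmp_drops": dict(counts),
        "mass_drop_processes": sorted(p for p, n in counts.items() if n >= drop_threshold),
        "shadowed_files": shadowed,
        "com_inproc": regs,
        "untrusted_com": untrusted_com_servers(regs),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

The drop threshold of 5 is only as low as it is because the constructed input is a handful of rows; against a full run (214 and 520 renames here) the count itself is the ransomware signal, and the shadowed_files list is what tells you which system files the .tmp copies were placed next to.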

Processes

C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

"C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.72.21.2.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
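The Network table of this run records only DNS traffic to 8.8.8.8:53, all of it PTR (in-addr.arpa) lookups, and the win7 run recorded no network activity at all; the table does not say which process issued the queries. The Python below is an added example, not part of the sandbox output: it parses rows in the table's own "Country Destination Domain Proto" layout (a constructed copy of the rows above plus one assumed forward query, example.invalid, which the report does not contain), decodes each in-addr.arpa name back to the IPv4 address it asks about, and separates PTR from forward lookups. The decoded addresses are pivots to check against the run's process and packet data, not indicators on their own.

```python
"""Turn the PTR (reverse-DNS) queries in a sandbox Network table back into the
forward IPv4 addresses they asked about, and separate them from forward lookups."""
import ipaddress
import re

# Constructed sample input: the behavioral2 Network rows of the report, copied
# verbatim, plus one forward lookup (assumed, not in the report).
NETWORK_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.72.21.2.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 example.invalid udp
""".strip().splitlines()

PTR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.in-addr\.arpa\.?$", re.I)

def ptr_to_ipv4(name):
    """'228.249.119.40.in-addr.arpa' -> IPv4Address('40.119.249.228');
    None for forward names or for octets that are not valid IPv4."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    reversed_octets = m.group(1).split(".")[::-1]
    try:
        return ipaddress.IPv4Address(".".join(reversed_octets))
    except ValueError:  # an octet above 255 matched \d{1,3} but is not an address
        return None

def parse_network(lines):
    """Rows are 'Country Destination Domain Proto' with Destination as host:port."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":  # skip header and junk
            continue
        country, dest, domain, proto = parts
        host, _, port = dest.rpartition(":")
        records.append({"country": country, "resolver": host, "port": int(port),
                        "proto": proto, "query": domain, "ip": ptr_to_ipv4(domain)})
    return records

def summarize(lines):
    recs = parse_network(lines)
    ptr_ips = [r["ip"] for r in recs if r["ip"] is not None]
    return {
        "resolvers": sorted({f'{r["resolver"]}:{r["port"]}/{r["proto"]}' for r in recs}),
        "ptr_targets": [str(ip) for ip in ptr_ips],
        "ptr_private": [str(ip) for ip in ptr_ips if ip.is_private],
        "forward_queries": [r["query"] for r in recs if r["ip"] is None],
    }

if __name__ == "__main__":
    for key, value in summarize(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

ptr_private is included because a PTR lookup of an RFC 1918 address from a sandbox guest is the kind of thing worth noticing (it points at the lab network rather than the internet); for this run the list is empty.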

Files

memory/2420-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2420-2-0x0000000004960000-0x0000000004B6C000-memory.dmp

memory/2420-9-0x0000000004960000-0x0000000004B6C000-memory.dmp

memory/2420-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2420-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2420-14-0x0000000004960000-0x0000000004B6C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

MD5 e40a2f9817cbf911008f7b3aa904d18e
SHA1 528d02eef642d17eefd8b930ad6a4d42d734c338
SHA256 1698bb22cdfc00046670a935a25742d70d47ab6d67b3c85fe449c559bf91a19a
SHA512 86bf5565281f5b75f5d5a0c02528881e9fe5765f1d80adb2150940925ce709e6574f1facd3deb5c7eb8f4a3ba8ad7fd21e6b86c2ccdd2931f32049842c436790

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 32d5188366d79f0845944456bba720f7
SHA1 9b825ee0097901862cd12fa8b781bf337ffd2769
SHA256 3f3f8615f4469fa802db90a3851b33da1e9370d35e795f958dcd511ffacdd8d6
SHA512 0ba3cc3efe95a49b8cbbd0632e1169a09114d964f67d34248f64dcf1674df0b48d67f075c7062eb3c10fd2d3ea0ff776bb12801547bf68ea038e8f6f66ae9c93

memory/2420-46-0x0000000004960000-0x0000000004B6C000-memory.dmp

memory/2420-47-0x0000000004960000-0x0000000004B6C000-memory.dmp

memory/2420-130-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2420-148-0x0000000004960000-0x0000000004B6C000-memory.dmp