Malware Analysis Report

2025-01-22 23:09

Sample ID 241203-ygncgs1jdx
Target f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe
SHA256 f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748

Threat Level: Known bad

The file f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload family

Banload

Renames multiple (212) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (498) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-03 19:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-03 19:45

Reported

2024-12-03 19:47

Platform

win7-20240729-en

Max time kernel

120s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A

Renames multiple (212) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\NaturalLanguage6.dll" C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe

"C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe"

Network

N/A

Files

memory/2688-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2688-1-0x0000000003490000-0x000000000369C000-memory.dmp

memory/2688-8-0x0000000003490000-0x000000000369C000-memory.dmp

memory/2688-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2688-13-0x0000000003490000-0x000000000369C000-memory.dmp

memory/2688-11-0x0000000000400000-0x0000000000616000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

MD5 6e86b3b181c2bc1340cfba6f6bc26297
SHA1 2749157f15cdee266a847f7fa76de7c8c68a27a6
SHA256 e8e91b343d384a062c79fa266d860fe95ddd7f96a81a97821d59d37da228a648
SHA512 b2ec3dc6a3dd07ce08b188be41bffe642356b18f33bc79fc2ad5d1a44cba2ae021422f829a4812e61af10bbaa8be1061105290f4c2319ec9845f555e54823264

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 a6d5bbf4ae957fe6f7e5a2d65f56b597
SHA1 cfdaf6a51d1bf1f5a5df582d82d8518a8a6c0012
SHA256 d5f017b9de88d91d75c882962b36cc80412d2c2d1156936a0787edfbeebbf620
SHA512 105c9d7df4fe15087e998be6131de0cd0eac39e1ae73166fd32dab7d62e5bf33993a1530f15ea5a40d3fed4a5f94791821b9bdf3a784439d02efd975cb600ac3

memory/2688-25-0x0000000003490000-0x000000000369C000-memory.dmp

memory/2688-26-0x0000000003490000-0x000000000369C000-memory.dmp

memory/2688-41-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2688-47-0x0000000003490000-0x000000000369C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-03 19:45

Reported

2024-12-03 19:47

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A

Renames multiple (498) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%systemroot%\\SysWow64\\comuid.dll" C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "PSFactoryBuffer" C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe

"C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/1964-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1964-2-0x0000000004960000-0x0000000004B6C000-memory.dmp

memory/1964-9-0x0000000004960000-0x0000000004B6C000-memory.dmp

memory/1964-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1964-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1964-14-0x0000000004960000-0x0000000004B6C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp

MD5 a485096c19d859e4f2a85af366082579
SHA1 0f83b9aee6fd1bc833176305753fd2380573a6cc
SHA256 c2439ffe7efcd6a62d103273b82d5f76bb3b5210ca8a8d63f3fa35adedc039c8
SHA512 aa28e77b59f7c1d535996645998df05c80dbc4e30d2d603ea8b96c18e524d33e67f92892c4d1ddabdebe7be47b801213edfcbd623648073ad8dda194a80b6186

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 5423de43c0c2a5ed8a2e9e6e0a2c6cff
SHA1 229fc01233a39a551327bacc18c5cb164790cca9
SHA256 4523fd552baf0cfad2f65bd5865e054b34d3ddc1b79d052222814f90b336ff91
SHA512 62d9264bafee47e0037f83c6340a1b4a1fb67a3b41537f915b1d718750f860040ad9ccdc7fff74453d37fdbb983ed785fdba20bb079917a778e7ce86077f0df2

memory/1964-48-0x0000000004960000-0x0000000004B6C000-memory.dmp

memory/1964-49-0x0000000004960000-0x0000000004B6C000-memory.dmp

memory/1964-128-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1964-144-0x0000000004960000-0x0000000004B6C000-memory.dmp