Malware Analysis Report

2025-01-22 23:10

Sample ID: 241205-akvnzaylbw
Target: 8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69
SHA256: 8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69
Tags: banload discovery downloader dropper evasion ransomware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69

Threat Level: Known bad

The file 8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Renames multiple (200) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (231) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-05 00:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-05 00:16

Reported

2024-12-05 00:19

Platform

win7-20240729-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A

Renames multiple (200) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AutoConvertTo | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AutoConvertTo\ = "{64818D10-4F9B-11CF-86EA-00AA00B929E8}" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PowerPoint.Show.4" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TreatAs | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TreatAs\ = "{64818D10-4F9B-11CF-86EA-00AA00B929E8}" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe

"C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe"

Network

N/A

Files


C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

MD5 a4056149a6949e7651f04132fd3b82b7
SHA1 f21637cfa95c0053c35885b0eb67cb68da07c433
SHA256 0d2b272b1950b3921fe6cbb73cd898155b97fb34e0f6826499dfb46b561ffa3a
SHA512 30bdd25149eecd576c96cb62c0264d805ce5a96fe0cbe95a979ed4836e37d1a1779d063ac1dd71f62dba020e80e27e212ed344ec70f1c5f95d49bd5d48e71d7a

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 0138bbae4655d92c2515686868c1f901
SHA1 8dfb965c1609e20683fa819319ae959e929ce128
SHA256 bb30e5f01a08142f07cafdf382c5138af756816eeea19f837aaf09cd27602a92
SHA512 8bd9b0931faee8f09fdcd4d97d6464476d96117e170418ca0def108688b09035833d03d281232a15113d697181612dd089eda78704df305381b825ab84c1199e


Analysis: behavioral2

Detonation Overview

Submitted

2024-12-05 00:16

Reported

2024-12-05 00:19

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A

Renames multiple (231) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalizedString = "@%systemroot%\\system32\\appwiz.cpl,-184" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Elevation | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Elevation\IconReference = "@%SystemRoot%\\system32\\appwiz.cpl,-1507" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\appwiz.cpl" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "ARP CBS Uninstaller Proxy" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{0da7bfdf-c0a0-44eb-be82-b7a82c4721de}" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Elevation\Enabled = "1" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe

"C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe"

Network


Files


C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

MD5 10a8c03de70345104b2777e81e9990d3
SHA1 4a479b93368905524e67967de2b3f326bd9925f6
SHA256 1dd175971a80c3f8f674e0371d9ce16c8b66a1c580e3a94b77e1b73de24968e6
SHA512 bdd866c3fb23d0cdce5656593187ea4d100524d83e078d85ea09bba4766b94f2dfe6559cbac231e94766d119cdebe18f3ad0e3ec4b93045a0d39504db7d18986

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 f8a5724e6b8de6414778295dec5b3b06
SHA1 d76f390096d68ab4573de951888fa61b28d41fc5
SHA256 f893db16f9eb625ef46cdf63aca6ec9d0d6a0ca7134c58ae8598283b897983ef
SHA512 a232fe88272456d80a7c4bb5561cbb1a678b05d76eccb229203473e79b21e4da2ba53820116faee1ac82989c9e0fddbc32d83b75050c589154153bd2e547e2c7
