Malware Analysis Report

2025-01-22 23:11

Sample ID 241207-j85nhstqcy
Target df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe
SHA256 df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c

Threat Level: Known bad

The file df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload family

Banload

Renames multiple (479) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (198) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-07 08:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-07 08:21

Reported

2024-12-07 08:23

Platform

win7-20240708-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A

Renames multiple (198) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\de.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrespsh.dat.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\bg.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\mn.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\az.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\es.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\ga.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\ku.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\lij.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\fa.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\ca.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\hi.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\yo.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\mng2.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\uz.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\nb.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\nl.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\sq.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\he.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwritash.dat.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\ko.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TreatAs C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TreatAs\ = "{64818D11-4F9B-11CF-86EA-00AA00B929E8}" C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AutoConvertTo C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AutoConvertTo\ = "{64818D11-4F9B-11CF-86EA-00AA00B929E8}" C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PowerPoint.Slide.4" C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe

"C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe"

Network

N/A

Files

memory/2032-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2032-1-0x0000000002F90000-0x000000000319C000-memory.dmp

memory/2032-8-0x0000000002F90000-0x000000000319C000-memory.dmp

memory/2032-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2032-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2032-13-0x0000000002F90000-0x000000000319C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

MD5 29c8c71bb69b4436fbd70030cda8e3c4
SHA1 af9dc3b7b3f6bd3230ba1ff535b1dae05cd2bd2b
SHA256 f2bcafed07723ec34f7008d36fa61babb90da3813e93b4971ad2740ac8ccd8e7
SHA512 c7573b880db9da2ccd8c4c33bad48a488c541ec3435c8b436951315ca0a29edfab3350fb1b146cc3948901d7c56a692556d25ae47e257e73aef9c03e56fa741c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 3c9017fb14c58bc82db5304d1aca3d69
SHA1 feccdb8d883ff60ea45ea5a2d368419a3992e0f4
SHA256 c4c3f444e3cb94a164a6147cc591c1462e0bbb6f5a717a2ce3a759eb618197f5
SHA512 596c091feaad2c83359238cf7436eece4bff27a4acfaad9abb8e44c5d48a981e4d4093f458105aef40e5bd40814b03128b7882f1a1733b50e7bf13c2797ece14

memory/2032-26-0x0000000002F90000-0x000000000319C000-memory.dmp

memory/2032-25-0x0000000002F90000-0x000000000319C000-memory.dmp

memory/2032-35-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2032-39-0x0000000002F90000-0x000000000319C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-07 08:21

Reported

2024-12-07 08:23

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A

Renames multiple (479) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\fy.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\fr.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\pt.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.ja-jp.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\lt.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\Services\verisign.bmp.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\7-zip.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\vi.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\imjplm.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft DocProp Inplace Droplist Combo Control" C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll" C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe

"C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 138.179.15.23.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp

Files

memory/2992-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2992-2-0x0000000004360000-0x000000000456C000-memory.dmp

memory/2992-9-0x0000000004360000-0x000000000456C000-memory.dmp

memory/2992-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2992-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2992-14-0x0000000004360000-0x000000000456C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

MD5 41779652075011666c1384634c5531fb
SHA1 b8a0ee6ccb0a41cca4852c88206c2616d79a23f9
SHA256 631689ccabac4fb7203b94e2bef2cde69ad69d9cfd177ac7df45e40294383832
SHA512 49267b582222cdd616e975ff2864336ba28331bf5bcb00f594fd445de6233383a9bb3dc1e92eb262c45ef54797ba0c8383a8cd91977b31976534eeb7316c1eff

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 8d2c9065febc86437d2ca8f4bad2b799
SHA1 6cb15705c70f0e472aeda1786f7d796090cd1ecb
SHA256 cd31b53e0509d27a3baa8b5103dad9940c95af06f6ff1f994c9aaab55dbd85a5
SHA512 6a6b67ca3b8caf4cfbb8faa1fa2804685652a038d4897fb62a7894584de55d8754f9786994e8f0d9219bc89988840d5393a2dfd34d365a877009de7e36d56c62

memory/2992-39-0x0000000004360000-0x000000000456C000-memory.dmp

memory/2992-38-0x0000000004360000-0x000000000456C000-memory.dmp

memory/2992-96-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2992-110-0x0000000004360000-0x000000000456C000-memory.dmp