Malware Analysis Report

2025-01-22 23:08

Sample ID: 241219-g6l3aasmaz
Target: 89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe
SHA256: 89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8f
Tags: banload discovery downloader dropper evasion ransomware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8f
Threat Level: Known bad

The file 89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe was found to be: Known bad.

Malicious Activity Summary

Tags: banload discovery downloader dropper evasion ransomware trojan

The family verdict deserves a caveat. "Banload" names a long-running family of downloaders for Brazilian banking trojans, and the trojan, dropper and downloader tags are inherited from that signature hit. What the two detonations actually record is encryption-style impact: hundreds of files renamed with an added extension, .tmp copies written next to files under Program Files, anti-VM and locale checks, and, in the Windows 7 run, no network traffic at all. Triage this as ransomware first and treat the downloader label as unconfirmed until the family signature is reviewed against the sample itself.

Banload

Banload family

Renames multiple (223) files with added filename extension

Renames multiple (703) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Mapping reconstructed from the signature names in this report (which follow ATT&CK naming); the original matrix table is not present in this copy:

T1497.001 Virtualization/Sandbox Evasion: System Checks: opens HARDWARE\ACPI\DSDT\VBOX__, queries SystemBiosVersion and SystemBiosDate
T1082 System Information Discovery: the same BIOS registry queries
T1614.001 System Location Discovery: System Language Discovery: opens SYSTEM\ControlSet001\Control\NLS\Language
T1486 Data Encrypted for Impact: 223 (Windows 7) and 703 (Windows 10) files renamed with an added extension, .tmp copies written under Program Files
T1112 Modify Registry: CLSID tree created under SOFTWARE\Classes\Wow6432Node

Analysis: static1

Detonation Overview

Reported: 2024-12-19 06:25

Signatures

Unsigned PE: the executable carries no Authenticode signature. No indicator rows (Description, Indicator, Process and Target are all N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-19 06:25
Reported: 2024-12-19 06:27
Platform: win7-20240708-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe"

Signatures

Banload
Tags: trojan dropper downloader banload

Banload family
Tags: banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags: evasion

Description Indicator (Process: C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe; Target: N/A)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

The subkey under HARDWARE\ACPI\DSDT is named after the DSDT table's OEM ID, and VBOX__ is VirtualBox's, so a successful open of this key is a direct hypervisor fingerprint; a hardened guest has to present a different OEM ID here, not just patched DMI strings.

Renames multiple (223) files with added filename extension
Tags: ransomware

No indicator rows are listed for this signature; the count is the sandbox's tally of rename operations, and the extension the sample appends is not recorded in this report.
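How a signature of the kind above ("Renames multiple (N) files with added filename extension") can be computed from a file-event stream, as an added example that is not part of this report or of the sandbox's own code. The event format, the file names, the benign PID 1234 and the appended ".enc" extension are constructed for the demo (the report does not name the extension the sample appends; PID 2916 is the sample's PID from the memory dump names below). The write-to-.tmp-then-rename staging sequence is an assumption drawn from the .tmp creations listed under Program Files, since the report shows the creations but not the renames.

```python
"""Rename-burst heuristic behind a sandbox signature such as
"Renames multiple (N) files with added filename extension".
Added example; event format, PIDs, file names and the ".enc" extension are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import ntpath


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    pid: int
    op: str                       # "create" or "rename"
    path: str                     # path created, or old path for a rename
    new_path: Optional[str] = None


def added_extension(old: str, new: str) -> Optional[str]:
    """Suffix appended to `old` to form `new` (e.g. ".enc"), or None.

    Same directory and the whole old file name kept as a prefix: that is what
    "renamed with added filename extension" means, as opposed to a plain rename
    or a move to another directory.
    """
    if ntpath.dirname(old).lower() != ntpath.dirname(new).lower():
        return None
    old_name, new_name = ntpath.basename(old), ntpath.basename(new)
    if len(new_name) <= len(old_name) or not new_name.lower().startswith(old_name.lower()):
        return None
    suffix = new_name[len(old_name):]
    return suffix if suffix.startswith(".") else None


def rename_bursts(events: List[FileEvent], threshold: int = 20,
                  window: timedelta = timedelta(seconds=60)) -> Dict[int, dict]:
    """Flag PIDs that perform >= `threshold` added-extension renames inside any
    sliding `window`. Also counts renamed originals for which the same PID first
    created "<name>.tmp" (write-to-temp-then-rename staging; an assumption about
    this sample, the report lists the .tmp creations only)."""
    renames: Dict[int, List[tuple]] = defaultdict(list)
    tmp_seen: Dict[int, set] = defaultdict(set)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "create" and ev.path.lower().endswith(".tmp"):
            tmp_seen[ev.pid].add(ev.path[:-4].lower())
        elif ev.op == "rename" and ev.new_path:
            ext = added_extension(ev.path, ev.new_path)
            if ext:
                renames[ev.pid].append((ev.ts, ext, ev.path.lower()))

    findings: Dict[int, dict] = {}
    for pid, rows in renames.items():
        peak, start = 0, 0
        for end in range(len(rows)):          # sliding window over sorted timestamps
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[pid] = {
                "count": len(rows),
                "peak_in_window": peak,
                "extensions": Counter(ext for _, ext, _ in rows),
                "staged_via_tmp": sum(1 for _, _, p in rows if p in tmp_seen[pid]),
            }
    return findings


def sample_events() -> List[FileEvent]:
    """Constructed stream: PID 2916 stages and renames 30 files in 15 s;
    PID 1234 is a benign backup tool making a handful of .bak copies."""
    t0 = datetime(2024, 12, 19, 6, 25, 0)
    events: List[FileEvent] = []
    for i in range(30):
        f = rf"C:\Program Files\7-Zip\Lang\file{i:02d}.txt"
        events.append(FileEvent(t0 + timedelta(milliseconds=500 * i), 2916, "create", f + ".tmp"))
        events.append(FileEvent(t0 + timedelta(milliseconds=500 * i + 100), 2916, "rename", f, f + ".enc"))
    for i in range(3):
        f = rf"C:\Users\Admin\Documents\report{i}.docx"
        events.append(FileEvent(t0 + timedelta(seconds=i), 1234, "rename", f, f + ".bak"))
    # a move into another directory is not an "added extension" rename
    events.append(FileEvent(t0, 1234, "rename", r"C:\Users\Admin\Documents\a.txt",
                            r"C:\Users\Admin\Backup\a.txt.bak"))
    return events


if __name__ == "__main__":
    for pid, finding in rename_bursts(sample_events()).items():
        print(pid, finding)
```

The threshold and window are the two knobs that separate an encryptor from a backup tool or an installer; the sandbox counts (223 and 703 inside a 120 s kernel window) sit far above any threshold a legitimate process would reach, and the dominant-extension counter is what gives you the appended extension when the report, as here, does not name it.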

Checks BIOS information in registry

Description Indicator (Process: C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe; Target: N/A)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
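The two anti-VM checks recorded in this run (the ACPI DSDT VBOX__ key opened, SystemBiosVersion and SystemBiosDate queried), written as an added example a sandbox operator can run inside a guest to confirm those artefacts are masked. This is not the sample's code: the Registry abstraction, the DictRegistry snapshots of a stock VirtualBox guest and of a hardened one are constructed here, and the "VBOX" substring and "06/23/99" BIOS date are the stock VirtualBox values that pafish-style checks look for.

```python
"""VirtualBox registry fingerprints matching this report's indicator rows.
Added example; the registry abstraction and both guest snapshots are constructed.
"""
from typing import Dict, Iterable, List, Optional, Protocol, Union

RegValue = Union[str, List[str]]   # SystemBiosVersion is REG_MULTI_SZ, SystemBiosDate REG_SZ


class Registry(Protocol):
    def key_exists(self, path: str) -> bool: ...
    def query(self, path: str, name: str) -> Optional[RegValue]: ...


class DictRegistry:
    """Offline HKLM stand-in: {key path: {value name: value}}; a key with no values is {}."""
    def __init__(self, keys: Dict[str, Dict[str, RegValue]]):
        self._keys = {k.lower(): v for k, v in keys.items()}

    def key_exists(self, path: str) -> bool:
        return path.lower() in self._keys

    def query(self, path: str, name: str) -> Optional[RegValue]:
        return self._keys.get(path.lower(), {}).get(name)


class WinRegistry:
    """Live HKLM through the standard winreg module (Windows only, imported lazily)."""
    def __init__(self):
        import winreg
        self._w = winreg

    def key_exists(self, path: str) -> bool:
        try:
            self._w.CloseKey(self._w.OpenKey(self._w.HKEY_LOCAL_MACHINE, path))
            return True
        except OSError:
            return False

    def query(self, path: str, name: str) -> Optional[RegValue]:
        try:
            with self._w.OpenKey(self._w.HKEY_LOCAL_MACHINE, path) as key:
                return self._w.QueryValueEx(key, name)[0]
        except OSError:
            return None


def _contains(value: Optional[RegValue], needle: str) -> bool:
    parts: Iterable[str] = value if isinstance(value, list) else [value or ""]
    return any(needle in p.upper() for p in parts)


def virtualbox_indicators(reg: Registry) -> List[str]:
    """Names of the checks that fire; each mirrors one indicator row in the report:
    key opened HARDWARE\\ACPI\\DSDT\\VBOX__, values queried SystemBiosVersion and
    SystemBiosDate under HARDWARE\\DESCRIPTION\\System."""
    hits: List[str] = []
    if reg.key_exists(r"HARDWARE\ACPI\DSDT\VBOX__"):
        hits.append("acpi_dsdt_vbox")
    sysdesc = r"HARDWARE\DESCRIPTION\System"
    if _contains(reg.query(sysdesc, "SystemBiosVersion"), "VBOX"):
        hits.append("bios_version_vbox")
    if reg.query(sysdesc, "SystemBiosDate") == "06/23/99":     # VirtualBox's stock BIOS date
        hits.append("bios_date_vbox")
    return hits


# Constructed snapshots: an unmasked VirtualBox guest, and a hardened guest whose
# DSDT OEM ID and DMI strings were replaced (hypothetical vendor values).
VBOX_GUEST = DictRegistry({
    r"HARDWARE\ACPI\DSDT\VBOX__": {},
    r"HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["VBOX   - 1"],
        "SystemBiosDate": "06/23/99",
    },
})
HARDENED_GUEST = DictRegistry({
    r"HARDWARE\ACPI\DSDT\DELL__": {},
    r"HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["DELL   - 1072009", "1.2.3"],
        "SystemBiosDate": "03/14/19",
    },
})

if __name__ == "__main__":
    print("unmasked:", virtualbox_indicators(VBOX_GUEST))
    print("hardened:", virtualbox_indicators(HARDENED_GUEST))
    try:
        print("this host:", virtualbox_indicators(WinRegistry()))
    except ImportError:
        print("this host: not Windows, live check skipped")
```

Detection caveat for the endpoint side: Sysmon records key creation, deletion and value writes (events 12, 13, 14) but not key opens or value reads, so the VBOX__ open and the two BIOS queries in this report are only visible with a registry SACL plus object-access auditing (events 4656/4663) or an EDR that exposes registry-read telemetry.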

Drops file in Program Files directory

Every row is Description: File created; Process: C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe; Target: N/A. All 64 paths end in .tmp and carry the name of an existing file under C:\Program Files, consistent with an encryptor that writes its output to a temporary file beside the original. Paths created:

C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui.tmp
C:\Program Files\Common Files\System\ado\msado25.tlb.tmp
C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\hwrespsh.dat.tmp
C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg.tmp
C:\Program Files\Common Files\System\msadc\handler.reg.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.tmp
C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp
C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.tmp
C:\Program Files\7-Zip\Lang\fy.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll.tmp
C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp
C:\Program Files\7-Zip\Lang\kk.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp
C:\Program Files\Common Files\System\ado\msado26.tlb.tmp
C:\Program Files\7-Zip\Lang\ar.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui.tmp
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui.tmp
C:\Program Files\7-Zip\7zFM.exe.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp
C:\Program Files\7-Zip\7z.exe.tmp
C:\Program Files\7-Zip\Lang\eo.txt.tmp
C:\Program Files\7-Zip\Lang\fi.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp
C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp
C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp
C:\Program Files\Common Files\System\msadc\msadco.dll.tmp
C:\Program Files\7-Zip\History.txt.tmp
C:\Program Files\7-Zip\readme.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml.tmp
C:\Program Files\Common Files\System\msadc\ja-JP\msadcfr.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui.tmp
C:\Program Files\Common Files\System\ado\msader15.dll.tmp
C:\Program Files\7-Zip\Lang\ms.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp
C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui.tmp
C:\Program Files\7-Zip\descript.ion.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mshwLatin.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg.tmp
C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp
C:\Program Files\7-Zip\Lang\fur.txt.tmp

System Location Discovery: System Language Discovery
Tags: discovery

Description Indicator (Process: C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe; Target: N/A)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Modifies registry class

Description Indicator (Process: C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe; Target: N/A)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Equation 2.0"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AutoConvertTo
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AutoConvertTo\ = "{0002CE02-0000-0000-C000-000000000046}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\NotInsertable
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Equation.2"

The AutoConvertTo target {0002CE02-0000-0000-C000-000000000046} is the CLSID of Equation Editor 3.0 (ProgID Equation.3), so this tree registers an "Equation 2.0" class that auto-converts to Equation Editor 3.0. The same {5ADD62E2-4A23-86F4-8704-0C62BF6886E2} tree is written in the Windows 10 run with a different target, and OLE class registration of this shape is also written by legitimate installers, so check a clean snapshot of the same image before using the CLSID as an indicator on its own.

Processes

C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe (PID 2916, per the memory dump names below)

"C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe"

Network

N/A: no DNS requests or connections were recorded in the 121 s network window of this run.

Files

Memory dumps of PID 2916 (name format: pid-snapshot-start-end).

Mapped image, 0x00400000-0x00616000 (0x216000 bytes):
memory/2916-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2916-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2916-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2916-43-0x0000000000400000-0x0000000000616000-memory.dmp

Second region, 0x02F00000-0x0310C000 (0x20C000 bytes):
memory/2916-1-0x0000000002F00000-0x000000000310C000-memory.dmp
memory/2916-8-0x0000000002F00000-0x000000000310C000-memory.dmp
memory/2916-13-0x0000000002F00000-0x000000000310C000-memory.dmp
memory/2916-25-0x0000000002F00000-0x000000000310C000-memory.dmp
memory/2916-49-0x0000000002F00000-0x000000000310C000-memory.dmp

The second region is almost the size of the mapped image and was re-dumped as the run progressed, the usual shape of an unpacked or rebuilt copy of the executable; diff it against the image dump before spending time on the on-disk binary.

Dropped files (both follow the same <name>.tmp pattern as the Program Files list above):

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp
MD5 57c5753a38d64f9c9aa71da2467faa00
SHA1 f6c768061fdabf3e6bbdfbdf97cd5a3874df4440
SHA256 385f75bf54e66673e7053bf4fc01957c0eea1f52ca26bb7973af4dac6868dcfc
SHA512 14feeca511edfedc1e315f0ef8e8e32981a82a9a7e6aec66de236b993af511b0dad481e593c41a22a6f21ca8b884a66796e708f07f0da645d0e5df1187081279

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
MD5 ae97e8e7be63c1610acb04a01579ea7d
SHA1 56748460ca036efb3ceade4043cf69978d538216
SHA256 a1651b1dd98fbe8276150bb4cb4f36b5e200acadf1f70516294f9bdf1c09582b
SHA512 1082b0e07b69b3fe83140059c2ad7524445de9fc304d894aaa7328db1a35bda910734a734454e6b73e36afb5aae1b6c5469d3b75c353ca4b8f1d6a7f8c1b7784

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-19 06:25
Reported: 2024-12-19 06:27
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe"

Signatures

Banload
Tags: trojan dropper downloader banload

Banload family
Tags: banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags: evasion

Description Indicator (Process: C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe; Target: N/A)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Renames multiple (703) files with added filename extension
Tags: ransomware

No indicator rows are listed; the higher count than the Windows 7 run reflects the larger file set on the Windows 10 image (the .NET runtime and ClickToRun directories below), not a different behaviour.

Checks BIOS information in registry

Description Indicator (Process: C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe; Target: N/A)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\pt.txt.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mshwjpnr.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.Local.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Requests.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.DispatchProxy.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\CompareUndo.tiff.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\7-Zip\Lang\vi.txt.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\7-Zip\Lang\va.txt.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\AddUnblock.7z.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\Crashpad\settings.dat.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll.tmp C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
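
The rows above are the raw material behind the "Renames multiple files with added filename extension" signatures: one process writing `<original name>.tmp` next to hundreds of files across unrelated Program Files directories. The script below is an added example, not part of the report or of the sandbox's own signature logic. It parses rows in the report's "File created <path> <process> N/A" layout and applies a comparable heuristic: count, per process, files whose name already had an extension before the trailing one was appended, and flag the process once that count crosses a threshold. The sample rows are constructed (copied from the report with the sample's long process path shortened to `sample.exe`, plus one benign control row), and the threshold of 5 and the helper names are this example's own choices.

```python
"""Flag a process that appends one extension to many already-named files.

Added example for reading sandbox "File created" rows; not the sandbox's own
signature code. Row format assumed: "File created <target> <process> N/A".
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample: six rows from the report (process path shortened to
# sample.exe) plus one benign control row from a different process.
SAMPLE_ROWS = r"""
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\7-Zip\Lang\va.txt.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\AddUnblock.7z.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Crashpad\settings.dat.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\config.ini.bak C:\Windows\System32\notepad.exe N/A
"""

ROW_RE = re.compile(r"^File created (?P<rest>.+) N/A$")


def parse_row(line):
    """Return (target_path, process_path) for one row, or None if it does not match.

    Both paths may contain spaces, so the split is on the last " C:\\" in the
    row rather than on whitespace.
    """
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    target, sep, proc = m.group("rest").rpartition(" C:\\")
    if not sep:
        return None
    return target, "C:\\" + proc


def appended_extension(path):
    """Return the trailing suffix if the file name already had one before it.

    "createdump.exe.tmp" -> ".tmp"; "notes.txt" -> None (nothing was appended).
    """
    suffixes = PureWindowsPath(path).suffixes
    if len(suffixes) >= 2:
        return suffixes[-1].lower()
    return None


def analyze(rows, threshold=5):
    """Per process: most common appended extension, its count, distinct directories touched, flag."""
    per_proc = defaultdict(lambda: {"appended": Counter(), "dirs": set()})
    for line in rows.splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        target, proc = parsed
        ext = appended_extension(target)
        if ext is None:
            continue
        per_proc[proc]["appended"][ext] += 1
        per_proc[proc]["dirs"].add(str(PureWindowsPath(target).parent))

    result = {}
    for proc, stats in per_proc.items():
        ext, count = stats["appended"].most_common(1)[0]
        result[proc] = {
            "extension": ext,
            "count": count,
            "directories": len(stats["dirs"]),
            "flagged": count >= threshold,
        }
    return result


if __name__ == "__main__":
    for proc, stats in analyze(SAMPLE_ROWS).items():
        print(proc, stats)
```

Counting distinct parent directories alongside the raw file count is what separates this pattern from an installer or updater, which also writes `.tmp` files but stays inside its own tree; the sample here touches dotnet, Common Files, 7-Zip and Crashpad directories with the same appended extension.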

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AutoConvertTo C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TreatAs\ = "{64818D11-4F9B-11CF-86EA-00AA00B929E8}" C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AutoConvertTo\ = "{64818D11-4F9B-11CF-86EA-00AA00B929E8}" C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable\ C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PowerPoint.Slide.4" C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TreatAs C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe

"C:\Users\Admin\AppData\Local\Temp\89eef529153c95944a83b90eef7ead1489d9298a5acd2e37c98c5a9640657e8fN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 155.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
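
Every Domain entry in the table above is an `in-addr.arpa` name, so what the sandbox captured is a set of reverse (PTR) lookups sent to 8.8.8.8, and the page records no connection to the hosts those names map to. The script below is an added example, not part of the report, that recovers the queried IPv4 addresses by reversing the octets, so the nine rows can be checked against threat intelligence or an allow-list. The network rows are copied from the report as constructed input; the helper names are this example's own.

```python
"""Decode in-addr.arpa PTR query names from a sandbox network table back to IPv4 addresses.

Added example; not the sandbox's own code. Row format assumed:
"<country> <destination:port> <domain> <proto>", as in the report's Network table.
"""
import ipaddress

# Constructed input: the nine rows of the report's Network table, header included.
NETWORK_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 155.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """Turn "d.c.b.a.in-addr.arpa" into "a.b.c.d"; raise ValueError for anything else."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse name: {name}")
    # IPv4Address validates each octet (0-255) and rejects junk labels.
    return str(ipaddress.IPv4Address(".".join(reversed(labels[:-2]))))


def decode_rows(rows):
    """Return [(destination, ptr_name, ip)] for every data row; header and blanks are skipped."""
    out = []
    for line in rows.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        _country, destination, domain, _proto = parts
        if not domain.endswith(".in-addr.arpa"):
            continue  # a forward lookup; nothing to reverse
        out.append((destination, domain, ptr_to_ip(domain)))
    return out


if __name__ == "__main__":
    for destination, ptr_name, ip in decode_rows(NETWORK_ROWS):
        print(f"{ptr_name:40} -> {ip:16} (resolver {destination})")
```

A PTR query only proves that something in the guest asked a resolver who owns an address; attributing it to the sample rather than to the OS or sandbox background traffic needs a process-attributed packet capture, which this table does not provide.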

Files

memory/2328-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2328-2-0x00000000044A0000-0x00000000046AC000-memory.dmp

memory/2328-9-0x00000000044A0000-0x00000000046AC000-memory.dmp

memory/2328-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2328-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2328-14-0x00000000044A0000-0x00000000046AC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini.tmp

MD5 578437ddf93f0facf514659577f8c828
SHA1 3be99b3a198293a558ae4d096510feb21aeb5034
SHA256 904eb3180dbfb26ab7292144167e74173bffffb9b6c1a54e77529a796f5fb3ca
SHA512 23f1d67dc4bc8cb143f3f3bc828d18d7430c091b2863372462049669711859d6f0884f37b1ee8f6d84e7d2da39a0dc8b69b22af09dad016555050f7168188f92

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 1a2d374b020d2c88d84ed5019926f2f7
SHA1 a123ec0b795d72e4bad8cd2d6f5cf8c4d9876275
SHA256 ec95de6d0d2cbfa8e698dcd30ecba194c029093c08dd35e917fcec0b62891ae7
SHA512 045b5a84fdccc1bf2d996bca89192e4e53d633c2f6bfade3dff32aed79e09c741d83ab237a42b8dac9ea212d85353e7c53d4900e789d68faf062919cbaf9738f

memory/2328-53-0x00000000044A0000-0x00000000046AC000-memory.dmp

memory/2328-52-0x00000000044A0000-0x00000000046AC000-memory.dmp

memory/2328-162-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2328-182-0x00000000044A0000-0x00000000046AC000-memory.dmp