Malware Analysis Report

2025-01-03 08:36

Sample ID 240611-cm1zwazfqb
Target b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a
SHA256 b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a
Tags
ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a

Threat Level: Likely malicious

The file b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (3635) files with added filename extension

Renames multiple (5187) files with added filename extension

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 02:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 02:12

Reported

2024-06-11 02:14

Platform

win7-20240508-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe"

Signatures

Renames multiple (3635) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtospdif_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libt140_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\settings.css.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jre7\bin\awt.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libwave_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jre7\lib\security\blacklist.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jre7\bin\glass.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\weather.css.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\net.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Lisbon.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Reunion.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Asuncion.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Samara.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\es-ES\Minesweeper.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\currency.css.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\7-Zip\Lang\mng.txt.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Fortaleza.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe

"C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini.tmp

MD5 75c085d3572b2ff88b2501935d13cebb
SHA1 8758125a329ff6cf5893cb30058278a6eebfd8fe
SHA256 324ed218b4adc31fe6346abcc57838679a22a9b27e261398998392aa82815a38
SHA512 da6ed4e5b4d2259b15e080b136471e1486e1d60b5901e9bc8e332ad68100fcf60213f04c08a9e0562c12511d7a14d221c44270923277983fc0e254e5e63f24cd

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 474fdea90b15b76234ec2cd7bf5173f0
SHA1 4acc62965a0a719d772f5f0b765b24d498312013
SHA256 da4d816bdff6b64f3fbf9fcfa1e3395b3d8095fa51d0e0a79d582ae3c6f55056
SHA512 0c647f698bbf49937c8e80f4583789fd99ff1ebe96e7dd45e389ad8f6e67579889bb0729fada3023716111b35ea4fdfe255f0c6b47445407cfbba064a7e674e8

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 02:12

Reported

2024-06-11 02:14

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe"

Signatures

Renames multiple (5187) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\glib.md.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msotelemetry.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encodings.Web.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\cldr.md.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlSerializer.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.POWERPNT.16.1033.hxn.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_100_percent.pak.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe

"C:\Users\Admin\AppData\Local\Temp\b1af6d26e7e55230331d26ab5c21b3408d15f976dfadd47287e07e30cfb93e1a.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp

MD5 0bc20fad162bafa9aa9899d3b3b818a0
SHA1 5135daa5d5a00cc0de0b1c9de959fc54844a97fa
SHA256 e9a212a97a37b9850638da17fae4a3d0246d72b7844a33fa961ec383ba3789f7
SHA512 0767d31ede0c7cd8366a39369e9483b389a81c37f3a127ca61617822708e9e5a2cb90e9309926f2aebd1f9759b501981516f4745ed0224bde0f16745f3ebc62d

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 01a5e617e32137877e8a781ca53dba30
SHA1 13f1fc3caf9ed91c541b86465d3e3ef74d5cf5b2
SHA256 66df3fb7173b9f71cdfb372b7451427ed0bbc7062552dd7a02cf60bf4fc605f3
SHA512 1dccea5f39a762eeed4e05c6ce1761837ab9190d9a4c4b4f757f6c13373023f11dbc9001b8ef27b4191b02711c200f274a9667301af961cf81e4df718222b21b