Analysis

  • max time kernel
    905s
  • max time network
    777s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    12/11/2024, 11:39

General

  • Target

    AfinionSpace.zip

  • Size

    32.5MB

  • MD5

    058995d9a15d6573082b6b3d41307874

  • SHA1

    0629e1dcdb071095d749d684a769411996833b57

  • SHA256

    7ce87873e4c97dff6d65e238cec88caff8780ac8edd9d264ce55b33498d27a9a

  • SHA512

    8132e29ce2af7cc97993319e2d998ac83c393ae37eecd8aedaee1ba6a4cdc6583ee12b8dc71c22272b6c7f4fc1dbf4856ec50c30841297d845d7d9f2d2aac7c3

  • SSDEEP

    786432:lQG1UexEkLuBoFO2EF4tp6nRf+68OBqCzRx7C:lQm5DiwsRfz1qgx7C

Malware Config

Signatures

  • Executes dropped EXE 9 IoCs
  • Enumerates processes with tasklist 1 TTPs 10 IoCs
  • Drops file in Windows directory 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

  • System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 39 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs

    Heuristic label: the file opened in this run is C:\Users\Admin\AppData\Local\Temp\Nightmare.cmd, the loader batch script itself, not a ransom note.
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AfinionSpace.zip"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:3568
  • C:\Windows\system32\osk.exe
    "C:\Windows\system32\osk.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:4840
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:3588
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004E4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3088
  • C:\Users\Admin\Desktop\CentralArabic.exe
    "C:\Users\Admin\Desktop\CentralArabic.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Nightmare Nightmare.cmd & Nightmare.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3928
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2860
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:420
      • C:\Windows\SysWOW64\findstr.exe
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1052
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 184505
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5052
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "InspirationAspectsCPacks" Shades
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4600
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4656
      • C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif
        Lolita.pif E
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1424
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4976
  • C:\Windows\system32\control.exe
    "C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:716
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2436
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      2⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1316
  • C:\Users\Admin\Desktop\CentralArabic.exe
    "C:\Users\Admin\Desktop\CentralArabic.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:560
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Nightmare Nightmare.cmd & Nightmare.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4664
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1184
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3256
      • C:\Windows\SysWOW64\findstr.exe
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1620
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 184505
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1280
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "InspirationAspectsCPacks" Shades
        3⤵
        • System Location Discovery: System Language Discovery
        PID:992
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1420
      • C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif
        Lolita.pif E
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:232
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4784
  • C:\Users\Admin\Desktop\CentralArabic.exe
    "C:\Users\Admin\Desktop\CentralArabic.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Nightmare Nightmare.cmd & Nightmare.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2232
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3048
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4644
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4040
      • C:\Windows\SysWOW64\findstr.exe
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3364
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 184505
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2976
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1368
      • C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif
        Lolita.pif E
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SendNotifyMessage
        PID:1604
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5084
  • C:\Users\Admin\Desktop\CentralArabic.exe
    "C:\Users\Admin\Desktop\CentralArabic.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:4624
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Nightmare Nightmare.cmd & Nightmare.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2088
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:648
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3408
      • C:\Windows\SysWOW64\findstr.exe
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2748
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 184505
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1964
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "InspirationAspectsCPacks" Shades
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4900
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1412
      • C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif
        Lolita.pif E
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3508
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1020
  • C:\Windows\system32\osk.exe
    "C:\Windows\system32\osk.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    PID:5004
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004E4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4616
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:752
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Nightmare.cmd
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4892
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nightmare.cmd" "
    1⤵
    PID:4668
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4532
    • C:\Windows\system32\findstr.exe
      findstr /I "wrsa opssvc"
      2⤵
      PID:1656
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2460
    • C:\Windows\system32\findstr.exe
      findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      2⤵
      PID:384
    • C:\Windows\system32\cmd.exe
      cmd /c md 184505
      2⤵
      PID:4000
    • C:\Windows\system32\findstr.exe
      findstr /V "InspirationAspectsCPacks" Shades
      2⤵
      PID:3956
    • C:\Windows\system32\cmd.exe
      cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E
      2⤵
      PID:2932
    • C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif
      Lolita.pif E
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2092
    • C:\Windows\system32\choice.exe
      choice /d y /t 5
      2⤵
      PID:4908
  • C:\Windows\System32\6dmwvd.exe
    "C:\Windows\System32\6dmwvd.exe" C:\Windows\System32\aadauthhelper.dll C:\Windows\System32\69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll
    1⤵
    PID:3412
  • C:\Windows\System32\6dmwvd.exe
    "C:\Windows\System32\6dmwvd.exe"
    1⤵
    PID:3684
  • C:\Windows\System32\DataExchangeHost.exe
    C:\Windows\System32\DataExchangeHost.exe -Embedding
    1⤵
    PID:4316
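The three CentralArabic.exe chains and the manually launched Nightmare.cmd chain above share one staging sequence: cmd.exe copies a dropped file to Nightmare.cmd and runs it; tasklist output is piped to findstr for security-product process names (wrsa, opssvc, avastui, avgui, bdservicehost, nswscsvc, sophoshealth); a working directory 184505 is created; findstr /V strips marker lines from Shades; copy /b concatenates seven chunks into E; Lolita.pif is executed with E as its argument; choice /d y /t 5 is used as a delay. The Python below is an added detection example, not part of this report or of the sample: it walks process-creation records and flags any cmd.exe whose command line shows the self-copy-to-.cmd stage and whose subtree shows at least two further stages. The record fields pid, ppid, image and cmdline are assumptions modelled on Sysmon event 1; the sample records are constructed from the command lines in the Processes section, plus one benign subtree to show that the self-copy alone does not trigger.

```python
"""Added detection example (not from the report): flag the staged batch loader
chain seen in the Processes section over process-creation telemetry.
Record fields pid/ppid/image/cmdline are assumptions modelled on Sysmon EID 1."""
import re
from collections import defaultdict

# Security-product process names probed by the sample's findstr commands.
AV_NAMES = {"wrsa", "opssvc", "avastui", "avgui",
            "bdservicehost", "nswscsvc", "sophoshealth"}

# One regex per visible stage of the loader, applied to command lines.
STAGES = {
    # cmd /c copy X X.cmd & X.cmd
    "self_copy_to_cmd": re.compile(r"\bcopy\s+(\S+)\s+\1\.cmd\b.*&\s*\1\.cmd", re.I),
    # findstr /V "marker" file : drop marker lines to carve an executable
    "marker_strip":     re.compile(r'\bfindstr\s+/V\s+"[^"]+"\s+\S+', re.I),
    # copy /b a + b + ... out : binary concatenation of chunks
    "binary_concat":    re.compile(r"\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+)+\s+\S+", re.I),
    # choice /d y /t N used as a sleep
    "delay_choice":     re.compile(r"\bchoice\s+/d\s+y\s+/t\s+\d+", re.I),
}
# Both spellings of the case-insensitive switch appear in the report.
FINDSTR_ARGS = re.compile(r'\bfindstr\s+(?:/I|-I)\s+"([^"]+)"', re.I)


def _descendants(pid, children):
    out, stack = [], [pid]
    while stack:
        for child in children[stack.pop()]:
            out.append(child)
            stack.append(child["pid"])
    return out


def analyse(events, min_stages=3):
    """Return {pid: sorted stage names} for every process whose command line
    shows the self-copy stage and whose subtree shows >= min_stages in total."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = {}
    for root in events:
        if not STAGES["self_copy_to_cmd"].search(root["cmdline"]):
            continue
        stages = {"self_copy_to_cmd"}
        ran_tasklist = probed_av = False
        for d in _descendants(root["pid"], children):
            image, cl = d["image"].lower(), d["cmdline"]
            ran_tasklist |= image.endswith("\\tasklist.exe")
            m = FINDSTR_ARGS.search(cl)
            probed_av |= bool(m and set(m.group(1).lower().split()) & AV_NAMES)
            if image.endswith(".pif"):
                stages.add("pif_exec")
            for name, pat in STAGES.items():
                if name != "self_copy_to_cmd" and pat.search(cl):
                    stages.add(name)
        # tasklist | findstr "<av names>" only counts when both halves are present
        if ran_tasklist and probed_av:
            stages.add("av_process_probe")
        if len(stages) >= min_stages:
            findings[root["pid"]] = sorted(stages)
    return findings


# Constructed records mirroring the PID 2656 chain in the Processes section,
# plus a benign self-copying script (PID 9001) that must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 2656, "ppid": 1, "image": r"C:\Users\Admin\Desktop\CentralArabic.exe",
     "cmdline": r'"C:\Users\Admin\Desktop\CentralArabic.exe"'},
    {"pid": 4860, "ppid": 2656, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c copy Nightmare Nightmare.cmd & Nightmare.cmd'},
    {"pid": 3928, "ppid": 4860, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 2860, "ppid": 4860, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr /I "wrsa opssvc"'},
    {"pid": 420, "ppid": 4860, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 1052, "ppid": 4860, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"'},
    {"pid": 5052, "ppid": 4860, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c md 184505"},
    {"pid": 4600, "ppid": 4860, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr /V "InspirationAspectsCPacks" Shades'},
    {"pid": 4656, "ppid": 4860, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E"},
    {"pid": 1424, "ppid": 4860, "image": r"C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif",
     "cmdline": "Lolita.pif E"},
    {"pid": 4976, "ppid": 4860, "image": r"C:\Windows\SysWOW64\choice.exe", "cmdline": "choice /d y /t 5"},
    {"pid": 9001, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c copy Setup Setup.cmd & Setup.cmd"},
    {"pid": 9002, "ppid": 9001, "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"},
]

if __name__ == "__main__":
    for pid, stages in analyse(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {', '.join(stages)}")
```

The benign PID 9001 subtree is the reason for the stage threshold: copying a script to a .cmd name and running it is common in installers, and even an adjacent tasklist is not enough on its own; it is the combination with the security-product name probe, marker stripping, binary concatenation and a .pif launched from %TEMP% that is specific to this loader.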

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize 28KB
    MD5 c5d808ccedff4a58af2e05b4fcf2de4c
    SHA1 2adc6d7e7fbcc4e096049acf67e2074b2c035481
    SHA256 e09a280a6a31bea9108d7efe6f87d5deaea5dfd2e1bed9881374fba767e1dfa3
    SHA512 e5a9c684b87515354e4cb5668fe01ba315b10788937cda2e49f37ce39d27b3e0ed24caf2a377a9238aa801e63c635696e9d3991e22c03ade5329357a8d74bb22
  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\7f141080-da94-4c0f-ad25-abb98d2f0825.down_data
    Filesize 555KB
    MD5 5683c0028832cae4ef93ca39c8ac5029
    SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
    SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
    SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
  • C:\Users\Admin\AppData\Local\Temp\184505\E
    Filesize 460KB
    MD5 0b7c1007d2058647d271612b92d31979
    SHA1 75adadc761a879e3b39aae75ad8bfdc5f5181507
    SHA256 754257fdf6f4c5f3230d7e1220193a9a11bcf886ee0ef7569aadc6bb075180a1
    SHA512 af00b9a9c84ceb548297f7b97c654eb741fc2df71b9cdf8d10cfef52e28f3a6f3decbb89c89d0402148cd9fc6e40be6e65f064921ae6b524787b30530e5c5d19
  • C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif
    Filesize 11KB
    MD5 4b022009735384c31beb9d149294c70e
    SHA1 fe8629594cfd84edef2a69af50ca7af6735e79be
    SHA256 06ceca7b781ffda2bcbd6b15f950cf07d1784567065067a27ceb5d131cc1de58
    SHA512 a2f38937766210386a3855c4015db4e8e30b2718129a87d54704165b07e632257fa09fec0554c9a837a9653e3936b132b06b020bc4a8d674240346d831782d84
  • C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif
    Filesize 921KB
    MD5 78ba0653a340bac5ff152b21a83626cc
    SHA1 b12da9cb5d024555405040e65ad89d16ae749502
    SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
    SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
  • C:\Users\Admin\AppData\Local\Temp\7zE0FDC8948\jres\doc\lib\images\cursors\win32_LinkNoDrop32x32.gif
    Filesize 153B
    MD5 1e9d8f133a442da6b0c74d49bc84a341
    SHA1 259edc45b4569427e8319895a444f4295d54348f
    SHA256 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
    SHA512 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37
  • C:\Users\Admin\AppData\Local\Temp\Chris
    Filesize 66KB
    MD5 8d45f386a648197a5543532983bc1995
    SHA1 40be6c5b05f9b917aecad76167489aff164130d4
    SHA256 8ce56aa0c7745cba7af8d16d468cf4a6f2344d896f2c7086503ad7addd33a765
    SHA512 c288368fd5c0e7d0d84f74af1ae9d7cf8fe02e4c87eea71b6da26644c0809613f46b825caf0f7efb5b32136d3614271c4adba7afd13a78d2e01bdb2e2d187ab7
  • C:\Users\Admin\AppData\Local\Temp\Costume
    Filesize 75KB
    MD5 fbdfd758f036132a599352591e398970
    SHA1 8b03c69f3eaac10a1f7483582bb48a437470ae01
    SHA256 9839d8f498cd16e217a83409c3dcff7589d6a5e4d3a3abd0514a0ed178f2c887
    SHA512 487bac38c911bc866068b8aa0b5d0f97fca14046fc2d3f3a07a66666293def444068e435c5c9b2ebe6f2d98ad05761f3b0410a2f16d43a58bbd97f83eeb248de
  • C:\Users\Admin\AppData\Local\Temp\Craps
    Filesize 79KB
    MD5 072704f36ed86fc1c3202dc48d8934f8
    SHA1 5991c1f7a0341e020234b2097ccaaf793eb5359e
    SHA256 3bd377435f6a14d74e00e388a00235509af975c0342a117347895952c8542f1f
    SHA512 2751157140cdfc43c579a2ce07892d5212a9623e409da4326a3db9c7ff115637e59d70e97255c93cf8f0c90d6cd3b18b83823c270f35ef728a18854e5dbd4c23
  • C:\Users\Admin\AppData\Local\Temp\Inserted
    Filesize 52KB
    MD5 3a5bec7bb24a4653ca89dec18a86a76d
    SHA1 2238cb5005af83e4ce98fa2a59acc20fdea1bc30
    SHA256 f751fad6cac01e4337469d5d82f1962af8d1e46dbe5c413de00b65fc35fea785
    SHA512 831072bdd6eb0c15b7533daab8be4221909188f54bf2b6427a4a91cddaa9a65bd09e1996ac77ec61569e46fe8f36f8148b95a3bd3d165d594ffb336744c12c65
  • C:\Users\Admin\AppData\Local\Temp\Measure
    Filesize 84KB
    MD5 e0fcd934294f3deb0c21008fb28dfd8d
    SHA1 7098ed2119795de43d29b6e9336713c1642cc7c3
    SHA256 f1e3b977433f07f818cad332035dd395e2c155e7aeef4cfd002918833557586c
    SHA512 e617bbb7c92785aed8a3635f61e31d9faf7c924de9e6f2be732929c390186448a06e8df17dccf8c13676b2acdc0bf2d9ce818929ee34140386c2bde812ca5e49
  • C:\Users\Admin\AppData\Local\Temp\Nightmare
    Filesize 14KB
    MD5 5be1a61a9f4798c739d6f3cbe7ea5748
    SHA1 96a5283481a57e9024673bc1b4a7f6bc1ac2a309
    SHA256 38c37cbb40080d407dd0e5df4184305ae8f1ac2c7647ded22109973ea87bac9c
    SHA512 7af630fd7b49df79d6f0de0fd41966b2727a030c5ef609d69a0d65e4b258d0960d89fe2c33136e639de07e9e45b06369d20c51c9987e4bb86032c80a62bf748a
  • C:\Users\Admin\AppData\Local\Temp\Paper
    Filesize 61KB
    MD5 59d4bde743d02c60a0daf83ac4244046
    SHA1 911938158bda8ef5615535e834447cf368d432c3
    SHA256 2024c4be8a4caf84ae93982adb00f2067029542ffdb46ff8e10c3ce327067b56
    SHA512 5a9ceeb11212a05a1f4567675d46d3018dc3a22e18bbc4eb07fe4a5b47d3c1f4d1102bd554a277fda6108460968429f6480a4952dd926d9a1418f62b67c6216c
  • C:\Users\Admin\AppData\Local\Temp\Shades
    Filesize 11KB
    MD5 1233620eece744aa93d7d2371452c880
    SHA1 5a6bb316a848eabb9503602e3900ba37d6f3a87a
    SHA256 38538e40173ec10489b0a1f715fd8182f772e817600540f6699dc477be142848
    SHA512 6f007866b1bc16fb124ef2ed4072a97fbf425d8ff78ac3a6d604cd8d70cf30926ce705e940dc5ed0d2233de1a5dea2c489e34c0b5a4596d5d718a19ab5a975d1
  • C:\Users\Admin\AppData\Local\Temp\Suicide
    Filesize 910KB
    MD5 355b6edb86bd5173634fa844416d3a1a
    SHA1 3ad0d11c5f088d993e4cfde52841d5a42c9821c8
    SHA256 8fb90ba9f9d9f62a67bf04cd08984f7adffbe5cb49526d58e434353c83048061
    SHA512 b58f923d75685e8461eae408f1be38d96ae40c5f433feb66d70ecf6199a3b1bf21fa1f0fe9454744c7f67d5291a4ff73098c11f9b8d42c278ce55c2a7c2b2c09
  • C:\Users\Admin\AppData\Local\Temp\Wishes
    Filesize 43KB
    MD5 75683076ef4c58222df20180f1f4a0e6
    SHA1 0a56aad3b4b6972d140d68228f1dbd32a82d10ec
    SHA256 125f330f2e8d3c7350519ef01c265b928713d95a2cac2218dd036b4a80d26b49
    SHA512 0c8c748a62a99b994e9f158b2c755d80a51a5028f6b8a03bfc6f7b6075c179016366b9d3137e04888e658b93ed8c01256f56b42f064c9c6cf1c1d851af39a1fb
  • memory/1316-836-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
    Filesize 4KB
  • memory/1316-840-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
    Filesize 4KB
  • memory/1316-837-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
    Filesize 4KB
  • memory/1316-838-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
    Filesize 4KB
  • memory/1316-830-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
    Filesize 4KB
  • memory/1316-832-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
    Filesize 4KB
  • memory/1316-831-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
    Filesize 4KB
  • memory/1316-839-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
    Filesize 4KB
  • memory/1316-842-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
    Filesize 4KB
  • memory/1316-841-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
    Filesize 4KB
  • memory/1424-828-0x0000000004DD0000-0x0000000004E29000-memory.dmp
    Filesize 356KB
  • memory/1424-825-0x0000000004DD0000-0x0000000004E29000-memory.dmp
    Filesize 356KB
  • memory/1424-826-0x0000000004DD0000-0x0000000004E29000-memory.dmp
    Filesize 356KB
  • memory/1424-827-0x0000000004DD0000-0x0000000004E29000-memory.dmp
    Filesize 356KB
  • memory/1424-824-0x0000000004DD0000-0x0000000004E29000-memory.dmp
    Filesize 356KB
  • memory/1424-823-0x0000000004DD0000-0x0000000004E29000-memory.dmp
    Filesize 356KB
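The chunk sizes listed above (Paper 61KB, Chris 66KB, Craps 79KB, Costume 75KB, Measure 84KB, Inserted 52KB, Wishes 43KB) sum to 460KB, the listed size of 184505\E, and Shades (11KB) matches the 11KB Lolita.pif, which is consistent with the copy /b and findstr /V commands in the Processes section. That findstr's output is redirected into 184505\Lolita.pif is an assumption, since cmd.exe handles the redirection and it does not appear in the recorded command line; the 921KB Lolita.pif is not accounted for by any visible command. The Python below is an added example, not code from the report or the sample: it reproduces both carving steps offline so the reassembled artefacts can be hashed and compared with the values listed here. Its demo data is constructed and those hashes are not the report's; point reassemble() at a directory holding the real dropped files to obtain comparable digests. Splitting on LF is an approximation of findstr's line handling and is also an assumption.

```python
"""Added example (not from the report): reproduce the two file-carving steps of
Nightmare.cmd offline and hash the results for comparison with the Downloads
list. The demo data is constructed; its hashes are not the report's."""
import hashlib
import os
import tempfile

# Chunk order taken from the copy /b command line in the Processes section.
CHUNK_ORDER = ["Paper", "Chris", "Craps", "Costume", "Measure", "Inserted", "Wishes"]
MARKER = b"InspirationAspectsCPacks"   # the findstr /V argument in the report
STAGE_DIR = "184505"                    # created by 'cmd /c md 184505'


def strip_marker_lines(src, dst, marker=MARKER):
    """Equivalent of: findstr /V "marker" src > dst
    Every line containing the marker is dropped; all other lines are written
    unchanged. Splitting on LF approximates findstr's line handling (assumption)."""
    with open(src, "rb") as f, open(dst, "wb") as out:
        for line in f:
            if marker not in line:
                out.write(line)
    return dst


def concat_chunks(root, out_path, order=CHUNK_ORDER):
    """Equivalent of: copy /b ..\Paper + ..\Chris + ... + ..\Wishes E
    Byte-wise concatenation in the order given on the command line."""
    with open(out_path, "wb") as out:
        for name in order:
            with open(os.path.join(root, name), "rb") as f:
                out.write(f.read())
    return out_path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def reassemble(root):
    """root holds the dropped files (Shades, Paper, Chris, ...). Returns
    {"E": sha256, "Lolita.pif": sha256} for the artefacts carved into root/184505.
    Redirecting findstr's output into Lolita.pif is an assumption (see lead-in)."""
    stage = os.path.join(root, STAGE_DIR)
    os.makedirs(stage, exist_ok=True)
    e_path = concat_chunks(root, os.path.join(stage, "E"))
    pif_path = strip_marker_lines(os.path.join(root, "Shades"),
                                  os.path.join(stage, "Lolita.pif"))
    return {"E": sha256_of(e_path), "Lolita.pif": sha256_of(pif_path)}


def demo():
    """Constructed input: seven 16-byte chunks and a 'Shades' whose marker lines
    are interleaved with two payload lines. Returns (hashes from reassemble(),
    hashes expected from the bytes themselves)."""
    chunks = [bytes([0x41 + i]) * 16 for i in range(len(CHUNK_ORDER))]
    keep = [b"MZ\x90\x00\r\n", b"carved payload\r\n"]
    shades = keep[0] + MARKER + b" junk 1\r\n" + keep[1] + MARKER + b" junk 2\r\n"
    with tempfile.TemporaryDirectory() as root:
        for name, data in zip(CHUNK_ORDER, chunks):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        with open(os.path.join(root, "Shades"), "wb") as f:
            f.write(shades)
        got = reassemble(root)
    want = {"E": hashlib.sha256(b"".join(chunks)).hexdigest(),
            "Lolita.pif": hashlib.sha256(b"".join(keep)).hexdigest()}
    return got, want


if __name__ == "__main__":
    import sys
    # Usage: python reassemble.py <directory with the dropped files>; no argument runs the demo.
    if len(sys.argv) > 1:
        for name, digest in reassemble(sys.argv[1]).items():
            print(f"{name}: {digest}")
    else:
        got, want = demo()
        print("demo OK" if got == want else "demo MISMATCH", got)
```

If the SHA256 of the reassembled E matches 754257fdf6f4c5f3230d7e1220193a9a11bcf886ee0ef7569aadc6bb075180a1 and Lolita.pif matches 06ceca7b781ffda2bcbd6b15f950cf07d1784567065067a27ceb5d131cc1de58, the carving has been reproduced exactly and the two files can be analysed without re-running the sample; a mismatch on Lolita.pif most likely means findstr's line semantics differ from the LF split used here.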