Analysis Overview
SHA256
7ce87873e4c97dff6d65e238cec88caff8780ac8edd9d264ce55b33498d27a9a
Threat Level: Shows suspicious behavior
The file AfinionSpace.zip was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Enumerates processes with tasklist
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Event Triggered Execution: Accessibility Features
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Opens file in notepad (likely ransom note)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 11:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 11:39
Reported
2024-11-12 11:57
Platform
win11-20241007-en
Max time kernel
905s
Max time network
777s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ExtractionPart | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\BedsGeneration | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\SpermCommitments | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\NavigateCreator | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\ExtractionPart | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\SpermCommitments | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\TrialsTales | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\NavigateCreator | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\SpermCommitments | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\NavigateCreator | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\TrialsTales | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\TrialsTales | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\BedsGeneration | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\ExtractionPart | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\SpermCommitments | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\NavigateCreator | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\ExtractionPart | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\BedsGeneration | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\TrialsTales | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| File opened for modification | C:\Windows\BedsGeneration | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\CentralArabic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "287309825" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings | C:\Windows\system32\control.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e00718000000000000000000000e1a40ed25739d211a40b0c50205241530000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | C:\Windows\explorer.exe | N/A |
| Key created | \Registry\User\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\NotificationData | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39050000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\explorer.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\osk.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\osk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\control.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\control.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Program Files\7-Zip\7zFM.exe | "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AfinionSpace.zip" |
| C:\Windows\system32\osk.exe | "C:\Windows\system32\osk.exe" |
| C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13 |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004E4 |
| C:\Users\Admin\Desktop\CentralArabic.exe | "C:\Users\Admin\Desktop\CentralArabic.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy Nightmare Nightmare.cmd & Nightmare.cmd |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa opssvc" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 184505 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "InspirationAspectsCPacks" Shades |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E |
| C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | Lolita.pif E |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 5 |
| C:\Windows\system32\control.exe | "C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools |
| C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B} |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding |
| C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /7 |
| C:\Users\Admin\Desktop\CentralArabic.exe | "C:\Users\Admin\Desktop\CentralArabic.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy Nightmare Nightmare.cmd & Nightmare.cmd |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa opssvc" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 184505 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "InspirationAspectsCPacks" Shades |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E |
| C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | Lolita.pif E |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 5 |
| C:\Users\Admin\Desktop\CentralArabic.exe | "C:\Users\Admin\Desktop\CentralArabic.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy Nightmare Nightmare.cmd & Nightmare.cmd |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa opssvc" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 184505 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E |
| C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | Lolita.pif E |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 5 |
| C:\Users\Admin\Desktop\CentralArabic.exe | "C:\Users\Admin\Desktop\CentralArabic.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy Nightmare Nightmare.cmd & Nightmare.cmd |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa opssvc" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 184505 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "InspirationAspectsCPacks" Shades |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E |
| C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | Lolita.pif E |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 5 |
| C:\Windows\system32\osk.exe | "C:\Windows\system32\osk.exe" |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004E4 |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Windows\System32\NOTEPAD.EXE | "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Nightmare.cmd |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nightmare.cmd" " |
| C:\Windows\system32\tasklist.exe | tasklist |
| C:\Windows\system32\findstr.exe | findstr /I "wrsa opssvc" |
| C:\Windows\system32\tasklist.exe | tasklist |
| C:\Windows\system32\findstr.exe | findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" |
| C:\Windows\system32\cmd.exe | cmd /c md 184505 |
| C:\Windows\system32\findstr.exe | findstr /V "InspirationAspectsCPacks" Shades |
| C:\Windows\system32\cmd.exe | cmd /c copy /b ..\Paper + ..\Chris + ..\Craps + ..\Costume + ..\Measure + ..\Inserted + ..\Wishes E |
| C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif | Lolita.pif E |
| C:\Windows\system32\choice.exe | choice /d y /t 5 |
| C:\Windows\System32\6dmwvd.exe | "C:\Windows\System32\6dmwvd.exe" C:\Windows\System32\aadauthhelper.dll C:\Windows\System32\69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll |
| C:\Windows\System32\6dmwvd.exe | "C:\Windows\System32\6dmwvd.exe" |
| C:\Windows\System32\DataExchangeHost.exe | C:\Windows\System32\DataExchangeHost.exe -Embedding |
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.66.74:443 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| GB | 2.18.66.74:443 | | tcp |
| GB | 2.18.66.74:443 | | tcp |
| GB | 92.123.128.132:443 | r.bing.com | tcp |
| GB | 92.123.128.132:443 | r.bing.com | tcp |
| GB | 92.123.128.132:443 | r.bing.com | tcp |
| GB | 92.123.128.132:443 | r.bing.com | tcp |
| GB | 92.123.128.132:443 | r.bing.com | tcp |
| GB | 92.123.128.132:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 92.123.128.157:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.128.123.92.in-addr.arpa | udp |
| US | 104.21.74.183:443 | thawbrekkny.cyou | tcp |
| US | 104.21.52.119:443 | thicktoys.sbs | tcp |
| US | 172.67.150.243:443 | fleez-inc.sbs | tcp |
| US | 172.67.135.173:443 | pull-trucker.sbs | tcp |
| US | 104.21.72.16:443 | 3xc1aimbl0w.sbs | tcp |
| US | 104.21.68.80:443 | bored-light.sbs | tcp |
| US | 8.8.8.8:53 | 16.72.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.68.21.104.in-addr.arpa | udp |
| US | 172.67.138.157:443 | 300snails.sbs | tcp |
| US | 104.21.96.94:443 | faintbl0w.sbs | tcp |
| US | 172.67.144.50:443 | crib-endanger.sbs | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 104.21.82.174:443 | marshal-zhukov.com | tcp |
| GB | 2.18.66.74:443 | | tcp |
| US | 8.8.8.8:53 | oVxopyMtHwhncB.oVxopyMtHwhncB | udp |
| US | 104.21.74.183:443 | thawbrekkny.cyou | tcp |
| US | 104.21.52.119:443 | thicktoys.sbs | tcp |
| US | 172.67.150.243:443 | fleez-inc.sbs | tcp |
| US | 172.67.135.173:443 | pull-trucker.sbs | tcp |
| US | 104.21.72.16:443 | 3xc1aimbl0w.sbs | tcp |
| US | 104.21.68.80:443 | bored-light.sbs | tcp |
| US | 172.67.138.157:443 | 300snails.sbs | tcp |
| US | 104.21.96.94:443 | faintbl0w.sbs | tcp |
| US | 172.67.144.50:443 | crib-endanger.sbs | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 104.21.82.174:443 | marshal-zhukov.com | tcp |
| US | 104.21.74.183:443 | thawbrekkny.cyou | tcp |
| US | 104.21.52.119:443 | thicktoys.sbs | tcp |
| US | 172.67.150.243:443 | fleez-inc.sbs | tcp |
| US | 172.67.135.173:443 | pull-trucker.sbs | tcp |
| US | 104.21.72.16:443 | 3xc1aimbl0w.sbs | tcp |
| US | 104.21.68.80:443 | bored-light.sbs | tcp |
| US | 172.67.138.157:443 | 300snails.sbs | tcp |
| US | 104.21.96.94:443 | faintbl0w.sbs | tcp |
| US | 172.67.144.50:443 | crib-endanger.sbs | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 104.21.82.174:443 | marshal-zhukov.com | tcp |
| US | 104.21.74.183:443 | thawbrekkny.cyou | tcp |
| US | 104.21.52.119:443 | thicktoys.sbs | tcp |
| US | 172.67.150.243:443 | fleez-inc.sbs | tcp |
| US | 172.67.135.173:443 | pull-trucker.sbs | tcp |
| US | 104.21.72.16:443 | 3xc1aimbl0w.sbs | tcp |
| US | 172.67.192.57:443 | bored-light.sbs | tcp |
| US | 172.67.138.157:443 | 300snails.sbs | tcp |
| US | 172.67.176.72:443 | faintbl0w.sbs | tcp |
| US | 172.67.144.50:443 | crib-endanger.sbs | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 104.21.82.174:443 | marshal-zhukov.com | tcp |
| US | 8.8.8.8:53 | 72.176.67.172.in-addr.arpa | udp |
| GB | 2.18.66.74:443 | | tcp |
| GB | 2.18.66.74:443 | | tcp |
| GB | 2.18.66.57:443 | | tcp |
| US | 8.8.8.8:53 | oVxopyMtHwhncB.oVxopyMtHwhncB | udp |
| US | 104.21.74.183:443 | thawbrekkny.cyou | tcp |
| US | 8.8.8.8:53 | thicktoys.sbs | udp |
| US | 104.21.52.119:443 | thicktoys.sbs | tcp |
| US | 8.8.8.8:53 | fleez-inc.sbs | udp |
| US | 172.67.150.243:443 | fleez-inc.sbs | tcp |
| US | 8.8.8.8:53 | pull-trucker.sbs | udp |
| US | 104.21.7.31:443 | pull-trucker.sbs | tcp |
| US | 8.8.8.8:53 | 3xc1aimbl0w.sbs | udp |
| US | 104.21.72.16:443 | 3xc1aimbl0w.sbs | tcp |
| US | 172.67.192.57:443 | bored-light.sbs | tcp |
| US | 172.67.138.157:443 | 300snails.sbs | tcp |
| US | 8.8.8.8:53 | 31.7.21.104.in-addr.arpa | udp |
| US | 172.67.176.72:443 | faintbl0w.sbs | tcp |
| US | 8.8.8.8:53 | crib-endanger.sbs | udp |
| US | 172.67.144.50:443 | crib-endanger.sbs | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | marshal-zhukov.com | udp |
| US | 172.67.160.80:443 | marshal-zhukov.com | tcp |
| US | 8.8.8.8:53 | 80.160.67.172.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\7f141080-da94-4c0f-ad25-abb98d2f0825.down_data
| MD5 | 5683c0028832cae4ef93ca39c8ac5029 |
| SHA1 | 248755e4e1db552e0b6f8651b04ca6d1b31a86fb |
| SHA256 | 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e |
| SHA512 | aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3 |
C:\Users\Admin\AppData\Local\Temp\7zE0FDC8948\jres\doc\lib\images\cursors\win32_LinkNoDrop32x32.gif
| MD5 | 1e9d8f133a442da6b0c74d49bc84a341 |
| SHA1 | 259edc45b4569427e8319895a444f4295d54348f |
| SHA256 | 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b |
| SHA512 | 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37 |
C:\Users\Admin\AppData\Local\Temp\Nightmare
| MD5 | 5be1a61a9f4798c739d6f3cbe7ea5748 |
| SHA1 | 96a5283481a57e9024673bc1b4a7f6bc1ac2a309 |
| SHA256 | 38c37cbb40080d407dd0e5df4184305ae8f1ac2c7647ded22109973ea87bac9c |
| SHA512 | 7af630fd7b49df79d6f0de0fd41966b2727a030c5ef609d69a0d65e4b258d0960d89fe2c33136e639de07e9e45b06369d20c51c9987e4bb86032c80a62bf748a |
C:\Users\Admin\AppData\Local\Temp\Shades
| MD5 | 1233620eece744aa93d7d2371452c880 |
| SHA1 | 5a6bb316a848eabb9503602e3900ba37d6f3a87a |
| SHA256 | 38538e40173ec10489b0a1f715fd8182f772e817600540f6699dc477be142848 |
| SHA512 | 6f007866b1bc16fb124ef2ed4072a97fbf425d8ff78ac3a6d604cd8d70cf30926ce705e940dc5ed0d2233de1a5dea2c489e34c0b5a4596d5d718a19ab5a975d1 |
C:\Users\Admin\AppData\Local\Temp\Suicide
| MD5 | 355b6edb86bd5173634fa844416d3a1a |
| SHA1 | 3ad0d11c5f088d993e4cfde52841d5a42c9821c8 |
| SHA256 | 8fb90ba9f9d9f62a67bf04cd08984f7adffbe5cb49526d58e434353c83048061 |
| SHA512 | b58f923d75685e8461eae408f1be38d96ae40c5f433feb66d70ecf6199a3b1bf21fa1f0fe9454744c7f67d5291a4ff73098c11f9b8d42c278ce55c2a7c2b2c09 |
C:\Users\Admin\AppData\Local\Temp\Chris
| MD5 | 8d45f386a648197a5543532983bc1995 |
| SHA1 | 40be6c5b05f9b917aecad76167489aff164130d4 |
| SHA256 | 8ce56aa0c7745cba7af8d16d468cf4a6f2344d896f2c7086503ad7addd33a765 |
| SHA512 | c288368fd5c0e7d0d84f74af1ae9d7cf8fe02e4c87eea71b6da26644c0809613f46b825caf0f7efb5b32136d3614271c4adba7afd13a78d2e01bdb2e2d187ab7 |
C:\Users\Admin\AppData\Local\Temp\Paper
| MD5 | 59d4bde743d02c60a0daf83ac4244046 |
| SHA1 | 911938158bda8ef5615535e834447cf368d432c3 |
| SHA256 | 2024c4be8a4caf84ae93982adb00f2067029542ffdb46ff8e10c3ce327067b56 |
| SHA512 | 5a9ceeb11212a05a1f4567675d46d3018dc3a22e18bbc4eb07fe4a5b47d3c1f4d1102bd554a277fda6108460968429f6480a4952dd926d9a1418f62b67c6216c |
C:\Users\Admin\AppData\Local\Temp\Craps
| MD5 | 072704f36ed86fc1c3202dc48d8934f8 |
| SHA1 | 5991c1f7a0341e020234b2097ccaaf793eb5359e |
| SHA256 | 3bd377435f6a14d74e00e388a00235509af975c0342a117347895952c8542f1f |
| SHA512 | 2751157140cdfc43c579a2ce07892d5212a9623e409da4326a3db9c7ff115637e59d70e97255c93cf8f0c90d6cd3b18b83823c270f35ef728a18854e5dbd4c23 |
C:\Users\Admin\AppData\Local\Temp\Costume
| MD5 | fbdfd758f036132a599352591e398970 |
| SHA1 | 8b03c69f3eaac10a1f7483582bb48a437470ae01 |
| SHA256 | 9839d8f498cd16e217a83409c3dcff7589d6a5e4d3a3abd0514a0ed178f2c887 |
| SHA512 | 487bac38c911bc866068b8aa0b5d0f97fca14046fc2d3f3a07a66666293def444068e435c5c9b2ebe6f2d98ad05761f3b0410a2f16d43a58bbd97f83eeb248de |
C:\Users\Admin\AppData\Local\Temp\Measure
| MD5 | e0fcd934294f3deb0c21008fb28dfd8d |
| SHA1 | 7098ed2119795de43d29b6e9336713c1642cc7c3 |
| SHA256 | f1e3b977433f07f818cad332035dd395e2c155e7aeef4cfd002918833557586c |
| SHA512 | e617bbb7c92785aed8a3635f61e31d9faf7c924de9e6f2be732929c390186448a06e8df17dccf8c13676b2acdc0bf2d9ce818929ee34140386c2bde812ca5e49 |
C:\Users\Admin\AppData\Local\Temp\Inserted
| MD5 | 3a5bec7bb24a4653ca89dec18a86a76d |
| SHA1 | 2238cb5005af83e4ce98fa2a59acc20fdea1bc30 |
| SHA256 | f751fad6cac01e4337469d5d82f1962af8d1e46dbe5c413de00b65fc35fea785 |
| SHA512 | 831072bdd6eb0c15b7533daab8be4221909188f54bf2b6427a4a91cddaa9a65bd09e1996ac77ec61569e46fe8f36f8148b95a3bd3d165d594ffb336744c12c65 |
C:\Users\Admin\AppData\Local\Temp\Wishes
| MD5 | 75683076ef4c58222df20180f1f4a0e6 |
| SHA1 | 0a56aad3b4b6972d140d68228f1dbd32a82d10ec |
| SHA256 | 125f330f2e8d3c7350519ef01c265b928713d95a2cac2218dd036b4a80d26b49 |
| SHA512 | 0c8c748a62a99b994e9f158b2c755d80a51a5028f6b8a03bfc6f7b6075c179016366b9d3137e04888e658b93ed8c01256f56b42f064c9c6cf1c1d851af39a1fb |
C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
C:\Users\Admin\AppData\Local\Temp\184505\E
| MD5 | 0b7c1007d2058647d271612b92d31979 |
| SHA1 | 75adadc761a879e3b39aae75ad8bfdc5f5181507 |
| SHA256 | 754257fdf6f4c5f3230d7e1220193a9a11bcf886ee0ef7569aadc6bb075180a1 |
| SHA512 | af00b9a9c84ceb548297f7b97c654eb741fc2df71b9cdf8d10cfef52e28f3a6f3decbb89c89d0402148cd9fc6e40be6e65f064921ae6b524787b30530e5c5d19 |
memory/1424-823-0x0000000004DD0000-0x0000000004E29000-memory.dmp
memory/1424-824-0x0000000004DD0000-0x0000000004E29000-memory.dmp
memory/1424-825-0x0000000004DD0000-0x0000000004E29000-memory.dmp
memory/1424-826-0x0000000004DD0000-0x0000000004E29000-memory.dmp
memory/1424-828-0x0000000004DD0000-0x0000000004E29000-memory.dmp
memory/1424-827-0x0000000004DD0000-0x0000000004E29000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | c5d808ccedff4a58af2e05b4fcf2de4c |
| SHA1 | 2adc6d7e7fbcc4e096049acf67e2074b2c035481 |
| SHA256 | e09a280a6a31bea9108d7efe6f87d5deaea5dfd2e1bed9881374fba767e1dfa3 |
| SHA512 | e5a9c684b87515354e4cb5668fe01ba315b10788937cda2e49f37ce39d27b3e0ed24caf2a377a9238aa801e63c635696e9d3991e22c03ade5329357a8d74bb22 |
memory/1316-830-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
memory/1316-832-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
memory/1316-831-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
memory/1316-836-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
memory/1316-842-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
memory/1316-841-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
memory/1316-840-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
memory/1316-839-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
memory/1316-838-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
memory/1316-837-0x000002C4E85B0000-0x000002C4E85B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\184505\Lolita.pif
| MD5 | 4b022009735384c31beb9d149294c70e |
| SHA1 | fe8629594cfd84edef2a69af50ca7af6735e79be |
| SHA256 | 06ceca7b781ffda2bcbd6b15f950cf07d1784567065067a27ceb5d131cc1de58 |
| SHA512 | a2f38937766210386a3855c4015db4e8e30b2718129a87d54704165b07e632257fa09fec0554c9a837a9653e3936b132b06b020bc4a8d674240346d831782d84 |
C:\Users\Admin\AppData\Local\Temp\Suicide
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |