Analysis

  • max time kernel
    98s
  • max time network
    102s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64 · arch:x86 · image:win11-20241007-en · locale:en-us · os:windows11-21h2-x64 · system
  • submitted
    29-12-2024 16:23

General

  • Target

    OhioTax.exe

  • Size

    356KB

  • MD5

    c7b696a87ebd99919eb5ad685c38e565

  • SHA1

    b405dc2e87089b0294debdcaeb445a09d3bc2247

  • SHA256

    608ffc0b1e989e29b454389a9807e3721c075a2334d7d51765b5adad589fa0ef

  • SHA512

    94e1711f62755e1a838d4c03530111054bd4a5b58b47660d2fc46fe059e1e7997dc6d5042afd8d3273e64d6fd258f0fc3ffd6120308a96fc09a9c0b79973e80e

  • SSDEEP

    6144:URq9gVZ8CMci9haFy43XbyvtDAwz4e/VE/YbFwrSMiinNzP4U:U7SZciTaw4Hbyhz4uVEgbFQzPx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\read_it.txt

Ransom Note
Don't worry, you can return all your files!
All your files like documents, photos, databases and other important are encrypted
What guarantees do we give to you?
You can send 3 of your encrypted files and we decrypt it for free.
You must follow these steps To decrypt your files :
1) Write on our e-mail :[email protected] ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected])
2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\OhioTax.exe
    "C:\Users\Admin\AppData\Local\Temp\OhioTax.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3724
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:3384
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2192
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1852
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2820
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3748
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1120
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:3824
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:6764
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4652
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:412
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:1516
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:1792
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:6972
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
      1⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Windows\SysWOW64\unregmp2.exe
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1240
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          3⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          PID:4444
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
      1⤵
      • Drops file in Windows directory
      PID:2692
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\StopSubmit.xhtml
      1⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcf7433cb8,0x7ffcf7433cc8,0x7ffcf7433cd8
        2⤵
          PID:640
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,590203993732381923,15654321359810268779,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
          2⤵
            PID:4244
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,590203993732381923,15654321359810268779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1828
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,590203993732381923,15654321359810268779,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
            2⤵
              PID:3600
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,590203993732381923,15654321359810268779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
              2⤵
                PID:5180
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,590203993732381923,15654321359810268779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
                2⤵
                  PID:5196
                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,590203993732381923,15654321359810268779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3752
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:1036
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:1756
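The Signatures section above lists the recovery-inhibition behaviours (shadow-copy deletion, bcdedit changes, backup-catalog deletion) and the process tree shows the exact command lines the dropped `svchost.exe` copy ran under `cmd.exe /C`. The block below is an added example, not part of this report or of any sandbox vendor's code: it runs detection logic for that chain over a handful of constructed process-creation events. The events use Sysmon Event ID 1 field names (`Image`, `CommandLine`, `ProcessId`, `ParentProcessId`), the image paths, command lines and PIDs are copied from the tree above, and the two parent PIDs that the tree does not show (1 for the submitted sample, 700 for the real service host) are made up. Each hit is attributed to the top of its observed ancestry so that the five separate commands collapse into one finding against the sample, and the legitimate `svchost.exe` under System32 is included as a control that must not fire.

```python
"""Detect the Inhibit System Recovery (ATT&CK T1490) command chain and the
svchost.exe masquerade seen in this report, over Sysmon-style process events."""
import re

# Constructed sample events: fields follow Sysmon Event ID 1, values follow the
# process tree in the report. ParentProcessId 1 and 700 are assumptions.
SAMPLE_EVENTS = [
    {"ProcessId": 4040, "ParentProcessId": 1, "Image": r"C:\Users\Admin\AppData\Local\Temp\OhioTax.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\OhioTax.exe"'},
    {"ProcessId": 2164, "ParentProcessId": 4040, "Image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    {"ProcessId": 3724, "ParentProcessId": 2164, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'},
    {"ProcessId": 3384, "ParentProcessId": 3724, "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ProcessId": 2192, "ParentProcessId": 3724, "Image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"ProcessId": 1852, "ParentProcessId": 2164, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'},
    {"ProcessId": 2820, "ParentProcessId": 1852, "Image": r"C:\Windows\system32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ProcessId": 3748, "ParentProcessId": 1852, "Image": r"C:\Windows\system32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"ProcessId": 1120, "ParentProcessId": 2164, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'},
    {"ProcessId": 3824, "ParentProcessId": 1120, "Image": r"C:\Windows\system32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    # Benign control: the genuine service host from the same report, which must not fire.
    {"ProcessId": 2692, "ParentProcessId": 700, "Image": r"C:\Windows\system32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost"},
]

# T1490 patterns: case-insensitive and whitespace-tolerant, optional ".exe", so
# re-quoting or casing tricks in a cmd.exe /C wrapper do not evade them.
RECOVERY_INHIBIT_RULES = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_recovery_off": re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "bcdedit_ignore_failures": re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
}

# The only directories a legitimate svchost.exe is loaded from (T1036.005 check).
SVCHOST_LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def match_recovery_inhibit(command_line: str) -> list:
    """Names of the T1490 rules this command line triggers; a cmd.exe /C
    wrapper that chains several commands legitimately matches several."""
    return [name for name, rx in RECOVERY_INHIBIT_RULES.items() if rx.search(command_line)]


def is_masquerading_svchost(image: str) -> bool:
    """True when a file named svchost.exe runs from outside the Windows system directories."""
    low = image.lower()
    return low.endswith("\\svchost.exe") and not low.startswith(SVCHOST_LEGIT_DIRS)


def root_ancestor(pid: int, by_pid: dict, limit: int = 32) -> dict:
    """Walk ParentProcessId upward until the parent is not among the observed
    events; the limit guards against PID reuse producing a cycle."""
    cur = by_pid[pid]
    for _ in range(limit):
        parent = by_pid.get(cur["ParentProcessId"])
        if parent is None:
            break
        cur = parent
    return cur


def detect(events: list) -> dict:
    """Group every hit under the top of its observed process lineage.
    Returns {root_pid: {"image": root image, "rules": set of rule names,
    "masquerading": [offending image paths]}}."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = {}
    for e in events:
        hits = match_recovery_inhibit(e["CommandLine"])
        masq = is_masquerading_svchost(e["Image"])
        if not hits and not masq:
            continue
        root = root_ancestor(e["ProcessId"], by_pid)
        f = findings.setdefault(root["ProcessId"], {"image": root["Image"], "rules": set(), "masquerading": []})
        f["rules"].update(hits)
        if masq:
            f["masquerading"].append(e["Image"])
    return findings


def verdict(finding: dict) -> str:
    """Two distinct recovery-inhibition techniques under one root, or one plus a
    masquerading binary, is treated as ransomware-like; a single hit is only suspicious."""
    if len(finding["rules"]) >= 2 or (finding["rules"] and finding["masquerading"]):
        return "ransomware-like"
    return "suspicious"


if __name__ == "__main__":
    for pid, f in detect(SAMPLE_EVENTS).items():
        print(pid, f["image"], verdict(f), sorted(f["rules"]), f["masquerading"])
```

Running it yields a single finding rooted at PID 4040 (`OhioTax.exe`) with all five rules and the Roaming `svchost.exe` listed as masquerading, and nothing for the genuine `svchost.exe -k LocalServiceAndNoImpersonation`. The ancestry walk is what turns ten noisy events into one alert; a rule that fires per command line is still worth keeping, since the intermediate `cmd.exe /C` wrapper is often the only event that survives when child processes are short-lived.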

MITRE ATT&CK Enterprise v15

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OhioTax.exe.log

                    Filesize

                    1KB

                    MD5

                    b4e91d2e5f40d5e2586a86cf3bb4df24

                    SHA1

                    31920b3a41aa4400d4a0230a7622848789b38672

                    SHA256

                    5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

                    SHA512

                    968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                    Filesize

                    152B

                    MD5

                    c03d23a8155753f5a936bd7195e475bc

                    SHA1

                    cdf47f410a3ec000e84be83a3216b54331679d63

                    SHA256

                    6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

                    SHA512

                    6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                    Filesize

                    152B

                    MD5

                    3d68c7edc2a288ee58e6629398bb9f7c

                    SHA1

                    6c1909dea9321c55cae38b8f16bd9d67822e2e51

                    SHA256

                    dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

                    SHA512

                    0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                    Filesize

                    5KB

                    MD5

                    3312421114b90a8c545dcb013bca9cb5

                    SHA1

                    ccfa34c912550987bc32c16520ef2b0325f97c15

                    SHA256

                    d9268c8497311349211149a07462ae15150c0944a8eb9d610d3b9c5de3d226fe

                    SHA512

                    09cb4224fb5d7a296e1342e0066596ad58b99c6c7a7206bdc198e3ec46c623be5c525858697b0d900e754530d819d6cd07e43241a08d4f3dd7d6487297153fa4

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                    Filesize

                    5KB

                    MD5

                    c4f680fdb10cbb9bce2e26694ada4895

                    SHA1

                    b680347625785ba35f634852ee14d15d1218554c

                    SHA256

                    e46b3203b508dd7b4e59a91f9d7e7ee984e053ced15052f744ce93958a08553d

                    SHA512

                    793d29fcf766a18de2c99f62e4b1d7edcb2de58cc382248917bc74e52310e184ba8857c5eb00a98c00397f919c08fd9553c7c628c8f223e4c93a0375f99d9e29

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                    Filesize

                    16B

                    MD5

                    6752a1d65b201c13b62ea44016eb221f

                    SHA1

                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                    SHA256

                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                    SHA512

                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                    Filesize

                    10KB

                    MD5

                    35bce4d84309de5464b490aedf14bff9

                    SHA1

                    9339b1e0a6c959802907b7b1450919efa4668498

                    SHA256

                    878733205df14c35c34cb5acb936988dfced8d71605fcfc829dc91e5d93dc6c6

                    SHA512

                    2c68da41585965d888dfc0d3d946145534bce0e1b05db0b0bad055cf0a6bb18a38e649167a54a344d6c2937da9329a113d38d7ac59721c07a6ddce0b5c324f07

                  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

                    Filesize

                    256KB

                    MD5

                    f0a455f6fdbec5bc0b33073270b27142

                    SHA1

                    a67e2940242db9acd02dd68bec71351027b370aa

                    SHA256

                    b7a5768a56a14fa1408a508b247abf669de6781fd36db5406d166dc73a184814

                    SHA512

                    8ddd3f7eea483e45ca10bf7ca33e7f9df5e04ccdbcaa3e65f2566cbe280ee416bb89b4fb1abcc81a71efc751affe001859883ac6c732687e2ab3589860bb7220

                  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

                    Filesize

                    1024KB

                    MD5

                    012bd7d04f5eea466bd970f5822522a6

                    SHA1

                    a1c2537d0c39c68ea3b54350684ff33c3625238a

                    SHA256

                    761b1667b88e70dee5d0c6fdd1d031ff027f4aa10668a9f64d361f8bf69c2ffc

                    SHA512

                    fbb8a620f0fadea64630b02d06878bdb17ff55d93e418476b6c402739f946b8a3de96450803e80ed11cab7abf299806ad1617c14d4126aed48f2993801bc155d

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

                    Filesize

                    498B

                    MD5

                    90be2701c8112bebc6bd58a7de19846e

                    SHA1

                    a95be407036982392e2e684fb9ff6602ecad6f1e

                    SHA256

                    644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

                    SHA512

                    d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

                    Filesize

                    9KB

                    MD5

                    7050d5ae8acfbe560fa11073fef8185d

                    SHA1

                    5bc38e77ff06785fe0aec5a345c4ccd15752560e

                    SHA256

                    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

                    SHA512

                    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

                  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

                    Filesize

                    10KB

                    MD5

                    d6d3499e5dfe058db4af5745e6885661

                    SHA1

                    ef47b148302484d5ab98320962d62565f88fcc18

                    SHA256

                    7ec1b67f891fb646b49853d91170fafc67ff2918befd877dcc8515212be560f6

                    SHA512

                    ad1646c13f98e6915e51bfba9207b81f6d1d174a1437f9c1e1c935b7676451ff73a694323ff61fa72ec87b7824ce9380423533599e30d889b689e2e13887045f

                  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log

                    Filesize

                    1KB

                    MD5

                    d6b4fd81eca394083d3effdf5197836c

                    SHA1

                    daabc522d49f26abce2d246af375ceff4ce3b4f3

                    SHA256

                    d517aed70cacad75d61bafc5a0bbd56f81faf02b0fc248198bc3e87d9b16a21b

                    SHA512

                    72a8f4898465d375c573ca6d823a903caf0f4713e4f0ee656ec93e51e41956fc1482ced22cc47db58080774caf230d222b4a88e02a06fb8f5051e718d19becda

                  • C:\Users\Admin\AppData\Local\read_it.txt

                    Filesize

                    582B

                    MD5

                    ed5cc52876db869de48a4783069c2a5e

                    SHA1

                    a9d51ceaeff715ace430f9462ab2ee4e7f33e70e

                    SHA256

                    45726f2f29967ef016f8d556fb6468a577307d67388cc4530295a9ca10fdfa36

                    SHA512

                    1745aefb9b4db4cdd7c08ee3a7d133db08f35a336fd18b598211519b481ef25ac84a3e8a3da3db06caef9f531288d1cf0ca8d4b2560637945e7953e8b45421f5

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

                    Filesize

                    1KB

                    MD5

                    05df2a2332c86634f51ab5ecde9dc436

                    SHA1

                    5e52bdf91a896cab0ca50b55f2720114d331dc64

                    SHA256

                    46ba8e8dba5defe3fe95b57b06bd57575085110983f7969c8a3911789308f43c

                    SHA512

                    d7a4e49d88ac12666a30f16192c848a6acb4f677ae3ffcc696242db2c21c0b5b06943b62de5f2bd95e7411c6fea2703bc91e6f321ae49a359dfa13832010e0c9

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

                    Filesize

                    3KB

                    MD5

                    55c8e5cb167b319b7a785d3aca0bd48d

                    SHA1

                    c76d4f2dc8b2f04008847a51369a89164589cc9d

                    SHA256

                    27ff0885706b0d9b0c4fed989fea1625bee7c46defa28a39fc968e4228b5b0e3

                    SHA512

                    af03b3e68993781250f3168bfc8aeae2110ae4bd3d534a93a9b2e8e032c61c64f8529e818767aa2f08f5b484f483cb6c0dc4ffb7670853187bead24957a601ee

                  • C:\Users\Admin\AppData\Roaming\svchost.exe

                    Filesize

                    356KB

                    MD5

                    c7b696a87ebd99919eb5ad685c38e565

                    SHA1

                    b405dc2e87089b0294debdcaeb445a09d3bc2247

                    SHA256

                    608ffc0b1e989e29b454389a9807e3721c075a2334d7d51765b5adad589fa0ef

                    SHA512

                    94e1711f62755e1a838d4c03530111054bd4a5b58b47660d2fc46fe059e1e7997dc6d5042afd8d3273e64d6fd258f0fc3ffd6120308a96fc09a9c0b79973e80e

                  • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools.lnk

                    Filesize

                    1B

                    MD5

                    d1457b72c3fb323a2671125aef3eab5d

                    SHA1

                    5bab61eb53176449e25c2c82f172b82cb13ffb9d

                    SHA256

                    8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

                    SHA512

                    ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

                  • memory/2164-16-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/2164-1199-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/4040-15-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/4040-2-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/4040-1-0x00000000004B0000-0x0000000000510000-memory.dmp

                    Filesize

                    384KB

                  • memory/4040-0-0x00007FFCFBEF3000-0x00007FFCFBEF5000-memory.dmp

                    Filesize

                    8KB

                  • memory/4408-1234-0x0000000006E50000-0x0000000006E60000-memory.dmp

                    Filesize

                    64KB

                  • memory/4408-1242-0x000000000A050000-0x000000000A060000-memory.dmp

                    Filesize

                    64KB

                  • memory/4408-1241-0x000000000A050000-0x000000000A060000-memory.dmp

                    Filesize

                    64KB

                  • memory/4408-1236-0x000000000A050000-0x000000000A060000-memory.dmp

                    Filesize

                    64KB

                  • memory/4408-1237-0x000000000A050000-0x000000000A060000-memory.dmp

                    Filesize

                    64KB

                  • memory/4408-1240-0x000000000A050000-0x000000000A060000-memory.dmp

                    Filesize

                    64KB

                  • memory/4408-1239-0x000000000A050000-0x000000000A060000-memory.dmp

                    Filesize

                    64KB

                  • memory/4408-1238-0x000000000A050000-0x000000000A060000-memory.dmp

                    Filesize

                    64KB

                  • memory/4408-1235-0x000000000A050000-0x000000000A060000-memory.dmp

                    Filesize

                    64KB