quasar | 29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5

General

Target

29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5.exe
Size

615KB
MD5

76869ef841f2820d0bbadddc46fc3c9a
SHA1

e827d9b426e4ef75f31e6e9d81f47e70da3ac3a2
SHA256

29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5
SHA512

582047f529fae9eacf9b4c762904b21c1d430d219e77b9bc65730e89c00be5f666a452f95cd1b0af067480eb9abd4446bf9431aa4afe2a4f68ad8226d1c11995
SSDEEP

6144:QYhWwTVvvVDzRW1BHH3g1NWT+AKYEM+gW4SmSMX0zCVsVwX+v456/bT8GoaEKwae:dhHTVXFRW1ZpK2bNV0CgwuX8GmkAh

Score

10^/10

quasar venomrat rat evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

RAT

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_It9SqdFDNndEItXfKp

Attributes

encryption_key
txgQXKaATimN7DY8jnPH
install_name
Windows Defender Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Microsoft

Signatures

Contains code to disable Windows Defender 9 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows Defender Security.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe	disable_win_def
behavioral1/memory/892-60-0x0000000000CA0000-0x0000000000D2C000-memory.dmp	disable_win_def
\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe	disable_win_def
behavioral1/memory/472-67-0x0000000000FB0000-0x000000000103C000-memory.dmp	disable_win_def
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

Windows Defender Security.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Windows Defender Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Windows Defender Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Windows Defender Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Windows Defender Security.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 9 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows Defender Security.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe	family_quasar
behavioral1/memory/892-60-0x0000000000CA0000-0x0000000000D2C000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe	family_quasar
behavioral1/memory/472-67-0x0000000000FB0000-0x000000000103C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 3 IoCs

Processes:

Windows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exe

pid process

892 Windows Defender Security.exe
472 Windows Defender Security.exe
1716 Windows Defender Security.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1472 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5.exeWindows Defender Security.exe

pid process

2020 29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5.exe
892 Windows Defender Security.exe

pid	process
892	Windows Defender Security.exe
472	Windows Defender Security.exe
1716	Windows Defender Security.exe

pid	process
1472	cmd.exe

pid	process
2020	29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5.exe
892	Windows Defender Security.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Windows Defender Security.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	Windows Defender Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Windows Defender Security.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1788 schtasks.exe
864 schtasks.exe

flow	ioc
1	ip-api.com

pid	process
1788	schtasks.exe
864	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Windows Defender Security.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Windows Defender Security.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Windows Defender Security.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1620 PING.EXE

pid	process
1620	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeWindows Defender Security.exe

pid	process
1664	powershell.exe
892	Windows Defender Security.exe
892	Windows Defender Security.exe
892	Windows Defender Security.exe
892	Windows Defender Security.exe
892	Windows Defender Security.exe
892	Windows Defender Security.exe
892	Windows Defender Security.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Windows Defender Security.exepowershell.exeWindows Defender Security.exe

description	pid	process
Token: SeDebugPrivilege	892	Windows Defender Security.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	472	Windows Defender Security.exe
Token: SeDebugPrivilege	472	Windows Defender Security.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Defender Security.exe

pid process

472 Windows Defender Security.exe

pid	process
472	Windows Defender Security.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5.exeWindows Defender Security.exeWindows Defender Security.execmd.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 892	2020	29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5.exe	Windows Defender Security.exe
PID 2020 wrote to memory of 892	2020	29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5.exe	Windows Defender Security.exe
PID 2020 wrote to memory of 892	2020	29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5.exe	Windows Defender Security.exe
PID 2020 wrote to memory of 892	2020	29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5.exe	Windows Defender Security.exe
PID 892 wrote to memory of 1788	892	Windows Defender Security.exe	schtasks.exe
PID 892 wrote to memory of 1788	892	Windows Defender Security.exe	schtasks.exe
PID 892 wrote to memory of 1788	892	Windows Defender Security.exe	schtasks.exe
PID 892 wrote to memory of 1788	892	Windows Defender Security.exe	schtasks.exe
PID 892 wrote to memory of 472	892	Windows Defender Security.exe	Windows Defender Security.exe
PID 892 wrote to memory of 472	892	Windows Defender Security.exe	Windows Defender Security.exe
PID 892 wrote to memory of 472	892	Windows Defender Security.exe	Windows Defender Security.exe
PID 892 wrote to memory of 472	892	Windows Defender Security.exe	Windows Defender Security.exe
PID 892 wrote to memory of 1664	892	Windows Defender Security.exe	powershell.exe
PID 892 wrote to memory of 1664	892	Windows Defender Security.exe	powershell.exe
PID 892 wrote to memory of 1664	892	Windows Defender Security.exe	powershell.exe
PID 892 wrote to memory of 1664	892	Windows Defender Security.exe	powershell.exe
PID 472 wrote to memory of 864	472	Windows Defender Security.exe	schtasks.exe
PID 472 wrote to memory of 864	472	Windows Defender Security.exe	schtasks.exe
PID 472 wrote to memory of 864	472	Windows Defender Security.exe	schtasks.exe
PID 472 wrote to memory of 864	472	Windows Defender Security.exe	schtasks.exe
PID 892 wrote to memory of 1524	892	Windows Defender Security.exe	cmd.exe
PID 892 wrote to memory of 1524	892	Windows Defender Security.exe	cmd.exe
PID 892 wrote to memory of 1524	892	Windows Defender Security.exe	cmd.exe
PID 892 wrote to memory of 1524	892	Windows Defender Security.exe	cmd.exe
PID 1524 wrote to memory of 1472	1524	cmd.exe	cmd.exe
PID 1524 wrote to memory of 1472	1524	cmd.exe	cmd.exe
PID 1524 wrote to memory of 1472	1524	cmd.exe	cmd.exe
PID 1524 wrote to memory of 1472	1524	cmd.exe	cmd.exe
PID 892 wrote to memory of 988	892	Windows Defender Security.exe	cmd.exe
PID 892 wrote to memory of 988	892	Windows Defender Security.exe	cmd.exe
PID 892 wrote to memory of 988	892	Windows Defender Security.exe	cmd.exe
PID 892 wrote to memory of 988	892	Windows Defender Security.exe	cmd.exe
PID 988 wrote to memory of 1700	988	cmd.exe	chcp.com
PID 988 wrote to memory of 1700	988	cmd.exe	chcp.com
PID 988 wrote to memory of 1700	988	cmd.exe	chcp.com
PID 988 wrote to memory of 1700	988	cmd.exe	chcp.com
PID 988 wrote to memory of 1620	988	cmd.exe	PING.EXE
PID 988 wrote to memory of 1620	988	cmd.exe	PING.EXE
PID 988 wrote to memory of 1620	988	cmd.exe	PING.EXE
PID 988 wrote to memory of 1620	988	cmd.exe	PING.EXE
PID 988 wrote to memory of 1716	988	cmd.exe	Windows Defender Security.exe
PID 988 wrote to memory of 1716	988	cmd.exe	Windows Defender Security.exe
PID 988 wrote to memory of 1716	988	cmd.exe	Windows Defender Security.exe
PID 988 wrote to memory of 1716	988	cmd.exe	Windows Defender Security.exe

C:\Users\Admin\AppData\Local\Temp\29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5.exe
"C:\Users\Admin\AppData\Local\Temp\29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1788

C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
4⤵
- Deletes itself
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9irOw3yCWRRg.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1700

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1620

C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"
4⤵
- Executes dropped EXE
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9irOw3yCWRRg.bat
Filesize
219B

MD5
33f95c0680fbbd64aa2ddcb50eeda69d

SHA1
11c36fcfd2736f7d955b44491f54429afb78b977

SHA256
8f94c9e366aed3ed7c9c765c241162d35d3ecab01e4e9b4a76e5de91f9a0edd2

SHA512
4e3ab4719c419186a3c7cf73ee9d3baeb84228ed6107c2ad79542429f06ea478eb4728669c7f4aaadf8b8e41994ef88b2def848f8c89d51a4fe6f016f3d6e64f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe
Filesize
535KB

MD5
0bd3018c9c566328497be54c7d882159

SHA1
8d90c23ee373ab935ba930f25c96374762c4a5a6

SHA256
026971c3fba531247627dd9f3f7d51c566d8df28a52332bd3d0eb8ca55d96176

SHA512
90cfde84ae14de5151c4950b8f8fe05d108a9716f3e0c104e2793a9c8bbb6a4385fe24a1bd9bc020cd061a128bb258ef44ef8679ac4b0e8a280107b22ed9e8cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe
Filesize
535KB

MD5
0bd3018c9c566328497be54c7d882159

SHA1
8d90c23ee373ab935ba930f25c96374762c4a5a6

SHA256
026971c3fba531247627dd9f3f7d51c566d8df28a52332bd3d0eb8ca55d96176

SHA512
90cfde84ae14de5151c4950b8f8fe05d108a9716f3e0c104e2793a9c8bbb6a4385fe24a1bd9bc020cd061a128bb258ef44ef8679ac4b0e8a280107b22ed9e8cc

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
Filesize
535KB

MD5
0bd3018c9c566328497be54c7d882159

SHA1
8d90c23ee373ab935ba930f25c96374762c4a5a6

SHA256
026971c3fba531247627dd9f3f7d51c566d8df28a52332bd3d0eb8ca55d96176

SHA512
90cfde84ae14de5151c4950b8f8fe05d108a9716f3e0c104e2793a9c8bbb6a4385fe24a1bd9bc020cd061a128bb258ef44ef8679ac4b0e8a280107b22ed9e8cc

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
Filesize
535KB

MD5
0bd3018c9c566328497be54c7d882159

SHA1
8d90c23ee373ab935ba930f25c96374762c4a5a6

SHA256
026971c3fba531247627dd9f3f7d51c566d8df28a52332bd3d0eb8ca55d96176

SHA512
90cfde84ae14de5151c4950b8f8fe05d108a9716f3e0c104e2793a9c8bbb6a4385fe24a1bd9bc020cd061a128bb258ef44ef8679ac4b0e8a280107b22ed9e8cc

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
Filesize
535KB

MD5
0bd3018c9c566328497be54c7d882159

SHA1
8d90c23ee373ab935ba930f25c96374762c4a5a6

SHA256
026971c3fba531247627dd9f3f7d51c566d8df28a52332bd3d0eb8ca55d96176

SHA512
90cfde84ae14de5151c4950b8f8fe05d108a9716f3e0c104e2793a9c8bbb6a4385fe24a1bd9bc020cd061a128bb258ef44ef8679ac4b0e8a280107b22ed9e8cc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe
Filesize
535KB

MD5
0bd3018c9c566328497be54c7d882159

SHA1
8d90c23ee373ab935ba930f25c96374762c4a5a6

SHA256
026971c3fba531247627dd9f3f7d51c566d8df28a52332bd3d0eb8ca55d96176

SHA512
90cfde84ae14de5151c4950b8f8fe05d108a9716f3e0c104e2793a9c8bbb6a4385fe24a1bd9bc020cd061a128bb258ef44ef8679ac4b0e8a280107b22ed9e8cc

Download Submit
\Users\Admin\AppData\Roaming\Windows Defender Security.exe
Filesize
535KB

MD5
0bd3018c9c566328497be54c7d882159

SHA1
8d90c23ee373ab935ba930f25c96374762c4a5a6

SHA256
026971c3fba531247627dd9f3f7d51c566d8df28a52332bd3d0eb8ca55d96176

SHA512
90cfde84ae14de5151c4950b8f8fe05d108a9716f3e0c104e2793a9c8bbb6a4385fe24a1bd9bc020cd061a128bb258ef44ef8679ac4b0e8a280107b22ed9e8cc

Download Submit
memory/472-67-0x0000000000FB0000-0x000000000103C000-memory.dmp

Filesize
560KB

Download
memory/472-64-0x0000000000000000-mapping.dmp

Download
memory/864-72-0x0000000000000000-mapping.dmp

Download
memory/892-60-0x0000000000CA0000-0x0000000000D2C000-memory.dmp

Filesize
560KB

Download
memory/892-56-0x0000000000000000-mapping.dmp

Download
memory/988-75-0x0000000000000000-mapping.dmp

Download
memory/1472-74-0x0000000000000000-mapping.dmp

Download
memory/1524-73-0x0000000000000000-mapping.dmp

Download
memory/1620-78-0x0000000000000000-mapping.dmp

Download
memory/1664-69-0x0000000000000000-mapping.dmp

Download
memory/1664-71-0x000000006EC70000-0x000000006F21B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-77-0x0000000000000000-mapping.dmp

Download
memory/1716-79-0x0000000000000000-mapping.dmp

Download
memory/1788-62-0x0000000000000000-mapping.dmp

Download
memory/2020-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/2020-59-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads