quasar | d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc

Analysis

max time kernel
130s
max time network
146s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
Size

655KB
MD5

c6b8dff8c0e4204c318dc7e349d5f531
SHA1

af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3
SHA256

d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc
SHA512

6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f
SSDEEP

12288:QNlD5ZS/1WEJOAqRSEM3Sy21LVbK89elrrJ56m:QKIDAEQSy2TbKuKN

Score

10^/10

quasar venomrat ajith evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

ajith

23.105.131.178:7812

Mutex

VNM_MUTEX_NdVd2sPSSqFdo7I35g

Attributes

encryption_key
jyerms3KOWmt3C9DBFuq
install_name
Windows Defender Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 7 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1036-60-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1036-61-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1036-62-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1036-63-0x0000000000486C4E-mapping.dmp	disable_win_def
behavioral1/memory/1036-65-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1036-67-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1676-83-0x0000000000486C4E-mapping.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/memory/1036-60-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1036-61-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1036-62-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1036-63-0x0000000000486C4E-mapping.dmp	family_quasar
behavioral1/memory/1036-65-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1036-67-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1676-83-0x0000000000486C4E-mapping.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 2 IoCs

pid	Process
632	Windows Defender Security.exe
1676	Windows Defender Security.exe

Loads dropped DLL 1 IoCs

pid	Process
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1340 set thread context of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	27
PID 632 set thread context of 1676	632	Windows Defender Security.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1096	schtasks.exe
1436	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
564	powershell.exe
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	1676	Windows Defender Security.exe
Token: SeDebugPrivilege	1676	Windows Defender Security.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1676	Windows Defender Security.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	27
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	27
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	27
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	27
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	27
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	27
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	27
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	27
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	27
PID 1036 wrote to memory of 1096	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	29
PID 1036 wrote to memory of 1096	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	29
PID 1036 wrote to memory of 1096	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	29
PID 1036 wrote to memory of 1096	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	29
PID 1036 wrote to memory of 632	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	31
PID 1036 wrote to memory of 632	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	31
PID 1036 wrote to memory of 632	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	31
PID 1036 wrote to memory of 632	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	31
PID 1036 wrote to memory of 564	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	32
PID 1036 wrote to memory of 564	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	32
PID 1036 wrote to memory of 564	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	32
PID 1036 wrote to memory of 564	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	32
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	34
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	34
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	34
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	34
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	34
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	34
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	34
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	34
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	34
PID 1676 wrote to memory of 1436	1676	Windows Defender Security.exe	35
PID 1676 wrote to memory of 1436	1676	Windows Defender Security.exe	35
PID 1676 wrote to memory of 1436	1676	Windows Defender Security.exe	35
PID 1676 wrote to memory of 1436	1676	Windows Defender Security.exe	35
PID 1036 wrote to memory of 912	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	37
PID 1036 wrote to memory of 912	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	37
PID 1036 wrote to memory of 912	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	37
PID 1036 wrote to memory of 912	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	37
PID 912 wrote to memory of 1632	912	cmd.exe	39
PID 912 wrote to memory of 1632	912	cmd.exe	39
PID 912 wrote to memory of 1632	912	cmd.exe	39
PID 912 wrote to memory of 1632	912	cmd.exe	39
PID 1036 wrote to memory of 1728	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	40
PID 1036 wrote to memory of 1728	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	40
PID 1036 wrote to memory of 1728	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	40
PID 1036 wrote to memory of 1728	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	40
PID 1728 wrote to memory of 1964	1728	cmd.exe	42
PID 1728 wrote to memory of 1964	1728	cmd.exe	42
PID 1728 wrote to memory of 1964	1728	cmd.exe	42
PID 1728 wrote to memory of 1964	1728	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
"C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
  "C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Loads dropped DLL
  - Windows security modification
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1096
- - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1436
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCfCHWwUnnjq.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xCfCHWwUnnjq.bat

Filesize
261B

MD5
13ebfc24a45ce1fde1b19b6da2568ca2

SHA1
ece19d6e3500c9d313700279cbc70aa61d7a6e4b

SHA256
dd39833ee59624c68a5b76fa6d57001666bf439d5e317671ccdf34c4d1c19e45

SHA512
169e4c23b04041fb2c0e0174cadcee99b0923f77f02adceb1bae8bb1c2af1052c9f6c9a4fea4270144cd29792a71c229d4e12fceed6fe06378497f1e9f3859ec

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe

Filesize
655KB

MD5
c6b8dff8c0e4204c318dc7e349d5f531

SHA1
af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3

SHA256
d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc

SHA512
6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe

Filesize
655KB

MD5
c6b8dff8c0e4204c318dc7e349d5f531

SHA1
af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3

SHA256
d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc

SHA512
6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe

Filesize
655KB

MD5
c6b8dff8c0e4204c318dc7e349d5f531

SHA1
af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3

SHA256
d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc

SHA512
6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe

Filesize
655KB

MD5
c6b8dff8c0e4204c318dc7e349d5f531

SHA1
af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3

SHA256
d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc

SHA512
6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f

Download Submit
memory/564-92-0x000000006EBF0000-0x000000006F19B000-memory.dmp

Filesize
5.7MB

Download
memory/564-90-0x000000006EBF0000-0x000000006F19B000-memory.dmp

Filesize
5.7MB

Download
memory/632-75-0x0000000000860000-0x000000000090A000-memory.dmp

Filesize
680KB

Download
memory/1036-62-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1036-58-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1036-67-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1036-65-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1036-61-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1036-60-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1036-57-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1340-54-0x0000000000010000-0x00000000000BA000-memory.dmp

Filesize
680KB

Download
memory/1340-56-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/1340-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download