quasar | 1329f5e409cf92386843f5d73a5dfe954604bf15763dba212440cec44a9f124c

Analysis

max time kernel
31s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2023 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpyNote_8.6/SpyNote_8.6.exe
Size

20.6MB
MD5

a85a3487b761469b8d2e412331d8d1c7
SHA1

7ee2a306d942b37baad5943a42ae40c673376161
SHA256

719d66cf2ffd53ffc2db32097433bf9bdc169d67e4d03474a5bd0c3bdf68f37d
SHA512

35af4f14d101f0bd01fbf87363cc03216a1258bcfdb33c5886d430b7fa7fd53c11729955128e516660306c0f15674144b347ad434b2682792e91d8812be4fac7
SSDEEP

393216:BnSbLcYDnp2+qKRLaS1GB6jMI/0s7bynxYnMHcBNvUqvvDY4g3X9w+ijU0UkL2Y:DYTpD7LaS1GVI8xmnM8BNvnNg6+KU0L

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

smtp.yassine-bolard.nl:72

82.65.150.176:72

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
oacDd8MguAxsN1YILaEK
install_name
$77Discord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord_Update
subdirectory
Discord_Updater

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral5/files/0x00070000000232ee-152.dat	disable_win_def
behavioral5/files/0x00070000000232ee-153.dat	disable_win_def
behavioral5/memory/4160-158-0x0000000000420000-0x00000000004B6000-memory.dmp	disable_win_def
behavioral5/files/0x00060000000232f0-168.dat	disable_win_def
behavioral5/files/0x00060000000232f0-169.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	$77-Venom72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	$77-Venom72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	$77-Venom72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	$77-Venom72.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral5/files/0x00070000000232ee-152.dat	family_quasar
behavioral5/files/0x00070000000232ee-153.dat	family_quasar
behavioral5/memory/4160-158-0x0000000000420000-0x00000000004B6000-memory.dmp	family_quasar
behavioral5/files/0x00060000000232f0-168.dat	family_quasar
behavioral5/files/0x00060000000232f0-169.dat	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Nirsoft 5 IoCs

resource	yara_rule
behavioral5/files/0x00060000000232ec-148.dat	Nirsoft
behavioral5/files/0x00060000000232ec-150.dat	Nirsoft
behavioral5/files/0x00060000000232ec-147.dat	Nirsoft
behavioral5/files/0x00060000000232ec-155.dat	Nirsoft
behavioral5/files/0x00060000000232ec-157.dat	Nirsoft

Executes dropped EXE 11 IoCs

pid	Process
4748	Discord.exe
372	Spynote Cracked.exe
1256	Discord.exe
4212	Discord1.exe
1412	AdvancedRun.exe
328	AdvancedRun.exe
4160	$77-Venom72.exe
1732	AdvancedRun.exe
5044	AdvancedRun.exe
3276	$77Discord.exe
4464	$77-Venom72.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	$77-Venom72.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SpyNote_8.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Discord1.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	$77-Venom72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	$77-Venom72.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe	$77-Venom72.exe
File opened for modification	C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe	$77-Venom72.exe
File opened for modification	C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe	$77Discord.exe
File opened for modification	C:\Windows\SysWOW64\Discord_Updater	$77Discord.exe
File created	C:\Windows\SysWOW64\Discord_Updater\r77-x64.dll	$77-Venom72.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\FileManager\.ota.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Flags\al.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Battery\b100true.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\SMS\l.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Security\Discord1.exe	Discord.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\ch.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Flags\ky.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\window\ww2.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Security\AdvancedRun.exe	Discord.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Phone\c.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\it.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\mg.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Flags\ad.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Flags\li.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\FileManager\.webp.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Battery\b40false.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Flags\mc.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\wales.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\window\win\5.ico	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\hk.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\ps.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\so.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Security\Test.bat	Discord.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\RE	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\terminal	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\ed.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Flags\qa.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Flags\ai.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\rs.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\NetworkStatus\w1.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Screen\ScreenOn.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Flags\tl.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\tm.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\FileManager\.pdf.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Battery\b50true.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Flags\england.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Bar\normal.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Note\Nup.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\va.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Imports\opt.inf	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\bj.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Flags\lk.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\play.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\zw.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\kz.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Bar\silent.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\FileBox\Videos.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\as.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Flags\ci.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\AccountManager\com.twitter.android.auth.login.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Flags\gi.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\gt.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\window\ww1.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Imports\terminal\tr.inf	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\window\win\6.ico	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\Logo	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\pk.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\uz.png	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Imports\platform-tools	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\window\win\25.ico	SpyNote_8.6.exe
File opened for modification	C:\Program Files\Windows_Update\Resources\Icons\FileManager\.imy.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\be.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Icons\Flags\re.png	SpyNote_8.6.exe
File created	C:\Program Files\Windows_Update\Resources\Imports\Payload\apktool.ascii	SpyNote_8.6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4392	schtasks.exe
3432	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4884	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1412	AdvancedRun.exe
1412	AdvancedRun.exe
328	AdvancedRun.exe
328	AdvancedRun.exe
328	AdvancedRun.exe
328	AdvancedRun.exe
1412	AdvancedRun.exe
1412	AdvancedRun.exe
1732	AdvancedRun.exe
1732	AdvancedRun.exe
1732	AdvancedRun.exe
1732	AdvancedRun.exe
5044	AdvancedRun.exe
5044	AdvancedRun.exe
5044	AdvancedRun.exe
5044	AdvancedRun.exe
2108	powershell.exe
2108	powershell.exe
4160	$77-Venom72.exe
4160	$77-Venom72.exe
4160	$77-Venom72.exe
4160	$77-Venom72.exe
4160	$77-Venom72.exe
4160	$77-Venom72.exe
4160	$77-Venom72.exe
4464	$77-Venom72.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	AdvancedRun.exe
Token: SeDebugPrivilege	328	AdvancedRun.exe
Token: SeImpersonatePrivilege	328	AdvancedRun.exe
Token: SeImpersonatePrivilege	1412	AdvancedRun.exe
Token: SeDebugPrivilege	1732	AdvancedRun.exe
Token: SeImpersonatePrivilege	1732	AdvancedRun.exe
Token: SeDebugPrivilege	5044	AdvancedRun.exe
Token: SeImpersonatePrivilege	5044	AdvancedRun.exe
Token: SeDebugPrivilege	4160	$77-Venom72.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	3276	$77Discord.exe
Token: SeDebugPrivilege	3276	$77Discord.exe
Token: SeDebugPrivilege	4464	$77-Venom72.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4748	Discord.exe
1256	Discord.exe
4212	Discord1.exe
1412	AdvancedRun.exe
328	AdvancedRun.exe
3276	$77Discord.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4748	4780	SpyNote_8.6.exe	79
PID 4780 wrote to memory of 4748	4780	SpyNote_8.6.exe	79
PID 4780 wrote to memory of 4748	4780	SpyNote_8.6.exe	79
PID 4780 wrote to memory of 372	4780	SpyNote_8.6.exe	81
PID 4780 wrote to memory of 372	4780	SpyNote_8.6.exe	81
PID 4748 wrote to memory of 1256	4748	Discord.exe	82
PID 4748 wrote to memory of 1256	4748	Discord.exe	82
PID 4748 wrote to memory of 1256	4748	Discord.exe	82
PID 4748 wrote to memory of 4212	4748	Discord.exe	83
PID 4748 wrote to memory of 4212	4748	Discord.exe	83
PID 4748 wrote to memory of 4212	4748	Discord.exe	83
PID 1256 wrote to memory of 1412	1256	Discord.exe	84
PID 1256 wrote to memory of 1412	1256	Discord.exe	84
PID 1256 wrote to memory of 328	1256	Discord.exe	88
PID 1256 wrote to memory of 328	1256	Discord.exe	88
PID 4212 wrote to memory of 4160	4212	Discord1.exe	85
PID 4212 wrote to memory of 4160	4212	Discord1.exe	85
PID 4212 wrote to memory of 4160	4212	Discord1.exe	85
PID 328 wrote to memory of 1732	328	AdvancedRun.exe	86
PID 328 wrote to memory of 1732	328	AdvancedRun.exe	86
PID 1412 wrote to memory of 5044	1412	AdvancedRun.exe	87
PID 1412 wrote to memory of 5044	1412	AdvancedRun.exe	87
PID 4160 wrote to memory of 4392	4160	$77-Venom72.exe	91
PID 4160 wrote to memory of 4392	4160	$77-Venom72.exe	91
PID 4160 wrote to memory of 4392	4160	$77-Venom72.exe	91
PID 4160 wrote to memory of 3276	4160	$77-Venom72.exe	93
PID 4160 wrote to memory of 3276	4160	$77-Venom72.exe	93
PID 4160 wrote to memory of 3276	4160	$77-Venom72.exe	93
PID 4160 wrote to memory of 2108	4160	$77-Venom72.exe	94
PID 4160 wrote to memory of 2108	4160	$77-Venom72.exe	94
PID 4160 wrote to memory of 2108	4160	$77-Venom72.exe	94
PID 3276 wrote to memory of 3432	3276	$77Discord.exe	96
PID 3276 wrote to memory of 3432	3276	$77Discord.exe	96
PID 3276 wrote to memory of 3432	3276	$77Discord.exe	96
PID 4160 wrote to memory of 640	4160	$77-Venom72.exe	100
PID 4160 wrote to memory of 640	4160	$77-Venom72.exe	100
PID 4160 wrote to memory of 640	4160	$77-Venom72.exe	100
PID 640 wrote to memory of 4012	640	cmd.exe	102
PID 640 wrote to memory of 4012	640	cmd.exe	102
PID 640 wrote to memory of 4012	640	cmd.exe	102
PID 4160 wrote to memory of 1716	4160	$77-Venom72.exe	103
PID 4160 wrote to memory of 1716	4160	$77-Venom72.exe	103
PID 4160 wrote to memory of 1716	4160	$77-Venom72.exe	103
PID 1716 wrote to memory of 1312	1716	cmd.exe	106
PID 1716 wrote to memory of 1312	1716	cmd.exe	106
PID 1716 wrote to memory of 1312	1716	cmd.exe	106
PID 1716 wrote to memory of 4884	1716	cmd.exe	107
PID 1716 wrote to memory of 4884	1716	cmd.exe	107
PID 1716 wrote to memory of 4884	1716	cmd.exe	107
PID 1716 wrote to memory of 4464	1716	cmd.exe	111
PID 1716 wrote to memory of 4464	1716	cmd.exe	111
PID 1716 wrote to memory of 4464	1716	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\SpyNote_8.6\SpyNote_8.6.exe
"C:\Users\Admin\AppData\Local\Temp\SpyNote_8.6\SpyNote_8.6.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Program Files\Windows_Update\Discord.exe
  "C:\Program Files\Windows_Update\Discord.exe" -pKazutoSan72@$%
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Program Files\Windows_Security\Discord.exe
    "C:\Program Files\Windows_Security\Discord.exe" -pKazutoSan72@$%?:YB381
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Program Files\Windows_Security\AdvancedRun.exe
      "C:\Program Files\Windows_Security\AdvancedRun.exe" /EXEFilename Test.bat /RunAs 8 /Run
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Program Files\Windows_Security\AdvancedRun.exe
        
        "C:\Program Files\Windows_Security\AdvancedRun.exe" /SpecialRun 14001f2b0 1412
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
  - - C:\Program Files\Windows_Security\AdvancedRun.exe
      "C:\Program Files\Windows_Security\AdvancedRun.exe" /EXEFilename Test.bat /RunAs 8 /Run
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:328
- - C:\Program Files\Windows_Security\Discord1.exe
    "C:\Program Files\Windows_Security\Discord1.exe" -pKazutoSan72@$%?:YB381
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Program Files\Windows_Apps\$77-Venom72.exe
      "C:\Program Files\Windows_Apps\$77-Venom72.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Checks computer location settings
      Windows security modification
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Discord_Update" /sc ONLOGON /tr "C:\Program Files\Windows_Apps\$77-Venom72.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:4392
    - - C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe
        
        "C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3276
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Discord_Update" /sc ONLOGON /tr "C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:3432
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        6⤵
        
        PID:4012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n41aihJMhWG2.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1312
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:4884
      - C:\Program Files\Windows_Apps\$77-Venom72.exe
        
        "C:\Program Files\Windows_Apps\$77-Venom72.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
- C:\Program Files\Windows_Update\Spynote Cracked.exe
  "C:\Program Files\Windows_Update\Spynote Cracked.exe"
  2⤵
  - Executes dropped EXE
  PID:372

C:\Program Files\Windows_Security\AdvancedRun.exe
"C:\Program Files\Windows_Security\AdvancedRun.exe" /SpecialRun 14001f2b0 328
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows_Apps\$77-Venom72.exe

Filesize
576KB

MD5
80495befd515f6af32389c1cfb3e8c5b

SHA1
29ec599e91edffe758d0613540fa02da686f1746

SHA256
775157d95dba8027eb71f061d11f805dae23b5bbd25ceb0edb7f0d3782f4e07b

SHA512
bbbf4ba7c8a6b004ccda8924cea0e59504cdf43816961c5441bbc7fc3c3c22f805d8341eed22f13bdecbf2ad5f1ffe73f626d21a6035cac832c3e9427fa6745f

Download Submit
C:\Program Files\Windows_Apps\$77-Venom72.exe

Filesize
576KB

MD5
80495befd515f6af32389c1cfb3e8c5b

SHA1
29ec599e91edffe758d0613540fa02da686f1746

SHA256
775157d95dba8027eb71f061d11f805dae23b5bbd25ceb0edb7f0d3782f4e07b

SHA512
bbbf4ba7c8a6b004ccda8924cea0e59504cdf43816961c5441bbc7fc3c3c22f805d8341eed22f13bdecbf2ad5f1ffe73f626d21a6035cac832c3e9427fa6745f

Download Submit
C:\Program Files\Windows_Security\AdvancedRun.exe

Filesize
148KB

MD5
fd048f729a521a51273897c937b0a132

SHA1
3ba5137721c135fe125f9667c45b01b9728d21ed

SHA256
71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4

SHA512
9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

Download Submit
C:\Program Files\Windows_Security\AdvancedRun.exe

Filesize
148KB

MD5
fd048f729a521a51273897c937b0a132

SHA1
3ba5137721c135fe125f9667c45b01b9728d21ed

SHA256
71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4

SHA512
9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

Download Submit
C:\Program Files\Windows_Security\AdvancedRun.exe

Filesize
148KB

MD5
fd048f729a521a51273897c937b0a132

SHA1
3ba5137721c135fe125f9667c45b01b9728d21ed

SHA256
71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4

SHA512
9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

Download Submit
C:\Program Files\Windows_Security\AdvancedRun.exe

Filesize
148KB

MD5
fd048f729a521a51273897c937b0a132

SHA1
3ba5137721c135fe125f9667c45b01b9728d21ed

SHA256
71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4

SHA512
9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

Download Submit
C:\Program Files\Windows_Security\AdvancedRun.exe

Filesize
148KB

MD5
fd048f729a521a51273897c937b0a132

SHA1
3ba5137721c135fe125f9667c45b01b9728d21ed

SHA256
71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4

SHA512
9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

Download Submit
C:\Program Files\Windows_Security\Discord.exe

Filesize
339KB

MD5
7982a3c8d157fab1222054474d772332

SHA1
f134d7ce11e37e30e07a73f0d8c7bc0a87c04492

SHA256
7dc4ae41a5820fbdfc912cd1ef586f7ad80e77ca0b4f6c364255cfb01dac648c

SHA512
182bd93ebd698850bd112779f4e06f1b561edbdcb6243d5df5112fedb95a267f47a548d3b9e0fde7ae3ed1fbdb72881405757b7ea7326810d42ea78123562d97

Download Submit
C:\Program Files\Windows_Security\Discord.exe

Filesize
339KB

MD5
7982a3c8d157fab1222054474d772332

SHA1
f134d7ce11e37e30e07a73f0d8c7bc0a87c04492

SHA256
7dc4ae41a5820fbdfc912cd1ef586f7ad80e77ca0b4f6c364255cfb01dac648c

SHA512
182bd93ebd698850bd112779f4e06f1b561edbdcb6243d5df5112fedb95a267f47a548d3b9e0fde7ae3ed1fbdb72881405757b7ea7326810d42ea78123562d97

Download Submit
C:\Program Files\Windows_Security\Discord1.exe

Filesize
541KB

MD5
dead320a00168f6625dd7be9b6b70e20

SHA1
51624ff21ffaf610c8655826ca17ea833fa611f7

SHA256
1d5053b75e4199446b32a86f358928669397c5fb2cf17049e1e9241cb1b1b7c5

SHA512
713f32bce99fbf09164a53e18506ae260c5ac12efea5420eb81510ebb27309e8f7cbdc4e001c8b28de1cb83c51f0014458cb060c64dcc0fd1a5b2a29d8455218

Download Submit
C:\Program Files\Windows_Security\Discord1.exe

Filesize
541KB

MD5
dead320a00168f6625dd7be9b6b70e20

SHA1
51624ff21ffaf610c8655826ca17ea833fa611f7

SHA256
1d5053b75e4199446b32a86f358928669397c5fb2cf17049e1e9241cb1b1b7c5

SHA512
713f32bce99fbf09164a53e18506ae260c5ac12efea5420eb81510ebb27309e8f7cbdc4e001c8b28de1cb83c51f0014458cb060c64dcc0fd1a5b2a29d8455218

Download Submit
C:\Program Files\Windows_Update\CoreAudioApi.dll

Filesize
24KB

MD5
6a009b7c4b252788d80d4e40adcf51ce

SHA1
9302cd4f00fa70b768feec2a49505052cd4bd13e

SHA256
df6115987161ee1238f9564bd10c998d9016f582e5b7b9d23d21a74d6955bdd3

SHA512
7a27bc38249b293fbfb9389cac3365bf64e9536281c347939192e6b151b4e574bd9743df81721dc4e6beca0ab0a5784436b7f7bff780fdddef4c7c26b02cc354

Download Submit
C:\Program Files\Windows_Update\Discord.exe

Filesize
790KB

MD5
ffbf8505009dcfee149e8a8c240ef82f

SHA1
f07334436f15956c5078a5cfeb9a4305819e220d

SHA256
308a6e24a3eeb14fdd7038566460b55db3bfe81ede2721a0128f1e142aeb41cb

SHA512
307eac44f3c052603aa1126a24986ac3bc2cccde81379d229ed29a23f1936a917942a4967b07c266b7b6ec546e31707dad0a94f5adddac0707453927f4f8a8d8

Download Submit
C:\Program Files\Windows_Update\Discord.exe

Filesize
790KB

MD5
ffbf8505009dcfee149e8a8c240ef82f

SHA1
f07334436f15956c5078a5cfeb9a4305819e220d

SHA256
308a6e24a3eeb14fdd7038566460b55db3bfe81ede2721a0128f1e142aeb41cb

SHA512
307eac44f3c052603aa1126a24986ac3bc2cccde81379d229ed29a23f1936a917942a4967b07c266b7b6ec546e31707dad0a94f5adddac0707453927f4f8a8d8

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\-1.png

Filesize
400B

MD5
c609be5c33f6f915bc29748c953c17d3

SHA1
61e44893f7aa2839951909667d0c7f9d218a8657

SHA256
a46b437d58f99ab76c6f5a8dd36202084afb236007cbf268528eafefa47be42e

SHA512
373f095a12333bc2ea08e28300dd9a507d42354ce21ca2625a98f7824fcdee666c597b741b4a51f15bbb14d30102863ae845481381f64c6068a3f7a66a8bae67

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\ad.png

Filesize
643B

MD5
cc750844215aed20b2b05c10d6082b0d

SHA1
48fe2e042a75efb26c8b1822b51a8c9ab44bc4af

SHA256
8adee4d665c8119ec4f5ad5c43a9a85450e0001c275b6a0ee178ffbf95c4c043

SHA512
ff5a1141d9a3de908416f50bc184713e3cd340b100742726b86b03a8e826bf1324348cc2a02c81027f263347aa4944f5af7d59af6a35fb48cb6e37b93de3d53b

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\ae.png

Filesize
408B

MD5
7391e6b6df7b181d51ffeb2a5a6d7bd4

SHA1
e442abb4c7713078983da019502d070f38c12e26

SHA256
6f20d866841c4514782a46142df22b70b8da9783c513e3d41d8f3313483fe38d

SHA512
0a642f43a40e2c75249abe5bc41fc76489e6766f8f8ed1f075ccb66beae6da1e3362dc5ab97747395e35560d5accc4cf6cc5a480655657f6d2c63379205b8105

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\af.png

Filesize
604B

MD5
ae7c58272ae46cde945ccc4bed00fe9e

SHA1
a2b715b803d7ee6bb2b3827e09912c9ad7fbee43

SHA256
c1054fb8d9595948aa96bc57c9ab6fb6b3770d2ee7e09ba7e46b09b21bf51bcd

SHA512
aa0df3c684f97b47dbe2b0f51d271814d48b411e3cc9e82b681e9e8d43c35eef1e1d2295b5fcd999dfba56658fdf46ce2200cc853051421284ef5161423c1d86

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\ag.png

Filesize
591B

MD5
390af4c36d462bbf2627a1182946825a

SHA1
3bd00dff1ac2a305320f31048389fe1c57d67e70

SHA256
0dfb5c39e2a3eebe18b431cf41c8c892ab5f1249caa09d43fa1dd7394d486cd7

SHA512
3a8768da603e5a7f1b92b75133a68f4cc776aedf9750d1d388fc23511797b86348dff3bfcd837e1f561fa052666cba05a53e272405e1555055956209a2ec388e

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\ai.png

Filesize
643B

MD5
08cf0788a582710062140f69887300fc

SHA1
55094d8c1c4461a2b49f2815726bda895c7c5809

SHA256
721542818b00e197fea04303b0afc24763017c14b8cd791dfaf08411d9a99cae

SHA512
b16c87d694cd0ac9d94afc619754f46ad3c4dafcd155494da6ee2cc5c0f6869784e310711d12cb73b58ab7d7a48b6e08bc60c6885774a56dc89fcf5b358db541

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\al.png

Filesize
600B

MD5
7c5bc720b2cf3047c9fab800e271eec9

SHA1
a8e31ed33613d407953b976ad42b3994b283b46c

SHA256
3f7278c0c4272b6ff65293c18cdbb7e2e272f59dabe16619c22051d319ef44e0

SHA512
2fd48b6c49d6902bc749d1028b14d00044374f144aacf0f6155cf226b2d3024170ee6ae37928b889e0fe9791ffe52040e6c1932280c4e672196ee66f5f1b771c

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\am.png

Filesize
497B

MD5
fd5d9d1d864ea76406afec5e11f2632f

SHA1
1d65a04d04fe6acc226f51521048745aaba27455

SHA256
e34d4e7961e7e994775dddfa994e4d9f709876634d36facff6bac70155597c23

SHA512
17f6b1bf5337103f5463204c37d13fd7c09a45e05442b8907dfddea210d28bf020fcacb044ec31bb80838c613af4fcd3268f783021c3d63094b39f37db5d3cb2

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\an.png

Filesize
488B

MD5
7d7d682a9dc9f2a26a6dea1fdb87334f

SHA1
3e14814df061e038b586544045bdaf6b598f9318

SHA256
4c9bd8548dfa58fdf9e6ac703f94c8b96d8136c42b06fbdc8e2d8817e592ffde

SHA512
b740ec275b1e82813e0ca0ad33258dd78111f37abb1ca42db8c393f2d91eb1fd19783e3d9cf66e2cd51c905ad66d22217e49f161c83249290c9e94109784ed8c

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\ao.png

Filesize
428B

MD5
41a8aa1e11f7086d2413d8d9a777680b

SHA1
7669fc0f93de2266e504c5d341c34cdc1bd14c32

SHA256
49b0a50005440417bd679d03d4d78f9ba0d1c457285c97e94f36e56b1e8b623b

SHA512
5ee0853320a1122eddd3df7076f02d31e03088274ddcfee9488dac56db90b6fc2dcee7a3b2b77f73399d25a7cd5399032bf141834a4ca951b36332bbc5abee20

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\ar.png

Filesize
506B

MD5
2fa357868e66f1aec9c4c4230baa45b3

SHA1
4c849a943c12cf8d1cac1190b04ec82cd68483fb

SHA256
776fbb0600f99ccdc44e2ee7f8b6559988c443f3a754792585b1b7008aaedb91

SHA512
811a0b184ab99c7d2fa41b9f3794465d18896bc6cae3aa286044d78f4279aa8dbec72a5810c029f028028a7014944d0e77d65075e5ab8f920dbce177c657feed

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\as.png

Filesize
647B

MD5
96e49204e758277b6720584c4d844ecc

SHA1
0628b4658024559820d908dc541b16676225f43c

SHA256
3ef7f1b82b2f28cae0c7df163c5ce9227ef37244da85118374869fc5f2e05868

SHA512
16363fae8431677648eb0357d30bef20d10a625d5beddc4da7ea77caa66a07fe98abb24a446374f468dc0a7564050a93dd857c7b87a97e309d0320fdcbf5d2ee

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\at.png

Filesize
403B

MD5
62bf1a5653692b34b2ee1f734a59b062

SHA1
56dced18c23f60ee643fc024952a22a4df96d521

SHA256
a3acc39d4b61f9cc1056c19176d1559f0dacbb0587a700afdbe4d881040ccd52

SHA512
35b772e4867d22d70b01564fad66fcadaa02729fe9e7f1687411185c8cd6f36e8d8926fafcccde6c86791b7ceeaea4f1be947f8f8bdd6f8211a8a441b04dec24

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\au.png

Filesize
673B

MD5
2fba49c88880e9ffcff947015cb7ab9c

SHA1
20361b7e4d3cf488c5e6330b6abdb1efcaa9e866

SHA256
a7f9683bc4240ef940ee3d4aaf127515add30d25b0b2179a6cdec23944635603

SHA512
6d826ac84a3ba2f845a1092c75a4416f170fca0e74122de5d031095942d51f2c1b53604589a8960a3d48319f3040361d9b66f1733de19a5fd2b18f07fe6a29ff

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\aw.png

Filesize
524B

MD5
6e82279ceb4702171f345fead7ff3e35

SHA1
d65c98f09c2aaa4ea7b80cd0194fa5c2b2139803

SHA256
2dc58a1fcd65957140fa06ba9b2f1bd1b3643724cef0905e23e1561a5b3dfa5b

SHA512
b2b8f49882b977571bd3ba5b6f601d292c52699e2cdcb767217061cc5c1feaecdd37ea0f7b1604ad810a6bfbe718cc360a2bdda1565847641fb4f166b9412e33

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\ax.png

Filesize
663B

MD5
27708378fcc025e375fd3c303fc1cbd6

SHA1
80f2cae567c864f698e995b85c315c081a923a6d

SHA256
3f38a42fd54e4c7cb1154026f734bc444f9cc942b8b91f099cc65dccf6c7f431

SHA512
a328121605cead5dbcb9fe46e37f70236b388832ab3c217602a10da5be19e685c9d38df9b4cfcbb162264bf647565a50e56e5ace56c5602ce4d49c83d7829f60

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\az.png

Filesize
589B

MD5
d63f5c99e25eca9de2a97f63161f38e6

SHA1
c983ba7753a911badfee041c7080760754ab8e45

SHA256
45da74f4c8a50cfc13ff612e9052a7df77fae155e20c2b67ec34c4e3d46dcebe

SHA512
083368f19aeca2b40d30d471026dfa677e759a467c70e3210455188f76b002ef342839370a8d9eae1f662c9c022b99f44e085256d4df982f8b0929d5fe7fc11b

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\Flags\ba.png

Filesize
593B

MD5
cbb6ce46c69e14bbd8d2c8fd91680d33

SHA1
40dab3c90fa2fabee16fa59ecafc129a104f7ac1

SHA256
8aab9c83759b1a121043ae5526d7bd4174d6612c7d0c697609731e9f7b819b6b

SHA512
a357a26bf7b21290c9d03be41861260989a43201ed9bf1a18bc70b325290d3e9b7c80ac1bfc033b2a2e334c12986654250bf01c072679e42d850b1c80a18ddca

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ToolStrip\Add.png

Filesize
220B

MD5
8e183934a32657976f4647fab9555734

SHA1
bb312d6ddbb44df9611e081ad6dd1667ddbd17f3

SHA256
85436dd3cb7980564a3b5daf376ee7a540b018abc62c1b2edc2bc8791045a6ad

SHA512
a789c570c5893a85adaa89ba9b413a379b41f3b36e67adb377a97ad0b90b15777e882f63e62288fb5f5dc5f8cca781cbc15c5b99534dc69fb3b68601adc33994

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ToolStrip\AutoDelete.png

Filesize
2KB

MD5
7e6417c121f329dd06dede840f4e63f5

SHA1
a25b12079206b72e1a052fede797c18f79447b8f

SHA256
66edce77199a6dfa638cc2e784b074bdae713ee7c6fa478347bf3bf5d7754de1

SHA512
c7b5aac8d45ca137f747271341fe1fb5efd1393ae4f2eda96a8745ba93f1494c255dd664f31d64682d83ea24ee2ea040a4510862373d973339aebc06a3e8f70b

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ToolStrip\Delete.png

Filesize
305B

MD5
58e72ff920e182c666e5e39d3857f864

SHA1
27d884cb45b3a08d09b8f5c457d8d95d984e1a63

SHA256
b23bd41d31dcc2b4f3c2ad8c73560f7b1abbd6c50c9a03fcce011a92ca75eb07

SHA512
4012dd2b124150f3c4829b69131d5d912edd33e10d94e542a1eebe3e33c34740520d14d7f3110f6ca6c229fdfb5474d248b048f8ab6faef38f1ce77cd9e8611f

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ToolStrip\DeleteAll.png

Filesize
397B

MD5
899fbee6c4b83d4440d3cd915850fa5f

SHA1
c1c734902e820d7dc72d6b2b877016c5b227a620

SHA256
56fd86fa0add90d3f0fb63eb7e32978b614a5d745fb430091f6e35a8a46a76bd

SHA512
26bf0554ba36667e28ed5b046345f2fff318291790d6097dec2b910946dd64509f011aa5f7ada71a634d4ddeb6254a71b5e4d332bf7be780c6aa52ba5240e912

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ToolStrip\Down.png

Filesize
258B

MD5
09bc1d5353b26bf96ad3168f8370948a

SHA1
70075d14c57b97c8a555bda54246b3444568d1b1

SHA256
39ce52c02d20558989325692febe1cf58085a6b97423e2ecf192d03cb6b94bec

SHA512
ffd51513286b90f834c474b8ddf2fcbf36e1a2e8ebc502d0ef0baf6975621ea9932055202682794b4e8950588d98159e440e87e828db3b829390a6d914cd5ee4

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ToolStrip\Refresh.png

Filesize
2KB

MD5
3d7830e1f145dcd9f7f20e74249fa8b2

SHA1
500e8959d2e519db4daa112b7a2680f6ca8006bb

SHA256
2cf2c3f43b8a70ea258944033d21410cc358be6e6114f48db7d5fdc3aaaccc9f

SHA512
cb948775495990f953ba89958317254a68204f7a93fb16ccfea8c0e825e200438e44ba75e734a9b873bcec7e579652b69e448b805a27c2f12603af1fe62ce7a9

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\acc.png

Filesize
2KB

MD5
1cf5e6842ccf4830376cd826eb537db3

SHA1
09c46796c33a80b0aa4c09380b330264fcb8f089

SHA256
ebcc5ecab57d3e9ceb036b924b8facf11164fd253630d41c0d8fdf216ab1fcdb

SHA512
726b91e848c06f20a218fba24ee4998d4e34e067155a70808fba21b5fb30dd7d8ce300013d1e06cd950cb0fbcd8184fa9b4400f81a2f60fa82ec193cfa623fcd

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\b.png

Filesize
2KB

MD5
b8491a47e1ce9b14efae19ea94de671f

SHA1
fe5544224bdda6195086a2d361fbe91c18943063

SHA256
cd9128b776b39ace8aa84a1cd88c13aaabbc311a9c98bebf8d9c0ce53004d5a6

SHA512
1a35bac26eb4eb0d6ee71393c379933b12c94a91059b246be61f7b55d1acd13a250914d0cee91a772394a751aa43863a1f39d041c785037f2c5c6a9da8039285

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\c.png

Filesize
2KB

MD5
777ca468d56049e5d8e9669a4f05574e

SHA1
73d8f8c797ea9ab39c5b271dde06002909cb5369

SHA256
dee9494941b73c77876f24a5f06a1d09f64fc63c0fbb342b28198298279a9748

SHA512
479676c169e11e8c9af9bd02a527a548ced634d3074d04910bb391aaef1d146ede02d690ed03d4c4a8024b6df97a28dbab48df653f4a30928370dfbb2e78c6b8

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\ca.png

Filesize
2KB

MD5
23c35bfeb5a45395ddca3a9ddd363454

SHA1
c6bada50ab232a26a6738b754120a2953d61bccf

SHA256
eb6917b8ff7de24dd63f22d7455aef1d1bb169e60ba8f5503334fcba668ebd9b

SHA512
9e8d7b22c2f040b175480f82ff86af12b42d86d693ca98bf87cad65b363cda51b4c0c1e1dda418c840a8c2d60a89e11934544e1c553fc5393e920a4154363e4d

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\ch.png

Filesize
2KB

MD5
3599b71e7d93f9c143ad38e622fe131a

SHA1
264b93c72cb26fead8d8aefd16f39bb384b94f71

SHA256
08e43a6ff816c8c13e0ade0be5cc1e2edfe8bc3bd9ab456de78e451b43476c57

SHA512
91d2ccfe737a2429cbcee6cff9215de38f544083f468bd84a23eacc376e36d035e9596c35205b2d0cbc4c70b5c9e20713cad9c36a9b61d1da27cfc12ba08dde0

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\f.png

Filesize
2KB

MD5
f3bace88da12c1a6d2ad411b9ce0f3c1

SHA1
d15f06486359fc7bed9a2f6f5da5b424e3662b31

SHA256
3054382699ff373beb77fc56319cd818e8ea3944e292368fdb6466a7076a7bd7

SHA512
9f16335b12d0b1b78a1934a30d24f5327167f2f4ecc10a4a5e1c9d95387b6bdf9e795faba5d76812ae0a26eed037219622911bc32524f1cdf7a3c87d177d1092

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\fun.png

Filesize
240B

MD5
4d45d84970efa5ada701b684024ffd5e

SHA1
05400ff26e2f77da51df6fd65e25a94d94cf4629

SHA256
a9dce68d119e8701b0af386d425b152beaa66fa12882f1ce67cfa5e8f9393015

SHA512
af259c30621b959b9d9f3151f5610364410cc06119a434aeee7f0479466a35ee3f8bb61a748d402168b6bf1257c23ccebd5129e6c8b9a1668a3a2235acaaabab

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\k.png

Filesize
2KB

MD5
0839470bcefd61598779256476575d7c

SHA1
9ef5381038789475fc8c9c916c50c6f3a8b2dc75

SHA256
63491fc40deec306c9dbd159a1672fb57718225ece2c4b1944dffd5c81e6fd4a

SHA512
07bf985d80ce921d7c9a539554dd033a432691c3849507099facf2ecbb9f273f742fc01be6e708e4b404036e95a05843d3a42fa979369bc42b4f9dc90786f8fb

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\loc.png

Filesize
3KB

MD5
d1d3f42dcb9b9d31cb64a32b2230a1fc

SHA1
c3c7d6f7d9b70709a67a360015ff8058286b77e9

SHA256
1b50028fe1f198ef0d768205da898195cdc5fbfc8922deacba66218903e23abb

SHA512
a85f17ff69f1b130bf05f3574033eef886f31d3aeb866b305d9af569729580ec601b538bb45ae6737e2e44598ca10854bdfb37019d7c35330ac7e2a0bbe89bd6

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\mc.png

Filesize
3KB

MD5
d704a3c1a92c928fa42975ab336c2525

SHA1
85ad8fe91a230247764c088a5609d5578f931c50

SHA256
a8da599d2edc08081b539610f3925c5d473b89c60aaab1bc547a1481d6f550dc

SHA512
4bafdf31c42664048ae287e6850ac87519a69c4856e053c0d4a8d92de3981c85033c37afe4ac703043209a206e6b63a78c9916afb84b17a88cea7915c05316a9

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\ph.png

Filesize
2KB

MD5
8656e5c7906f69487520f2c8f88a07f6

SHA1
7feaae2fdeecc08e5a93630b57ab4ed17f5d78fd

SHA256
da44138fa550395ef7feb575d5dc839d3d31ceb9612f63715b5bcad567c3b184

SHA512
c2c8e5a27d0d1c0c0c45959a400e74b16506297abed2a21d363671b0ca398bd99e6f8682c74f6c07e248d476d97f194c74d41d4acb026deb088e14aefe86b89f

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\prg.png

Filesize
2KB

MD5
afe612007711b613cdebaae848ff11f2

SHA1
b1240e5969e7e7e234a68a8e0fb3b70e5ee4ba22

SHA256
509228e4672c63497c710d988dde01abe51380d1bb8067a82d80e88e1630b781

SHA512
959c09f37a9e3fe9326dcf5479c55f130cc65c66a9cf9dcb17249713ea2ec815b3eb075922e992db307147695ba0bfe6d4c2e622bb2132e13e8556f562902880

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\s.png

Filesize
2KB

MD5
ff8980e2be70e7daf9fe0a380eeca4cd

SHA1
c9169bfa48e68ecd9daf7861749ab453697e717b

SHA256
95c8447b14c558c2a42becb59bc21d9687dd26881315c52323b9727a68a777bd

SHA512
9de58ca0f165c3d4ae97df9a229e65e31173000ca026093d857ab9a93a28d1474e9e0f95a3d5b0e1311cd3f7648ad18b393d6baf0982a16b6289f1ffb7d151aa

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\set.png

Filesize
3KB

MD5
223bb92858d10e815f0ccc41fe9b1d35

SHA1
32f1ce2f4808b56da6d4a61bdea7dfbe6c2761b7

SHA256
23753c13cac75df9d96cf03cef00d31bd9f38c10542c698dfe3e52948bac1743

SHA512
71b3d14e562e56de669a885e24e271fcff8e8f2fb0985de23ecbef732f654529dfe06e5ed8211eb5f0b94748e9739aa3aed33f1e6e5f3ae080400c6d4c00d62e

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\t.png

Filesize
2KB

MD5
f41b5ef056b1060cafeb3330f5aabc60

SHA1
605a739e0b0423a1bd8614c1ee904747da6fa2e4

SHA256
c49b1abb780dfc6c5b1bbb1ee4318ccc664b43ee95f336fdfcf44801066ff472

SHA512
461672faf6666235e3b45e16d7d25600d5ab41bfcc73ed1aeb59f57bbc38cecfc70a018c35062434f7759044351de3ec54a46a21e6b3dc23c409d032b2d73f8d

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\ctx_menu\v.png

Filesize
216B

MD5
163af385a94a9135b32dd3c559ed8aa9

SHA1
00a831f96c53bc5470acef7c05ccc928f0505ad3

SHA256
f355e6339a02b894aae631a665c3d8661b4df1df62adb34118ed234744cc5a85

SHA512
5ce569a0d56aaf5307ae513b2712287e9201dc2c92f6698e69cc8a40b53cfada583f007dee5bed4822515a5dbdd946b6d01f48a83614cfe4510aebbe5a75d656

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\window\w0.png

Filesize
186B

MD5
1c6d8f736ad7977ec119427fdec2457d

SHA1
b9a2514a0576aa24916f6af4773f9cb2f1be8f9e

SHA256
def2a94927c53112ad11ce37474fc78ab394fb087a5eddf793255a090818a6c4

SHA512
96ea1e9453b3923f81bc0f9d2c406c5812711c3682a4c29448062b844481abee9611a9e7061c4cfc2ec7682ecd5f89b1c4f6f19d68b3cb301e5a0b2efcdf3165

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\window\w2.png

Filesize
306B

MD5
28fe5092f09010b71307bbfff42b08a8

SHA1
8613fbf0f0454ff6c057122ccf5e759a8ed54ce3

SHA256
6dc91f8ace48ee0aabc935a2422ffb9278289203955baf7e0c6efb14082cdd85

SHA512
efa0175ef410d2a4cff20d0723ada62d85047f77708920c8d38f18fa41e3c0ea504e04730d1c4f523d3b4228a7907f35a84ef9428f4ad16d901a6aaa9bc003d7

Download Submit
C:\Program Files\Windows_Update\Resources\Icons\window\win\0.ico

Filesize
22KB

MD5
129abe6c59d4a66e9a5e4af4a90ddb4f

SHA1
db54e9256cf69ff01cca7a63ca10f45ddcabff1d

SHA256
0b6fd8ed3238c47529a03f8df7a5eda6c6b6d3117f3e7aeb889c490c65f6e8f4

SHA512
908fe2942a1594fa28aefc0ded9ed451e4e15c857fcaab2be07926f97705154c3db4e3d2176d1b62c0c41d646f2ac2fb47bad246a4f5425d5223b81cfc32f106

Download Submit
C:\Program Files\Windows_Update\Resources\Imports\Xml\Settings\SpyNote.xml

Filesize
602B

MD5
ae277724edfeb6e15b494d01a5653dda

SHA1
db6abb178c4ef49ecf64f067273974a69c347221

SHA256
01ab3d64415235b1a4cbffb83a09f9b333a208164939b7a01b2e630152dea1a5

SHA512
3b0f9b9ad51f0b39dbc39794c2e93cafa3b6f4d3db528108c3c7360355aa88ae012e010b479b1abe3d121a156d9a315a0399a5995ebdbead40289f89c359b4b2

Download Submit
C:\Program Files\Windows_Update\Resources\Imports\opt.inf

Filesize
95B

MD5
1f5511a315fe6684177eebcf8ebde04a

SHA1
83c296d3aec584d0845b047331a83a8ffb018b43

SHA256
b0e6c24d35a9154cf1e40a6fcf0bb2439fe4b32a0481f6b05a52e30890f1523e

SHA512
497dbe6c9af2c5a9d4f379b848ef12e4dc6a5cbd7f1f2ef0c90c1bfd21932204909c4deda74734c476e7a39de10dcf437e296f7a640980c04b3ed11bb2bf3d57

Download Submit
C:\Program Files\Windows_Update\Resources\imports\GeoIP\GeoIP.dat

Filesize
1.1MB

MD5
2fbec46d430f57befcde85b86c68b36e

SHA1
3ff9829e3242deb69a7fde0832b7d9345b925afc

SHA256
681ede512fe7ac21e976c754bfc1e1a75a9e02c3d931ce6849cfaa9d4080338a

SHA512
42036af6f57e446fec194ce71fa634dee9f4c77342f64a867fca8730d76349190960a7e7a5967ea59c250ca1b220d4845b4911dd63ee870f5620d9eb513b91d6

Download Submit
C:\Program Files\Windows_Update\SpyNote Cracked.exe

Filesize
6.1MB

MD5
b4bb4a074169545d22ad0278e66ec96b

SHA1
c386177d35f0959fa55606df1bb6995b46030c61

SHA256
b3ca2f2cc15a16fc390172a9507337dc1f73d3501b46e2c761238171456654ae

SHA512
c0374732df1bdc15fac5229019d2962485d9a221b970690c1d2e6eb0af6401b0c98fc5d9e1584b7896e28c122afb1faa196ae5ba441f234a522c2746c5931998

Download Submit
C:\Program Files\Windows_Update\Spynote Cracked.exe

Filesize
6.1MB

MD5
b4bb4a074169545d22ad0278e66ec96b

SHA1
c386177d35f0959fa55606df1bb6995b46030c61

SHA256
b3ca2f2cc15a16fc390172a9507337dc1f73d3501b46e2c761238171456654ae

SHA512
c0374732df1bdc15fac5229019d2962485d9a221b970690c1d2e6eb0af6401b0c98fc5d9e1584b7896e28c122afb1faa196ae5ba441f234a522c2746c5931998

Download Submit
C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe

Filesize
576KB

MD5
80495befd515f6af32389c1cfb3e8c5b

SHA1
29ec599e91edffe758d0613540fa02da686f1746

SHA256
775157d95dba8027eb71f061d11f805dae23b5bbd25ceb0edb7f0d3782f4e07b

SHA512
bbbf4ba7c8a6b004ccda8924cea0e59504cdf43816961c5441bbc7fc3c3c22f805d8341eed22f13bdecbf2ad5f1ffe73f626d21a6035cac832c3e9427fa6745f

Download Submit
C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe

Filesize
576KB

MD5
80495befd515f6af32389c1cfb3e8c5b

SHA1
29ec599e91edffe758d0613540fa02da686f1746

SHA256
775157d95dba8027eb71f061d11f805dae23b5bbd25ceb0edb7f0d3782f4e07b

SHA512
bbbf4ba7c8a6b004ccda8924cea0e59504cdf43816961c5441bbc7fc3c3c22f805d8341eed22f13bdecbf2ad5f1ffe73f626d21a6035cac832c3e9427fa6745f

Download Submit
memory/372-138-0x0000016E5DE10000-0x0000016E5E430000-memory.dmp

Filesize
6.1MB

Download
memory/372-162-0x0000016E5E750000-0x0000016E5E75C000-memory.dmp

Filesize
48KB

Download
memory/372-145-0x00007FF8B3D60000-0x00007FF8B4821000-memory.dmp

Filesize
10.8MB

Download
memory/372-232-0x00007FF8B3D60000-0x00007FF8B4821000-memory.dmp

Filesize
10.8MB

Download
memory/2108-221-0x0000000006210000-0x000000000622E000-memory.dmp

Filesize
120KB

Download
memory/2108-233-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/2108-174-0x0000000005B20000-0x0000000005B42000-memory.dmp

Filesize
136KB

Download
memory/2108-176-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/2108-172-0x00000000053F0000-0x0000000005A18000-memory.dmp

Filesize
6.2MB

Download
memory/2108-234-0x00000000078D0000-0x00000000078D8000-memory.dmp

Filesize
32KB

Download
memory/2108-171-0x00000000029C0000-0x00000000029F6000-memory.dmp

Filesize
216KB

Download
memory/2108-231-0x00000000077E0000-0x00000000077EE000-memory.dmp

Filesize
56KB

Download
memory/2108-230-0x0000000007820000-0x00000000078B6000-memory.dmp

Filesize
600KB

Download
memory/2108-229-0x0000000007610000-0x000000000761A000-memory.dmp

Filesize
40KB

Download
memory/2108-228-0x00000000075A0000-0x00000000075BA000-memory.dmp

Filesize
104KB

Download
memory/2108-227-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/2108-226-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/2108-225-0x000000006FE40000-0x000000006FE8C000-memory.dmp

Filesize
304KB

Download
memory/2108-224-0x00000000068B0000-0x00000000068E2000-memory.dmp

Filesize
200KB

Download
memory/3276-223-0x00000000067C0000-0x00000000067CA000-memory.dmp

Filesize
40KB

Download
memory/4160-165-0x0000000005F80000-0x0000000005FBC000-memory.dmp

Filesize
240KB

Download
memory/4160-164-0x00000000053A0000-0x00000000053B2000-memory.dmp

Filesize
72KB

Download
memory/4160-163-0x0000000004F30000-0x0000000004F96000-memory.dmp

Filesize
408KB

Download
memory/4160-160-0x0000000004E20000-0x0000000004EB2000-memory.dmp

Filesize
584KB

Download
memory/4160-159-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/4160-158-0x0000000000420000-0x00000000004B6000-memory.dmp

Filesize
600KB

Download