quasar | 4576693687b188ea748add6660d7eee2dd3bdb86a60a9cf8dc99c0d191d61303

Analysis

max time kernel
77s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2023 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa48fe6b5774a66cab06338fa55d17de.exe
Size

16.7MB
MD5

aa48fe6b5774a66cab06338fa55d17de
SHA1

a734431bb537225596ef3ea0674944b2ecd6fe22
SHA256

4576693687b188ea748add6660d7eee2dd3bdb86a60a9cf8dc99c0d191d61303
SHA512

9e7e64ce6c54ac98e54ee8f7eb576849bad99ec4281786023b948deb65067917929099a56f802079cda98761733184f7981a164a1200b5062a26fd3d176eb680
SSDEEP

393216:dRwHfrE1h2ye2vmGpEeaQrg8OUEsf3iCZOuko4xgWL74hwtG1ZtJRjHYX:8HfrEKgJeehrSW3NOVoudPliZtTHYX

Score

10^/10

quasar venomrat office04 evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

smtp.yassine-bolard.nl:72

82.65.150.176:72

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
V8QkE5vrgV4DVybE2MTP
install_name
$77Discord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
Discord

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
behavioral2/memory/1756-63-0x00000000001F0000-0x0000000000286000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

$77-Venom.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	$77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	$77-Venom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	$77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	$77-Venom.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
behavioral2/memory/1756-63-0x00000000001F0000-0x0000000000286000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Nirsoft 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft
C:\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AdvancedRun.exeAdvancedRun.exeDiscord.exe$77Discord.exeaa48fe6b5774a66cab06338fa55d17de.exewindows_defender_bypass.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	$77Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	aa48fe6b5774a66cab06338fa55d17de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	windows_defender_bypass.exe

Executes dropped EXE 9 IoCs

Processes:

windows_defender_bypass.exeDiscord.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe$77-Venom.exe$77Discord.exe$77Discord.exe

pid	process
2920	windows_defender_bypass.exe
2964	Discord.exe
3372	AdvancedRun.exe
1884	AdvancedRun.exe
392	AdvancedRun.exe
2236	AdvancedRun.exe
1756	$77-Venom.exe
2276	$77Discord.exe
5048	$77Discord.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

$77-Venom.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	$77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	$77-Venom.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

$77Discord.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Windows\\SysWOW64\\Discord\\$77Discord.exe\""	$77Discord.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

47 ip-api.com

flow	ioc
47	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

$77-Venom.exe$77Discord.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Discord\$77Discord.exe	$77-Venom.exe
File opened for modification	C:\Windows\SysWOW64\Discord\$77Discord.exe	$77-Venom.exe
File opened for modification	C:\Windows\SysWOW64\Discord\$77Discord.exe	$77Discord.exe
File opened for modification	C:\Windows\SysWOW64\Discord	$77Discord.exe

Drops file in Program Files directory 17 IoCs

Processes:

Discord.exeaa48fe6b5774a66cab06338fa55d17de.exewindows_defender_bypass.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows_Defender\16384.rnd	Discord.exe
File opened for modification	C:\Program Files\Windows_Update	aa48fe6b5774a66cab06338fa55d17de.exe
File created	C:\Program Files\Windows_Update\Discord.exe	aa48fe6b5774a66cab06338fa55d17de.exe
File created	C:\Program Files\Windows_Update\Windows_Defender_Bypass.exe	aa48fe6b5774a66cab06338fa55d17de.exe
File opened for modification	C:\Program Files\Windows_Update\Windows_Defender_Bypass.exe	aa48fe6b5774a66cab06338fa55d17de.exe
File created	C:\Program Files\Windows_Defender\16384.rnd	Discord.exe
File opened for modification	C:\Program Files\Windows_Defender\Test.bat	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\AdvancedRun.exe	windows_defender_bypass.exe
File opened for modification	C:\Program Files\Windows_Defender\AdvancedRun.exe	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\__tmp_rar_sfx_access_check_240657265	Discord.exe
File created	C:\Program Files\Windows_Defender\$77-Venom.exe	Discord.exe
File opened for modification	C:\Program Files\Windows_Update\Discord.exe	aa48fe6b5774a66cab06338fa55d17de.exe
File opened for modification	C:\Program Files\Windows_Defender	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\Test.bat	windows_defender_bypass.exe
File opened for modification	C:\Program Files\Windows_Defender\$77-Venom.exe	Discord.exe
File created	C:\Program Files\Windows_Update\__tmp_rar_sfx_access_check_240655546	aa48fe6b5774a66cab06338fa55d17de.exe
File created	C:\Program Files\Windows_Defender\__tmp_rar_sfx_access_check_240656906	windows_defender_bypass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1384 2276 WerFault.exe $77Discord.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

436 schtasks.exe
3624 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4120 PING.EXE

pid	pid_target	process	target process
1384	2276	WerFault.exe	$77Discord.exe

pid	process
436	schtasks.exe
3624	schtasks.exe

pid	process
4120	PING.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exepowershell.exe

pid	process
1884	AdvancedRun.exe
1884	AdvancedRun.exe
1884	AdvancedRun.exe
3372	AdvancedRun.exe
3372	AdvancedRun.exe
3372	AdvancedRun.exe
3372	AdvancedRun.exe
1884	AdvancedRun.exe
1884	AdvancedRun.exe
392	AdvancedRun.exe
392	AdvancedRun.exe
2236	AdvancedRun.exe
2236	AdvancedRun.exe
392	AdvancedRun.exe
392	AdvancedRun.exe
2236	AdvancedRun.exe
2236	AdvancedRun.exe
4652	powershell.exe
4652	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe$77-Venom.exepowershell.exe$77Discord.exe

description	pid	process
Token: SeDebugPrivilege	1884	AdvancedRun.exe
Token: SeDebugPrivilege	3372	AdvancedRun.exe
Token: SeImpersonatePrivilege	3372	AdvancedRun.exe
Token: SeImpersonatePrivilege	1884	AdvancedRun.exe
Token: SeDebugPrivilege	392	AdvancedRun.exe
Token: SeDebugPrivilege	2236	AdvancedRun.exe
Token: SeImpersonatePrivilege	392	AdvancedRun.exe
Token: SeImpersonatePrivilege	2236	AdvancedRun.exe
Token: SeDebugPrivilege	1756	$77-Venom.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	2276	$77Discord.exe
Token: SeDebugPrivilege	2276	$77Discord.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

windows_defender_bypass.exeDiscord.exeAdvancedRun.exeAdvancedRun.exe$77Discord.exe

pid process

2920 windows_defender_bypass.exe
2964 Discord.exe
1884 AdvancedRun.exe
3372 AdvancedRun.exe
2276 $77Discord.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

aa48fe6b5774a66cab06338fa55d17de.exewindows_defender_bypass.exeAdvancedRun.exeAdvancedRun.exeDiscord.exe$77-Venom.exe$77Discord.execmd.exe

description	pid	process	target process
PID 3152 wrote to memory of 2920	3152	aa48fe6b5774a66cab06338fa55d17de.exe	windows_defender_bypass.exe
PID 3152 wrote to memory of 2920	3152	aa48fe6b5774a66cab06338fa55d17de.exe	windows_defender_bypass.exe
PID 3152 wrote to memory of 2920	3152	aa48fe6b5774a66cab06338fa55d17de.exe	windows_defender_bypass.exe
PID 3152 wrote to memory of 2964	3152	aa48fe6b5774a66cab06338fa55d17de.exe	Discord.exe
PID 3152 wrote to memory of 2964	3152	aa48fe6b5774a66cab06338fa55d17de.exe	Discord.exe
PID 3152 wrote to memory of 2964	3152	aa48fe6b5774a66cab06338fa55d17de.exe	Discord.exe
PID 2920 wrote to memory of 3372	2920	windows_defender_bypass.exe	AdvancedRun.exe
PID 2920 wrote to memory of 3372	2920	windows_defender_bypass.exe	AdvancedRun.exe
PID 2920 wrote to memory of 1884	2920	windows_defender_bypass.exe	AdvancedRun.exe
PID 2920 wrote to memory of 1884	2920	windows_defender_bypass.exe	AdvancedRun.exe
PID 1884 wrote to memory of 2236	1884	AdvancedRun.exe	AdvancedRun.exe
PID 1884 wrote to memory of 2236	1884	AdvancedRun.exe	AdvancedRun.exe
PID 3372 wrote to memory of 392	3372	AdvancedRun.exe	AdvancedRun.exe
PID 3372 wrote to memory of 392	3372	AdvancedRun.exe	AdvancedRun.exe
PID 2964 wrote to memory of 1756	2964	Discord.exe	$77-Venom.exe
PID 2964 wrote to memory of 1756	2964	Discord.exe	$77-Venom.exe
PID 2964 wrote to memory of 1756	2964	Discord.exe	$77-Venom.exe
PID 1756 wrote to memory of 436	1756	$77-Venom.exe	schtasks.exe
PID 1756 wrote to memory of 436	1756	$77-Venom.exe	schtasks.exe
PID 1756 wrote to memory of 436	1756	$77-Venom.exe	schtasks.exe
PID 1756 wrote to memory of 2276	1756	$77-Venom.exe	$77Discord.exe
PID 1756 wrote to memory of 2276	1756	$77-Venom.exe	$77Discord.exe
PID 1756 wrote to memory of 2276	1756	$77-Venom.exe	$77Discord.exe
PID 1756 wrote to memory of 4652	1756	$77-Venom.exe	powershell.exe
PID 1756 wrote to memory of 4652	1756	$77-Venom.exe	powershell.exe
PID 1756 wrote to memory of 4652	1756	$77-Venom.exe	powershell.exe
PID 2276 wrote to memory of 3624	2276	$77Discord.exe	schtasks.exe
PID 2276 wrote to memory of 3624	2276	$77Discord.exe	schtasks.exe
PID 2276 wrote to memory of 3624	2276	$77Discord.exe	schtasks.exe
PID 2276 wrote to memory of 3776	2276	$77Discord.exe	cmd.exe
PID 2276 wrote to memory of 3776	2276	$77Discord.exe	cmd.exe
PID 2276 wrote to memory of 3776	2276	$77Discord.exe	cmd.exe
PID 3776 wrote to memory of 4776	3776	cmd.exe	chcp.com
PID 3776 wrote to memory of 4776	3776	cmd.exe	chcp.com
PID 3776 wrote to memory of 4776	3776	cmd.exe	chcp.com
PID 3776 wrote to memory of 4120	3776	cmd.exe	PING.EXE
PID 3776 wrote to memory of 4120	3776	cmd.exe	PING.EXE
PID 3776 wrote to memory of 4120	3776	cmd.exe	PING.EXE
PID 3776 wrote to memory of 5048	3776	cmd.exe	$77Discord.exe
PID 3776 wrote to memory of 5048	3776	cmd.exe	$77Discord.exe
PID 3776 wrote to memory of 5048	3776	cmd.exe	$77Discord.exe

C:\Users\Admin\AppData\Local\Temp\aa48fe6b5774a66cab06338fa55d17de.exe
"C:\Users\Admin\AppData\Local\Temp\aa48fe6b5774a66cab06338fa55d17de.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Program Files\Windows_Update\windows_defender_bypass.exe
  "C:\Program Files\Windows_Update\windows_defender_bypass.exe" -pKazutoSan72@$%?:YB381#4PcVh9!0LqF5
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Program Files\Windows_Defender\AdvancedRun.exe
    "C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.bat /RunAs 8 /Run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Program Files\Windows_Defender\AdvancedRun.exe
      "C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 1884
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2236
- - C:\Program Files\Windows_Defender\AdvancedRun.exe
    "C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.bat /RunAs 8 /Run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Program Files\Windows_Defender\AdvancedRun.exe
      "C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 3372
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:392
- C:\Program Files\Windows_Update\Discord.exe
  "C:\Program Files\Windows_Update\Discord.exe" -pKazutoSan72@$%?:YB381#4PcVh9!0LqF5
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Program Files\Windows_Defender\$77-Venom.exe
    "C:\Program Files\Windows_Defender\$77-Venom.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Program Files\Windows_Defender\$77-Venom.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:436
  - - C:\Windows\SysWOW64\Discord\$77Discord.exe
      "C:\Windows\SysWOW64\Discord\$77Discord.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\Discord\$77Discord.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:3624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKTG4I9N1y1j.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3776
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4776
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:4120
      - C:\Windows\SysWOW64\Discord\$77Discord.exe
        
        "C:\Windows\SysWOW64\Discord\$77Discord.exe"
        6⤵
        Executes dropped EXE
        
        PID:5048
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1736
        5⤵
        Program crash
        
        PID:1384
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2276 -ip 2276
1⤵
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows_Defender\$77-Venom.exe

Filesize
576KB

MD5
d33530be695abbae61885800b8dae773

SHA1
ff5c3f69b71ddcf20948d16e2a1a1602f54c9f69

SHA256
f650c17d393c32c30f3ba1e34bc981f5ec4357a2e2084752b2e47b3d72ca4676

SHA512
83c6828e113ef193a0ba10f8dd6790107821515e82ac3724da224f6b47eaf35a321583c99a20757a4e89a1d50f59e6dd349bfc5c3d5394361fe9510eeac146f1

Download Submit
C:\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
148KB

MD5
fd048f729a521a51273897c937b0a132

SHA1
3ba5137721c135fe125f9667c45b01b9728d21ed

SHA256
71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4

SHA512
9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

Download Submit
C:\Program Files\Windows_Defender\AdvancedRun.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Windows_Update\Discord.exe

Filesize
2.1MB

MD5
d6ebb5cd28341a5d77c127b56ce95800

SHA1
519844a801c69a6dbaf3c91ad4f1869140d00b5b

SHA256
9f94a1f0add12f4e63c49dc72c783aecebd30d5b8e48740c779a413a325e91c6

SHA512
6358493d8ebaacf7713d8914e39806a01c4b6c5368185e9043d5c0d32523044489b2df6c0cefa1f1ec70e9ee0ea8a1c050fafb19050ce1a7d8c2528a36b483be

Download Submit
C:\Program Files\Windows_Update\Discord.exe

Filesize
1.3MB

MD5
24b757a898e6e0a116cbae84db4e8fa4

SHA1
4010e1b5085e199cf57d8c27fde565f11514a986

SHA256
fd35022298089e9bd4d4d45decb09379bac3d27e3377b20b574b86bd814f59f0

SHA512
7268d4207309787ee3dbe06cc1ac091a2f0f95f713834b8b79e409842f206361be746fee9053f8bb6a685bc22732fcc4172ddc4c08025566df5a827eca89b050

Download Submit
C:\Program Files\Windows_Update\Discord.exe

Filesize
768KB

MD5
6d0180266a4add95b80894b576e6a9ea

SHA1
a1a6bb84fd96ff1884ef6a8da051de10c1e5afa5

SHA256
7b36534bb12a108229bd961c6eca31808d9ebe73544c7d98b3edf404fd705390

SHA512
2797edde64e8f9da3cfb63c9fc744edc3694d6ae591f88e9795af2376deda1b056f14e9ea72db8da5cf1334c2dc8eab2d2b23376db3c43825a322aad8b43dcd2

Download Submit
C:\Program Files\Windows_Update\Windows_Defender_Bypass.exe

Filesize
339KB

MD5
bf92277e5e65c1174f446cfe4e5e9ea4

SHA1
54dd08b9405443d51006473cd78f404ccf06ee8a

SHA256
b8f59e47d92f6ec02282832a4dc0d516b5bf66c60f02f0808fe991e643e0dba5

SHA512
e8911aad42cc858ac1b56e78e9899ced4b05c0f077f6c4f1a951ea6152f30aa5bb5e04220e1d2ed59cf5493923130e2870815f915644b6ae395d3b25df985358

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m5svun2x.yom.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xKTG4I9N1y1j.bat

Filesize
201B

MD5
d7cdf9819ed0b88a5d1bc35d71883c86

SHA1
58ea42a6e43351b3ce1007504561c025c82b7ca2

SHA256
4ce6b899033a5021601b7d6bf1cde61fd5508f4f9b4ca6159c71efa716fa3636

SHA512
56aedcc2dc132b01d9a44be98f11e20492267528caa0709f287d0e7034b676756ffc11f9f95281165de3c651caa7485e8a9b9afa183e3df1b59e91247cc69781

Download Submit
memory/1756-68-0x0000000004D30000-0x0000000004D96000-memory.dmp

Filesize
408KB

Download
memory/1756-64-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/1756-67-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/1756-65-0x0000000005240000-0x00000000057E4000-memory.dmp

Filesize
5.6MB

Download
memory/1756-69-0x0000000005C60000-0x0000000005C72000-memory.dmp

Filesize
72KB

Download
memory/1756-70-0x00000000060A0000-0x00000000060DC000-memory.dmp

Filesize
240KB

Download
memory/1756-63-0x00000000001F0000-0x0000000000286000-memory.dmp

Filesize
600KB

Download
memory/1756-102-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/1756-103-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/1756-66-0x0000000004C90000-0x0000000004D22000-memory.dmp

Filesize
584KB

Download
memory/2276-106-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/2276-107-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2276-77-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2276-101-0x0000000006670000-0x000000000667A000-memory.dmp

Filesize
40KB

Download
memory/2276-76-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4652-93-0x0000000005A70000-0x0000000005DC4000-memory.dmp

Filesize
3.3MB

Download
memory/4652-79-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4652-95-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

Filesize
304KB

Download
memory/4652-98-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4652-92-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/4652-82-0x00000000056E0000-0x0000000005702000-memory.dmp

Filesize
136KB

Download
memory/4652-81-0x0000000005000000-0x0000000005628000-memory.dmp

Filesize
6.2MB

Download
memory/4652-80-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4652-78-0x00000000048A0000-0x00000000048D6000-memory.dmp

Filesize
216KB

Download
memory/4652-105-0x0000000006460000-0x0000000006492000-memory.dmp

Filesize
200KB

Download
memory/4652-108-0x00000000706D0000-0x000000007071C000-memory.dmp

Filesize
304KB

Download
memory/4652-109-0x000000007F9E0000-0x000000007F9F0000-memory.dmp

Filesize
64KB

Download
memory/4652-119-0x0000000006440000-0x000000000645E000-memory.dmp

Filesize
120KB

Download
memory/4652-94-0x0000000005E80000-0x0000000005E9E000-memory.dmp

Filesize
120KB

Download
memory/4652-120-0x0000000007060000-0x0000000007103000-memory.dmp

Filesize
652KB

Download
memory/4652-121-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4652-122-0x0000000007800000-0x0000000007E7A000-memory.dmp

Filesize
6.5MB

Download
memory/4652-123-0x00000000071C0000-0x00000000071DA000-memory.dmp

Filesize
104KB

Download
memory/4652-125-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4652-126-0x0000000007230000-0x000000000723A000-memory.dmp

Filesize
40KB

Download
memory/4652-127-0x0000000007450000-0x00000000074E6000-memory.dmp

Filesize
600KB

Download
memory/4652-128-0x00000000073C0000-0x00000000073D1000-memory.dmp

Filesize
68KB

Download
memory/4652-129-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4652-132-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/5048-131-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download