Analysis Overview
SHA256
f546c80fed56869c11e41e892fcf4485e1704ccfb084e115d5377e453637fa6d
Threat Level: Known bad
The file 09a8420f132e0ecc5725d7055d4201dc was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Contains code to disable Windows Defender
Quasar payload
Nirsoft
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Drops file in Program Files directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Runs ping.exe
Analysis: static1
Detonation Overview
Reported
2023-12-30 01:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 01:11
Reported
2023-12-31 02:18
Platform
win10v2004-20231215-en
Max time kernel
6s
Max time network
10s
Signatures
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Discord\$77Discord.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe
"C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe"
C:\Program Files\Windows_Defender\Advancedruncmd.exe
"C:\Program Files\Windows_Defender\Advancedruncmd.exe" "-pKazutoSan72@$%?:YB381#4PcVh9!0LqF5&jk6*Dw"
C:\Program Files\Windows_Defender\RAT.exe
"C:\Program Files\Windows_Defender\RAT.exe" "-pKazutoSan72@$%?:YB381#4PcVh9!0LqF5&jk6*Dw"
C:\Program Files\Windows_Defender\AdvancedRun.exe
"C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.cmd /RunAs 8 /Run
C:\Program Files\Windows_Defender\AdvancedRun.exe
"C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.cmd /RunAs 8 /Run
C:\Program Files\Windows_Defender\AdvancedRun.exe
"C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 3008
C:\Program Files\Windows_Defender\AdvancedRun.exe
"C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 3764
C:\Program Files\Windows_Defender\$77-Venom.exe
"C:\Program Files\Windows_Defender\$77-Venom.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Program Files\Windows_Defender\$77-Venom.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\SysWOW64\Discord\$77Discord.exe
"C:\Windows\SysWOW64\Discord\$77Discord.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\Discord\$77Discord.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5036 -ip 5036
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 2244
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | smtp.yassine-bolard.nl | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 01:11
Reported
2023-12-31 02:17
Platform
win7-20231215-en
Max time kernel
17s
Max time network
122s
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows_Defender\Advancedruncmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows_Defender\RAT.exe | N/A |
| N/A | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Program Files\Windows_Defender\$77-Venom.exe | N/A |
Loads dropped DLL
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows_Defender\$77-Venom.exe | C:\Program Files\Windows_Defender\RAT.exe | N/A |
| File opened for modification | C:\Program Files\Windows_Defender\$77-Venom.exe | C:\Program Files\Windows_Defender\RAT.exe | N/A |
| File created | C:\Program Files\Windows_Defender\16384.rnd | C:\Program Files\Windows_Defender\RAT.exe | N/A |
| File opened for modification | C:\Program Files\Windows_Defender\16384.rnd | C:\Program Files\Windows_Defender\RAT.exe | N/A |
| File opened for modification | C:\Program Files\Windows_Defender\Advancedruncmd.exe | C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe | N/A |
| File created | C:\Program Files\Windows_Defender\__tmp_rar_sfx_access_check_259408618 | C:\Program Files\Windows_Defender\Advancedruncmd.exe | N/A |
| File created | C:\Program Files\Windows_Defender\Test.cmd | C:\Program Files\Windows_Defender\Advancedruncmd.exe | N/A |
| File created | C:\Program Files\Windows_Defender\__tmp_rar_sfx_access_check_259407838 | C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe | N/A |
| File opened for modification | C:\Program Files\Windows_Defender\Test.cmd | C:\Program Files\Windows_Defender\Advancedruncmd.exe | N/A |
| File created | C:\Program Files\Windows_Defender\AdvancedRun.exe | C:\Program Files\Windows_Defender\Advancedruncmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows_Defender\RAT.exe | C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe | N/A |
| File opened for modification | C:\Program Files\Windows_Defender\AdvancedRun.exe | C:\Program Files\Windows_Defender\Advancedruncmd.exe | N/A |
| File created | C:\Program Files\Windows_Defender\__tmp_rar_sfx_access_check_259408898 | C:\Program Files\Windows_Defender\RAT.exe | N/A |
| File opened for modification | C:\Program Files\Windows_Defender | C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe | N/A |
| File created | C:\Program Files\Windows_Defender\Advancedruncmd.exe | C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe | N/A |
| File created | C:\Program Files\Windows_Defender\RAT.exe | C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Discord\$77Discord.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe
"C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe"
C:\Program Files\Windows_Defender\Advancedruncmd.exe
"C:\Program Files\Windows_Defender\Advancedruncmd.exe" "-pKazutoSan72@$%?:YB381#4PcVh9!0LqF5&jk6*Dw"
C:\Program Files\Windows_Defender\RAT.exe
"C:\Program Files\Windows_Defender\RAT.exe" "-pKazutoSan72@$%?:YB381#4PcVh9!0LqF5&jk6*Dw"
C:\Program Files\Windows_Defender\AdvancedRun.exe
"C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 2656
C:\Program Files\Windows_Defender\AdvancedRun.exe
"C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 2936
C:\Program Files\Windows_Defender\AdvancedRun.exe
"C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.cmd /RunAs 8 /Run
C:\Program Files\Windows_Defender\AdvancedRun.exe
"C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.cmd /RunAs 8 /Run
C:\Program Files\Windows_Defender\$77-Venom.exe
"C:\Program Files\Windows_Defender\$77-Venom.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Program Files\Windows_Defender\$77-Venom.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\SysWOW64\Discord\$77Discord.exe
"C:\Windows\SysWOW64\Discord\$77Discord.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\Discord\$77Discord.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pAz8ptJha8C3.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1476
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8M4tMHeVSexc.bat" "
C:\Program Files\Windows_Defender\$77-Venom.exe
"C:\Program Files\Windows_Defender\$77-Venom.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | smtp.yassine-bolard.nl | udp |
| US | 8.8.8.8:53 | payloads-poison.000webhostapp.com | udp |
| US | 145.14.145.179:443 | payloads-poison.000webhostapp.com | tcp |
| FR | 91.134.207.16:80 | 91.134.207.16 | tcp |
Files