Malware Analysis Report

2025-01-18 04:18

Sample ID 231230-bj4e6aaec9
Target 09a8420f132e0ecc5725d7055d4201dc
SHA256 f546c80fed56869c11e41e892fcf4485e1704ccfb084e115d5377e453637fa6d
Tags
quasar office04 spyware trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

f546c80fed56869c11e41e892fcf4485e1704ccfb084e115d5377e453637fa6d

Threat Level: Known bad

The file 09a8420f132e0ecc5725d7055d4201dc was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar RAT

Contains code to disable Windows Defender

Quasar payload

Nirsoft

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 01:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 01:11

Reported

2023-12-31 02:18

Platform

win10v2004-20231215-en

Max time kernel

6s

Max time network

10s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe"

Signatures

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Discord\$77Discord.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe

"C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe"

C:\Program Files\Windows_Defender\Advancedruncmd.exe

"C:\Program Files\Windows_Defender\Advancedruncmd.exe" "-pKazutoSan72@$%?:YB381#4PcVh9!0LqF5&jk6*Dw"

C:\Program Files\Windows_Defender\RAT.exe

"C:\Program Files\Windows_Defender\RAT.exe" "-pKazutoSan72@$%?:YB381#4PcVh9!0LqF5&jk6*Dw"

C:\Program Files\Windows_Defender\AdvancedRun.exe

"C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.cmd /RunAs 8 /Run

C:\Program Files\Windows_Defender\AdvancedRun.exe

"C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.cmd /RunAs 8 /Run

C:\Program Files\Windows_Defender\AdvancedRun.exe

"C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 3008

C:\Program Files\Windows_Defender\AdvancedRun.exe

"C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 3764

C:\Program Files\Windows_Defender\$77-Venom.exe

"C:\Program Files\Windows_Defender\$77-Venom.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Program Files\Windows_Defender\$77-Venom.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SysWOW64\Discord\$77Discord.exe

"C:\Windows\SysWOW64\Discord\$77Discord.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\Discord\$77Discord.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5036 -ip 5036

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 2244

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | smtp.yassine-bolard.nl | udp

Files

memory/4264-55-0x0000000000D00000-0x0000000000D96000-memory.dmp

memory/4264-56-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/4264-57-0x0000000005CD0000-0x0000000006274000-memory.dmp

memory/4264-58-0x00000000057C0000-0x0000000005852000-memory.dmp

memory/4264-59-0x0000000005890000-0x00000000058A0000-memory.dmp

memory/4264-60-0x00000000058A0000-0x0000000005906000-memory.dmp

memory/4264-61-0x00000000064C0000-0x00000000064D2000-memory.dmp

memory/5036-68-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/5036-69-0x00000000053A0000-0x00000000053B0000-memory.dmp

memory/2688-70-0x0000000002690000-0x00000000026C6000-memory.dmp

memory/2688-72-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/2688-74-0x0000000005150000-0x0000000005778000-memory.dmp

memory/2688-73-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/2688-75-0x0000000004FE0000-0x0000000005002000-memory.dmp

memory/2688-86-0x0000000005B50000-0x0000000005EA4000-memory.dmp

memory/2688-76-0x0000000005880000-0x00000000058E6000-memory.dmp

memory/2688-71-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/2688-87-0x0000000005F60000-0x0000000005F7E000-memory.dmp

memory/2688-88-0x0000000005FB0000-0x0000000005FFC000-memory.dmp

memory/4264-62-0x0000000006A00000-0x0000000006A3C000-memory.dmp

memory/5036-90-0x0000000006AA0000-0x0000000006AAA000-memory.dmp

memory/2688-93-0x0000000070490000-0x00000000704DC000-memory.dmp

memory/2688-106-0x0000000007140000-0x00000000071E3000-memory.dmp

memory/2688-111-0x00000000072A0000-0x00000000072BA000-memory.dmp

memory/2688-110-0x00000000078E0000-0x0000000007F5A000-memory.dmp

memory/2688-112-0x0000000007310000-0x000000000731A000-memory.dmp

memory/2688-113-0x0000000007520000-0x00000000075B6000-memory.dmp

memory/2688-114-0x00000000074A0000-0x00000000074B1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 01:11

Reported

2023-12-31 02:17

Platform

win7-20231215-en

Max time kernel

17s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe"

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
(20 rows, all fields N/A)

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
(20 rows, all fields N/A)

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows_Defender\$77-Venom.exe | C:\Program Files\Windows_Defender\RAT.exe | N/A
File opened for modification | C:\Program Files\Windows_Defender\$77-Venom.exe | C:\Program Files\Windows_Defender\RAT.exe | N/A
File created | C:\Program Files\Windows_Defender\16384.rnd | C:\Program Files\Windows_Defender\RAT.exe | N/A
File opened for modification | C:\Program Files\Windows_Defender\16384.rnd | C:\Program Files\Windows_Defender\RAT.exe | N/A
File opened for modification | C:\Program Files\Windows_Defender\Advancedruncmd.exe | C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe | N/A
File created | C:\Program Files\Windows_Defender\__tmp_rar_sfx_access_check_259408618 | C:\Program Files\Windows_Defender\Advancedruncmd.exe | N/A
File created | C:\Program Files\Windows_Defender\Test.cmd | C:\Program Files\Windows_Defender\Advancedruncmd.exe | N/A
File created | C:\Program Files\Windows_Defender\__tmp_rar_sfx_access_check_259407838 | C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe | N/A
File opened for modification | C:\Program Files\Windows_Defender\Test.cmd | C:\Program Files\Windows_Defender\Advancedruncmd.exe | N/A
File created | C:\Program Files\Windows_Defender\AdvancedRun.exe | C:\Program Files\Windows_Defender\Advancedruncmd.exe | N/A
File opened for modification | C:\Program Files\Windows_Defender\RAT.exe | C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe | N/A
File opened for modification | C:\Program Files\Windows_Defender\AdvancedRun.exe | C:\Program Files\Windows_Defender\Advancedruncmd.exe | N/A
File created | C:\Program Files\Windows_Defender\__tmp_rar_sfx_access_check_259408898 | C:\Program Files\Windows_Defender\RAT.exe | N/A
File opened for modification | C:\Program Files\Windows_Defender | C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe | N/A
File created | C:\Program Files\Windows_Defender\Advancedruncmd.exe | C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe | N/A
File created | C:\Program Files\Windows_Defender\RAT.exe | C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Discord\$77Discord.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (4 events) | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A
Token: SeImpersonatePrivilege (4 events) | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1940 wrote to memory of 2256 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe | C:\Program Files\Windows_Defender\Advancedruncmd.exe
PID 1940 wrote to memory of 2840 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe | C:\Program Files\Windows_Defender\RAT.exe
PID 2256 wrote to memory of 2936 (4 events) | N/A | C:\Program Files\Windows_Defender\Advancedruncmd.exe | C:\Program Files\Windows_Defender\AdvancedRun.exe
PID 2256 wrote to memory of 2656 (4 events) | N/A | C:\Program Files\Windows_Defender\Advancedruncmd.exe | C:\Program Files\Windows_Defender\AdvancedRun.exe
PID 2936 wrote to memory of 2572 (3 events) | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | C:\Program Files\Windows_Defender\AdvancedRun.exe
PID 2656 wrote to memory of 844 (3 events) | N/A | C:\Program Files\Windows_Defender\AdvancedRun.exe | C:\Program Files\Windows_Defender\AdvancedRun.exe
PID 2840 wrote to memory of 2908 (4 events) | N/A | C:\Program Files\Windows_Defender\RAT.exe | C:\Program Files\Windows_Defender\$77-Venom.exe
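The WriteProcessMemory rows are the only place this report records which process spawned which: the sandbox logs one row per write the parent makes into its new child, so each spawn is recorded three or four times. The Python below is an added example, not part of the sandbox output. It parses rows in that form (copied from the win7 table, with directory prefixes dropped and the repeats kept as the sandbox emits them), collapses the repeats into one parent-to-child edge with an event count, and prints the spawn tree.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the "Suspicious use of WriteProcessMemory" rows from
# the win7 run, reduced to description | writer image | target image.
# One row per write, so a parent that spawned a child appears 3-4 times.
WPM_TABLE = """
PID 1940 wrote to memory of 2256 | 09a8420f132e0ecc5725d7055d4201dc.exe | Advancedruncmd.exe
PID 1940 wrote to memory of 2256 | 09a8420f132e0ecc5725d7055d4201dc.exe | Advancedruncmd.exe
PID 1940 wrote to memory of 2256 | 09a8420f132e0ecc5725d7055d4201dc.exe | Advancedruncmd.exe
PID 1940 wrote to memory of 2256 | 09a8420f132e0ecc5725d7055d4201dc.exe | Advancedruncmd.exe
PID 1940 wrote to memory of 2840 | 09a8420f132e0ecc5725d7055d4201dc.exe | RAT.exe
PID 1940 wrote to memory of 2840 | 09a8420f132e0ecc5725d7055d4201dc.exe | RAT.exe
PID 1940 wrote to memory of 2840 | 09a8420f132e0ecc5725d7055d4201dc.exe | RAT.exe
PID 1940 wrote to memory of 2840 | 09a8420f132e0ecc5725d7055d4201dc.exe | RAT.exe
PID 2256 wrote to memory of 2936 | Advancedruncmd.exe | AdvancedRun.exe
PID 2256 wrote to memory of 2936 | Advancedruncmd.exe | AdvancedRun.exe
PID 2256 wrote to memory of 2936 | Advancedruncmd.exe | AdvancedRun.exe
PID 2256 wrote to memory of 2936 | Advancedruncmd.exe | AdvancedRun.exe
PID 2256 wrote to memory of 2656 | Advancedruncmd.exe | AdvancedRun.exe
PID 2256 wrote to memory of 2656 | Advancedruncmd.exe | AdvancedRun.exe
PID 2256 wrote to memory of 2656 | Advancedruncmd.exe | AdvancedRun.exe
PID 2256 wrote to memory of 2656 | Advancedruncmd.exe | AdvancedRun.exe
PID 2936 wrote to memory of 2572 | AdvancedRun.exe | AdvancedRun.exe
PID 2936 wrote to memory of 2572 | AdvancedRun.exe | AdvancedRun.exe
PID 2936 wrote to memory of 2572 | AdvancedRun.exe | AdvancedRun.exe
PID 2656 wrote to memory of 844 | AdvancedRun.exe | AdvancedRun.exe
PID 2656 wrote to memory of 844 | AdvancedRun.exe | AdvancedRun.exe
PID 2656 wrote to memory of 844 | AdvancedRun.exe | AdvancedRun.exe
PID 2840 wrote to memory of 2908 | RAT.exe | $77-Venom.exe
PID 2840 wrote to memory of 2908 | RAT.exe | $77-Venom.exe
PID 2840 wrote to memory of 2908 | RAT.exe | $77-Venom.exe
PID 2840 wrote to memory of 2908 | RAT.exe | $77-Venom.exe
"""

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_rows(table):
    """Yield (parent_pid, child_pid, parent_image, child_image) per table row."""
    for line in table.strip().splitlines():
        desc, writer, target = (col.strip() for col in line.split("|"))
        match = ROW_RE.fullmatch(desc)
        if match is None:
            raise ValueError(f"unrecognised row: {line!r}")
        yield int(match.group(1)), int(match.group(2)), writer, target


def build_tree(table):
    """Collapse repeated writes into one parent->child edge with an event count."""
    parent_of, children = {}, defaultdict(set)
    image_of, writes = {}, Counter()
    for ppid, pid, pimg, cimg in parse_rows(table):
        if parent_of.setdefault(pid, ppid) != ppid:
            raise ValueError(f"pid {pid} written by two different parents")
        children[ppid].add(pid)
        image_of.setdefault(ppid, pimg)
        image_of[pid] = cimg
        writes[(ppid, pid)] += 1
    return parent_of, children, image_of, writes


def roots(parent_of, children):
    """PIDs that wrote into others but were never written into: the tree tops."""
    return sorted(pid for pid in children if pid not in parent_of)


def render(children, image_of, writes, pid, depth=0):
    """Indented one-line-per-process view, children in PID order."""
    lines = [f"{'  ' * depth}{image_of[pid]} (pid {pid})"]
    for child in sorted(children.get(pid, ())):
        sub = render(children, image_of, writes, child, depth + 1)
        sub[0] = f"{sub[0][:-1]}, {writes[(pid, child)]} writes)"
        lines.extend(sub)
    return lines


if __name__ == "__main__":
    parent_of, children, image_of, writes = build_tree(WPM_TABLE)
    for root in roots(parent_of, children):
        print("\n".join(render(children, image_of, writes, root)))
```

The output puts 09a8420f132e0ecc5725d7055d4201dc.exe at the top with two branches: Advancedruncmd.exe, whose two AdvancedRun.exe children each spawn a further AdvancedRun.exe (the /SpecialRun instances in the Processes list, which carry the parent's pid as their last argument), and RAT.exe, which spawns $77-Venom.exe. The tree stops there because the sandbox raised this signature only for those parents; schtasks.exe, powershell.exe, $77Discord.exe (pid 2456, per the WerFault -p argument) and the cleanup cmd.exe chain appear in the Processes list but not in this table.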

Processes

C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe

"C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe"

C:\Program Files\Windows_Defender\Advancedruncmd.exe

"C:\Program Files\Windows_Defender\Advancedruncmd.exe" "-pKazutoSan72@$%?:YB381#4PcVh9!0LqF5&jk6*Dw"

C:\Program Files\Windows_Defender\RAT.exe

"C:\Program Files\Windows_Defender\RAT.exe" "-pKazutoSan72@$%?:YB381#4PcVh9!0LqF5&jk6*Dw"

C:\Program Files\Windows_Defender\AdvancedRun.exe

"C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 2656

C:\Program Files\Windows_Defender\AdvancedRun.exe

"C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 2936

C:\Program Files\Windows_Defender\AdvancedRun.exe

"C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.cmd /RunAs 8 /Run

C:\Program Files\Windows_Defender\AdvancedRun.exe

"C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.cmd /RunAs 8 /Run

C:\Program Files\Windows_Defender\$77-Venom.exe

"C:\Program Files\Windows_Defender\$77-Venom.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Program Files\Windows_Defender\$77-Venom.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SysWOW64\Discord\$77Discord.exe

"C:\Windows\SysWOW64\Discord\$77Discord.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\Discord\$77Discord.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pAz8ptJha8C3.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1476

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\8M4tMHeVSexc.bat" "

C:\Program Files\Windows_Defender\$77-Venom.exe

"C:\Program Files\Windows_Defender\$77-Venom.exe"
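Read together, the command lines above form a short chain: two WinRAR self-extracting archives unpacked with the -p<password> switch (the __tmp_rar_sfx_access_check_* files in the Drops table are the SFX stub's write test), NirSoft AdvancedRun launching test.cmd with /RunAs 8, the mode NirSoft documents as running the target as TrustedInstaller (consistent with the SeDebugPrivilege and SeImpersonatePrivilege adjustments logged for AdvancedRun.exe), a Get-MpPreference query, two ONLOGON tasks named Discord with /rl HIGHEST pointing at $77-prefixed binaries, and a chcp 65001 / ping -n 10 localhost / del /q/f/s %TEMP% batch that wipes the dropper's temp files. The Python below is an added example, not sandbox output: it runs those patterns as rules over the command lines copied from this list and returns one finding per hit. The rule names are this example's own; the $77 check flags the prefix because it is the one the r77 rootkit uses to hide files and processes, and nothing in this report shows whether r77 itself is bundled.

```python
import re

# Constructed input: the command lines from the win7 run's Processes list
# above, copied verbatim with exact duplicates removed. Nothing is executed;
# the strings are only pattern-matched.
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\09a8420f132e0ecc5725d7055d4201dc.exe"',
    r'"C:\Program Files\Windows_Defender\Advancedruncmd.exe" "-pKazutoSan72@$%?:YB381#4PcVh9!0LqF5&jk6*Dw"',
    r'"C:\Program Files\Windows_Defender\RAT.exe" "-pKazutoSan72@$%?:YB381#4PcVh9!0LqF5&jk6*Dw"',
    r'"C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 2656',
    r'"C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.cmd /RunAs 8 /Run',
    r'"C:\Program Files\Windows_Defender\$77-Venom.exe"',
    r'"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Program Files\Windows_Defender\$77-Venom.exe" /rl HIGHEST /f',
    r'"powershell" Get-MpPreference -verbose',
    r'"C:\Windows\SysWOW64\Discord\$77Discord.exe"',
    r'"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\Discord\$77Discord.exe" /rl HIGHEST /f',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\pAz8ptJha8C3.bat" "',
    r'chcp 65001',
    r'ping -n 10 localhost',
    r'"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit',
    r'C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*',
]

SFX_PASSWORD = re.compile(r'"-p([^"]+)"')              # WinRAR SFX -p<password>
RUNAS_TI = re.compile(r"/RunAs\s+8\b", re.IGNORECASE)   # AdvancedRun mode 8: TrustedInstaller
TASK = re.compile(r'/tn\s+"?([^"\s]+)"?.*?/tr\s+"([^"]+)"', re.IGNORECASE)
PING_DELAY = re.compile(r"-n\s+\d+\s+(localhost|127\.0\.0\.1)", re.IGNORECASE)
TEMP_WIPE = re.compile(r"del\s+/q/f/s\s+(?:%TEMP%|\S*\\Temp\\)", re.IGNORECASE)


def image_name(cmd):
    """Lower-cased file name of the first token, whether quoted or not."""
    match = re.match(r'"([^"]+)"|(\S+)', cmd)
    exe = match.group(1) or match.group(2)
    return exe.rsplit("\\", 1)[-1].lower()


def basename(path):
    return path.rsplit("\\", 1)[-1]


def scan(cmdlines):
    """Return one finding dict per matched rule, in command-line order."""
    findings = []
    ping_delay_seen = False  # ping -n N localhost is the batch's sleep before del
    for cmd in cmdlines:
        exe = image_name(cmd)
        if match := SFX_PASSWORD.search(cmd):
            findings.append({"rule": "sfx_password", "exe": exe, "password": match.group(1)})
        if exe == "advancedrun.exe" and RUNAS_TI.search(cmd):
            target = re.search(r"/EXEFilename\s+(\S+)", cmd, re.IGNORECASE)
            findings.append({"rule": "trustedinstaller_exec", "exe": exe,
                             "target": target.group(1) if target else None})
        if exe.startswith("schtasks") and "/create" in cmd.lower():
            name, run = TASK.search(cmd).groups()
            flags = []
            if re.search(r"/sc\s+ONLOGON", cmd, re.IGNORECASE):
                flags.append("onlogon")
            if re.search(r"/rl\s+HIGHEST", cmd, re.IGNORECASE):
                flags.append("highest")
            if basename(run).startswith("$77"):
                flags.append("$77-prefix")  # r77 rootkit hide prefix (assumption: worth flagging)
            findings.append({"rule": "task_persistence", "exe": exe, "name": name,
                             "run": run, "flags": tuple(flags)})
        if exe.startswith("powershell") and "get-mppreference" in cmd.lower():
            findings.append({"rule": "defender_recon", "exe": exe})
        if exe.startswith("ping") and PING_DELAY.search(cmd):
            ping_delay_seen = True
        if exe.startswith("cmd") and TEMP_WIPE.search(cmd):
            findings.append({"rule": "temp_wipe", "exe": exe,
                             "after_ping_delay": ping_delay_seen})
    return findings


if __name__ == "__main__":
    for finding in scan(CMDLINES):
        print(finding)
```

The same rules transfer directly to process-creation telemetry (Sysmon event 1 or EDR command-line fields): the schtasks rule keys on ONLOGON plus HIGHEST plus a target outside a vendor directory, and the temp-wipe rule only becomes interesting when a ping delay was seen shortly before it in the same process chain, which is why the example tracks that state instead of matching del on its own.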

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | smtp.yassine-bolard.nl | udp
US | 8.8.8.8:53 | payloads-poison.000webhostapp.com | udp
US | 145.14.145.179:443 | payloads-poison.000webhostapp.com | tcp
FR | 91.134.207.16:80 | 91.134.207.16 | tcp
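Both Network tables mix three kinds of rows: reverse (PTR) lookups of addresses the guest reached on its own, forward lookups the sample made, and the TCP connections that followed. The Python below is an added example, not sandbox output. It merges the rows from both runs, decodes each in-addr.arpa name back to the address it asks about, and splits the rest into domains that were connected to, domains that were only queried (smtp.yassine-bolard.nl has a lookup but no connection in either run), and connections made straight to a bare address (91.134.207.16:80). Nothing beyond the rows on this page is assumed.

```python
import ipaddress

# Constructed input: the Network tables from both runs above, merged, in the
# report's own column order (Country Destination Domain Proto).
NETWORK_TABLE = """
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 smtp.yassine-bolard.nl udp
US 8.8.8.8:53 payloads-poison.000webhostapp.com udp
US 145.14.145.179:443 payloads-poison.000webhostapp.com tcp
FR 91.134.207.16:80 91.134.207.16 tcp
"""


def parse_rows(table):
    """Yield (country, host, port, domain, proto) for each non-empty row."""
    for line in table.strip().splitlines():
        country, dest, domain, proto = line.split()
        host, port = dest.rsplit(":", 1)
        yield country, host, int(port), domain, proto


def ptr_to_ip(name):
    """Decode '4.181.190.20.in-addr.arpa' to '20.190.181.4'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    # IPv4Address() raises on garbage octets instead of silently passing them on
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def triage(table):
    """Split rows into reverse lookups, forward DNS queries and real connections."""
    ptr, queries, conns = set(), set(), set()
    for _country, host, port, domain, proto in parse_rows(table):
        ip = ptr_to_ip(domain)
        if ip is not None:
            ptr.add(ip)
        elif proto == "udp" and port == 53:
            queries.add(domain)
        else:
            conns.add((domain, host, port, proto))
    return {"ptr_lookups": ptr, "dns_queries": queries, "connections": conns}


def report(table):
    """Derive the IOC buckets an analyst wants from the triaged rows."""
    t = triage(table)
    contacted = {domain for domain, *_ in t["connections"]}
    return {
        "connected": sorted((d, h, p) for d, h, p, _ in t["connections"]),
        "query_only": sorted(t["dns_queries"] - contacted),
        "direct_ip": sorted(h for d, h, *_ in t["connections"] if d == h),
        "ptr_lookups": sorted(t["ptr_lookups"], key=ipaddress.IPv4Address),
    }


if __name__ == "__main__":
    for bucket, values in report(NETWORK_TABLE).items():
        print(bucket)
        for value in values:
            print("   ", value)
```

The PTR bucket is kept separate rather than dropped: one of the decoded addresses is 208.95.112.1, which is ip-api.com's own address from the tcp rows, so the guest reverse-resolved a host the sample had just contacted. The other five are addresses the sample never connected to in either capture and belong to the guest's background traffic review, not to the IOC list.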

Files

\Program Files\Windows_Defender\Advancedruncmd.exe

MD5 6bc73831502efdbf856b7fc554b3fca4
SHA1 7151d4582496b74a93279222258f1d1566246866
SHA256 4855250783f059d34eb409e89d06e3fcb47c3bd61a10cc1cdf0221167cb71e8d
SHA512 35db4da4b4349f000594316b031c80a126c6f52d79113316f6dd277fb1fdddb938721528f32b0dbbca4c5c566fddb1acb20a51f73b9471d0966155b99b5882ef

\Program Files\Windows_Defender\Advancedruncmd.exe

MD5 61686e8a3228e4d23fddc162ae11f3b4
SHA1 98b9ac26d24aa339e85beeb1642113012df3ec25
SHA256 7f89de4cafadaa7e5c618012767784aedc385d00fe2374f7c100961ba256904e
SHA512 8f1943ec47c99bd242c811621eb14e74b6fc6a67bdf2b3409106b99452e87d3aed40d1bc6bf6ddd19119df8679c26ae3ef7321558eac3fd524b4eb77eea359af

\Program Files\Windows_Defender\Advancedruncmd.exe

MD5 ca5f45afd90108839b3cd199b853baf3
SHA1 06e64927d735e4bb9d0afe4b924186b215df218d
SHA256 a6b9df778b858a32ac8b31f333c43bbcf6f430cf679eda136dfe3ba86a1c4efe
SHA512 1a50dd244b51ec52dbe2d12919fe2651dd884bba9c85dd878a17cb64fca6760ed5bd6d9355742b4742a56d733875ecd6d2f265abfbc0d2face3571eafa56ec3f

\Program Files\Windows_Defender\Advancedruncmd.exe

MD5 eabffcd41bf80fe9252bbed293c19981
SHA1 d9095c4cf83b735f4f587b74bf0876c03e9f1143
SHA256 1c5503f7a9624155a8be58b52182a518c3ba963ba42b8ba0d6ef1db3a863f944
SHA512 852f257f03c0d07a17515d81077ac4dc1f0a698a3ca2c2404c4fb3f31a5c64e5127bfa114621a6855648f31d3328a69ccbc952cf16919cb7f64ba8de8730e7e0

\Program Files\Windows_Defender\RAT.exe

MD5 b8238557a2d72fa0dd600ba90f12084d
SHA1 6395616037bbf0b663e9fd2470fd51258094a689
SHA256 2efaeac3b7c910470a4177061e62d7ef78ff20f7e4b670c349e91ce46eaf7446
SHA512 8c5c53e71d2dd3e0a5f39bb8ca391a20943b0c5abf6182d9ccd7135ae9d2e669d92b96d0f8245933dd0852aadc5b70a05ff29b091c477dcb05df5789ed7983e5

\Program Files\Windows_Defender\RAT.exe

MD5 149ea71e5367cdebf9ee3cef13bf4951
SHA1 270842af33b5b87538c7a69bb6766a8d56841c74
SHA256 03e1ed4500421e762ec3c2d2ccdccea9d181ae3e1f9941934e56a2b5edfadaa4
SHA512 00208be6f5211fc9005becb76b0353ae00c383f8d0f7cf41598cef773bb010008cf9e55b05d0824fd8f9a087711c0839c89c0d2fc76d17210f86b1d7450cf1b2

C:\Program Files\Windows_Defender\RAT.exe

MD5 598b5a461c093d2b4ad2d9fece01f2ed
SHA1 2e9e70db074417eade8463f2fa2c5f6e743ba2fe
SHA256 debee91fa37cd3deb245f6c971938db98c4146657d2c7bbbc0462201dbc67c85
SHA512 854edf45c4817c3ec4113f2278468f41cb32ca1f8c9c92632060054d578313ea4e04db608ae107b298f49cec8997a534b11eaa4cb956e1ee2db3a81a81e74172

\Program Files\Windows_Defender\RAT.exe

MD5 ea57382633c00d17e4969aa4ed2f142d
SHA1 ff4211e3185ef878df4982a2cc5874468338a5ce
SHA256 a50d8a4e05f34d21ffb527d82d34042375ca84cd69563184b806d314fb7a0b52
SHA512 a1ff71b1a2841f3779f358970e8f6fcd34d3c31149b8a0f0a10efd7bc5341be05a0eeaa7b9eca7f1fa5d7086d0ba07cfcf4ead1aa9150c54ae38a56e067c3601

\Program Files\Windows_Defender\RAT.exe

MD5 9af8c3db50a3006b4804024e8b737014
SHA1 0510b6d26ab99ce38d96053e3fbff1b274c37b88
SHA256 5d707fb06696bbe4114ebc56b258d1fd512f320d45c306653525e3e1cc12b4b3
SHA512 8741bfe437152b4d18033cd2601ef5160764200b977d67d67e0568e93ed854acfe412b5d5556b45f89b8188618dfad8535e8e2c1dc3779e26c03037eda1e7176

C:\Program Files\Windows_Defender\RAT.exe

MD5 4293f65356b9729e8ce0ba1681957c96
SHA1 049f1c7ff84bb43f56730717a55cf3308e85b5bf
SHA256 70157b2d6a02e8895c7c65320e14aefdb463cb6379aec4e7d610f74285f6afc0
SHA512 8fa467ccbf248879588918630319a8a67107765a26e0208cf8353d78ca45e6fd01b49ac3dc22e50b3d1123a166f4fef995247774be1ddb872db07c6e3c14a100

C:\Program Files\Windows_Defender\RAT.exe

MD5 20f13160acd3c467bf3449c2f30f4b99
SHA1 9aee459db2b779f08ada7580ecf289bdfdfb0810
SHA256 4870ac900ed709105428fe12464b426ad57cefefac84a56db69170e423512e52
SHA512 067355958523d0a16806b2c3cb09ce56f651a8f246781115b2f668b8cbc46811b83f771c3d6582dccb7e2a6e56666bcb30c97117ebb5a7cf611b787b5a5057ef

C:\Program Files\Windows_Defender\AdvancedRun.exe

MD5 fd048f729a521a51273897c937b0a132
SHA1 3ba5137721c135fe125f9667c45b01b9728d21ed
SHA256 71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4
SHA512 9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

\Program Files\Windows_Defender\$77-Venom.exe

MD5 2a70e2be46bd695a13d57d6ca1d4258e
SHA1 beed74ea5f55ad8f94d1892cc39277c34540540e
SHA256 6ab781748cd6a367c0a12eb45632349a5cd33a63f5b3ae92f7a0613b6ab8cee3
SHA512 5e49cf5218b264aaf0495c34395f71f6645adec1faa319323be169fd8841b82edc67a069ed1423ca9f4c19768e3326e9c44189201d806d6ff771d84c91cf60a8

\Program Files\Windows_Defender\$77-Venom.exe

MD5 c1bca3137e2b66e2e246a3597783e5d2
SHA1 5253fdad4daea8d3e7c41b1bdd73519cc65804cf
SHA256 dc5039663b51ea8829cb95c1f64ae21c9fedcb364797c6130da57b4a0d6f9156
SHA512 9f9d337e243c25a3bc10aad04c85a8ebb81ad5165e504410442ca9ec54801c716205d8e3048b0c310f48d89eade224bdca7aa67fbeac7a9ddb8ab54f569084ab

C:\Program Files\Windows_Defender\$77-Venom.exe

MD5 347430bd50587f357c081d9562acc46b
SHA1 3c1f2c10c1fceffa5371a7bd03ac6847e926a9dd
SHA256 fd0686bd94b7edb99dd428d53258170105d77a856bb3633de6c01be14e4722d3
SHA512 7b850db48bfbd529ef1469fc13d4ae3b0ba05d64784cdc2d15cda1203d71bdcb3494e8db3efe53d23cfa2933bd3ed0d088367df9a27d5b201d0621e79680c25e

C:\Program Files\Windows_Defender\$77-Venom.exe

MD5 19dbd4537395de7bd14e94c93abb385d
SHA1 1fdffd7a4839c555eb7cd1051139f93069ea5594
SHA256 efc3cbd67e2578b2c3ccd52fab71d62b9a60d2ae22fadd0d14ae4fe6a250980a
SHA512 ca34bc3e611c07fe9a14c466c7860915ced598d28470c7f890eef308245f2d05109afc983ad836d0f9a3310ae7f5d5afaaa4f13d2efa608b014bf1567459006f

\Program Files\Windows_Defender\$77-Venom.exe

MD5 c601a5c009c08e4c88b0183f3269ed8d
SHA1 baad82319caf9e131677964715d410e3e607f688
SHA256 be5e040d573d4382fe4f0dd45664df2d9d27b9b448410efffda890765c545f77
SHA512 4676270bfba0df635e58f38638a6954987ae19475dfc1b5b56ab942f9331f611486a677777fa954cf2382aaad1a6d3bea75dbf286ca892caf2e7aee094c67855

\Program Files\Windows_Defender\$77-Venom.exe

MD5 819a44fa2a626b6b861cbb44188633c0
SHA1 97280c595357a37758c223c084866435cb24a634
SHA256 d6c406dbac2e3e1cfe1aa57a8616223528d7611adc63fa4ec6a9afe779e187bb
SHA512 eab683144ae3880d50ab36ca21fd34e79db44866654b5fc3ac93e3850e210125bc29c889afc96ea7db49fb4eb147fa71cdbc053e2b1ce1fec818296e188605d7

C:\Program Files\Windows_Defender\$77-Venom.exe

MD5 f4f30ba72ff1b91e957de778ea5df8d1
SHA1 ccee5845ba75a174de016b7d5e6ddd88d98686c2
SHA256 d3a0438e8598d817dc1f100c940264a3450752094b6ba571784bd4c05ecbf3b0
SHA512 8ff0ce0fe46c19607d0f338bd4331dad114993e9fa7d723587745610b356cfd4d073f578ed0f1498a8a71de24297a98dd665e09e4bfddd54c2c9591f6234f8b9

memory/2908-73-0x00000000011D0000-0x0000000001266000-memory.dmp

memory/2908-74-0x0000000073C60000-0x000000007434E000-memory.dmp

memory/2908-75-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

memory/2908-76-0x0000000073C60000-0x000000007434E000-memory.dmp

memory/2908-78-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

\Windows\SysWOW64\Discord\$77Discord.exe

MD5 f09891e38088cbd3a816894bad63c320
SHA1 cce1776b80cc803b75a445a49932afb51879d299
SHA256 6ace22686e550d8dc7b1d45db5fc8acba47b7c566cf2fd4a14f685b7ea890ce1
SHA512 16ccd8fc7a9d8f4cfbf4883ea0ed6b70e35bb20f85c4579cff073284eb7bf0c44f874033ff0fa4aba57266874007afa65592f6c7e0ca67eae91de277d0db4e10

C:\Windows\SysWOW64\Discord\$77Discord.exe

MD5 1229b951accaa55f1f5c237f02bae541
SHA1 ad8d86e76143411d79b9c9c782621853d45d126a
SHA256 fbcab4a096234ba14b969f32310eb763eb88ca3a2ab0e6969e99c411089443cb
SHA512 4ba5d3d8a52ff78a86edb84216b9509a1ce903ee2b46f3e132607bb6797405daa3550528a0e13edfe265476b227898005a75209a883658d10ceb19141fc3ff0d

memory/2456-85-0x0000000001250000-0x00000000012E6000-memory.dmp

memory/2456-86-0x0000000073C60000-0x000000007434E000-memory.dmp

memory/2456-87-0x0000000004A00000-0x0000000004A40000-memory.dmp

C:\Windows\SysWOW64\Discord\$77Discord.exe

MD5 175fa555d0702a7968d30a910d210b06
SHA1 f4a1ffae6939e3dcbb84d47eb98e70f175c6481f
SHA256 6ee55d3ed20158824848e403fdc23428dcf2d947cedee9712db53737400bd230
SHA512 df07e4ede3f284f25002690e2ee085133539e662cbba5d0d1095164a20d141bf2824dfad6240ef006ba2cdc4bcd95457868e2068dd5c953c380600077e3098ae

C:\Users\Admin\AppData\Local\Temp\pAz8ptJha8C3.bat

MD5 7b570b428aba29e89a59b3e72d3b5f3b
SHA1 cb1a6d4fc75def53c762785ec701aeff898b6aef
SHA256 6999be65d13092c3d576ec042f5e7968ba36488e67a509fe38013c953d73d87e
SHA512 bf6bb17b801df7bde016b63fb78b340a2134a2d4671e3cb8690607fff230e50ca6ac57f2ef55f1555e822e317edbeb814fd53a9c600bc45ab73297c73e68e8cc

\Windows\SysWOW64\Discord\$77Discord.exe

MD5 a0afe8bedd587ea31c7105d79106572d
SHA1 7d1a1d505149fefeac606828d83d964a53d79c66
SHA256 dc0f86edbed9004a92d4edec6e8f9633c7337d616d9b875082bfd906b08cf02f
SHA512 a39c6ef2e0e62ddbd0ee3c47ed758e1d5e16d0ff55edd3568a3e262a9957617409e1ac1c0e08c5b94f442f1c7f9f6114b32901acecef1db9f3bcf028dc933f96

\Windows\SysWOW64\Discord\$77Discord.exe

MD5 1992a9ad541bd8cd2b30b49b88401824
SHA1 f75674100832ce7d438eba0b0490582670b094b4
SHA256 0d254f258c0608dcedd5591310e5f40534ceab776d387aef2f3f99e20d4723ce
SHA512 3cb634e30717055635ef52cd676e40fbc609301503582e6eb95fbcbaabce3756cb3293b1d4189a6b581d05adda3438cb75f188959554545af731bc805838695b

\Windows\SysWOW64\Discord\$77Discord.exe

MD5 0a737a272dce4a874ce9cfebd6b788f3
SHA1 f7c8b325026865e80d6f00dfae99b1b010f1d460
SHA256 1f197d3000c96c0308f015b6e317fdfee3c253bb605226b45d9a8430ce70885e
SHA512 abe37f939aee10d378b4388f6f74b85deb70b928edd2c341986ac15498d67c111cb0fbe2c9084a221e0d489be35f2913a3026e7542424e8413a29f5b84c7f9c7

\Windows\SysWOW64\Discord\$77Discord.exe

MD5 1db04bf4f4fc3521edfcafb4cd404a95
SHA1 05647b42a46283be893d859a68d53df6baa6a4a6
SHA256 9caf6e41b774630518e04f3fe38ba7c5af95bcab3008bac06b66d84a62425d48
SHA512 d89aaa4aa8ef9319ee2d57b5e7f517c99c3415be48b19296f0cd23a82757b1d3ed3f344fe8893b633d197ce219605662297bbfdf8819f7de14cbc145c170275e

memory/2456-104-0x0000000073C60000-0x000000007434E000-memory.dmp

memory/1528-105-0x000000006E8B0000-0x000000006EE5B000-memory.dmp

memory/1528-108-0x00000000026E0000-0x0000000002720000-memory.dmp

memory/1528-107-0x00000000026E0000-0x0000000002720000-memory.dmp

memory/1528-106-0x000000006E8B0000-0x000000006EE5B000-memory.dmp

memory/2456-109-0x0000000004A00000-0x0000000004A40000-memory.dmp

\Windows\SysWOW64\Discord\$77Discord.exe

MD5 ecccdbf49258bbacd78578017ca99227
SHA1 1c054dec74f60aa971f9d24fa9f3dffbfd924b95
SHA256 67e346bae17dafaf2b359b58d46d941f7336500577024f1f0e078770c3fd158c
SHA512 099742a045306a19dd6b48408bf729ecbfd29d7aaaf5db0f8f0b811f18b13e3a35eab69ad60fd9d9139bd98ce2d03ef46c0e46b22d647ee30a8f9a6627758431

memory/1528-111-0x000000006E8B0000-0x000000006EE5B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2E62.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar2E75.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/2908-173-0x0000000073C60000-0x000000007434E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8M4tMHeVSexc.bat

MD5 a56c816e07479fd4a9f54c73a4143f02
SHA1 47ba7cec576382996b5b05735155520c38ad36de
SHA256 dde3108dc9249639c17ea728badb3cee3cd77c95535db09ed061d4a0a1863b6c
SHA512 43bce1d47c3765865cc8f72404cc7abadca2a9d733d19e02edb9b79a2a3bf16f4a484300c199ba1bd9e0e5face02c9996cb1c8c40152c4794afb88c2ef803e2f

C:\Program Files\Windows_Defender\$77-Venom.exe

MD5 33092c02354e181516b3f3f47ec16441
SHA1 1c829b9d129133e2b59fea3dd62cf607a052dc84
SHA256 53a7fe09a6adaafdbd5cb2024f5fcffbc5375e3a530e17a38b89f8778371436f
SHA512 d4d528fb2fdd8e3b1de0c746ade7f8816c6da18b73571bfcd66a7a8019dbf17d6e96efa830c7180531b0b6f370498a673580b0bfaf68b8b1c23a9935aa7b2f6d

memory/2856-175-0x0000000000210000-0x00000000002A6000-memory.dmp

memory/2856-176-0x0000000073C60000-0x000000007434E000-memory.dmp

memory/2856-177-0x0000000004B30000-0x0000000004B70000-memory.dmp

memory/2856-178-0x0000000073C60000-0x000000007434E000-memory.dmp

memory/2856-179-0x0000000004B30000-0x0000000004B70000-memory.dmp