quasar | 1c5bb8ac1735f400b18f16ed5daab07575ba4aaedb4da31ca5cd89205bb40141

Analysis

max time kernel
128s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91086ef2437049d4cfcb66149acf0d95.exe
Size

653KB
MD5

91086ef2437049d4cfcb66149acf0d95
SHA1

ac9cfed7ccfcd8676b437e753abdf7fc06981f71
SHA256

1c5bb8ac1735f400b18f16ed5daab07575ba4aaedb4da31ca5cd89205bb40141
SHA512

effe216b30c6371065d467e585f95db5106c35376a8fe430880a4e965c3a7927fb0453945036b19a6e0e7ec3d4a1290eee6e2445b68cd748086082da29db8046
SSDEEP

12288:bYBbFriWGl7gO03m4sRqJ2IOEEVR/7r+pKnoqsxWbvoyF3db6e0Rqs4J7S:MBxrd4lA7OvR/fqKoqsxsvoyFtbsqsJ

Score

10^/10

quasar venomrat windows firewall evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows firewall

23.105.131.187:7812

Mutex

VNM_MUTEX_zGeT5SjdI1pYgFyiav

Attributes

encryption_key
3kpwI2tkVNrXY2Mm5wlR
install_name
Windows Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Windows Firewall Updates

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/4612-8-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

91086ef2437049d4cfcb66149acf0d95.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	91086ef2437049d4cfcb66149acf0d95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	91086ef2437049d4cfcb66149acf0d95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	91086ef2437049d4cfcb66149acf0d95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	91086ef2437049d4cfcb66149acf0d95.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4612-8-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

91086ef2437049d4cfcb66149acf0d95.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	91086ef2437049d4cfcb66149acf0d95.exe

Executes dropped EXE 2 IoCs

Processes:

Windows Security.exeWindows Security.exe

pid process

1116 Windows Security.exe
212 Windows Security.exe

pid	process
1116	Windows Security.exe
212	Windows Security.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

91086ef2437049d4cfcb66149acf0d95.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	91086ef2437049d4cfcb66149acf0d95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	91086ef2437049d4cfcb66149acf0d95.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

91086ef2437049d4cfcb66149acf0d95.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\QwXMCzbSAJ = "C:\\Users\\Admin\\AppData\\Roaming\\jXMDeSqECF\\tEWMqGdDFT.exe"	91086ef2437049d4cfcb66149acf0d95.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com

flow	ioc
11	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

91086ef2437049d4cfcb66149acf0d95.exeWindows Security.exe91086ef2437049d4cfcb66149acf0d95.exe

description	pid	process	target process
PID 1164 set thread context of 4612	1164	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 1116 set thread context of 212	1116	Windows Security.exe	Windows Security.exe
PID 3748 set thread context of 2088	3748	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5096 schtasks.exe
2216 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

680 PING.EXE

pid	process
5096	schtasks.exe
2216	schtasks.exe

pid	process
680	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

91086ef2437049d4cfcb66149acf0d95.exepowershell.exe91086ef2437049d4cfcb66149acf0d95.exe91086ef2437049d4cfcb66149acf0d95.exe

pid	process
1164	91086ef2437049d4cfcb66149acf0d95.exe
1164	91086ef2437049d4cfcb66149acf0d95.exe
436	powershell.exe
436	powershell.exe
4612	91086ef2437049d4cfcb66149acf0d95.exe
4612	91086ef2437049d4cfcb66149acf0d95.exe
4612	91086ef2437049d4cfcb66149acf0d95.exe
4612	91086ef2437049d4cfcb66149acf0d95.exe
4612	91086ef2437049d4cfcb66149acf0d95.exe
4612	91086ef2437049d4cfcb66149acf0d95.exe
4612	91086ef2437049d4cfcb66149acf0d95.exe
2088	91086ef2437049d4cfcb66149acf0d95.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

91086ef2437049d4cfcb66149acf0d95.exe91086ef2437049d4cfcb66149acf0d95.exepowershell.exeWindows Security.exe91086ef2437049d4cfcb66149acf0d95.exe

description	pid	process
Token: SeDebugPrivilege	1164	91086ef2437049d4cfcb66149acf0d95.exe
Token: SeDebugPrivilege	4612	91086ef2437049d4cfcb66149acf0d95.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	212	Windows Security.exe
Token: SeDebugPrivilege	212	Windows Security.exe
Token: SeDebugPrivilege	2088	91086ef2437049d4cfcb66149acf0d95.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Security.exe

pid process

212 Windows Security.exe

pid	process
212	Windows Security.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

91086ef2437049d4cfcb66149acf0d95.exe91086ef2437049d4cfcb66149acf0d95.exeWindows Security.exeWindows Security.execmd.execmd.exe91086ef2437049d4cfcb66149acf0d95.exe

description	pid	process	target process
PID 1164 wrote to memory of 804	1164	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 1164 wrote to memory of 804	1164	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 1164 wrote to memory of 804	1164	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 1164 wrote to memory of 4612	1164	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 1164 wrote to memory of 4612	1164	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 1164 wrote to memory of 4612	1164	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 1164 wrote to memory of 4612	1164	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 1164 wrote to memory of 4612	1164	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 1164 wrote to memory of 4612	1164	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 1164 wrote to memory of 4612	1164	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 1164 wrote to memory of 4612	1164	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 4612 wrote to memory of 5096	4612	91086ef2437049d4cfcb66149acf0d95.exe	schtasks.exe
PID 4612 wrote to memory of 5096	4612	91086ef2437049d4cfcb66149acf0d95.exe	schtasks.exe
PID 4612 wrote to memory of 5096	4612	91086ef2437049d4cfcb66149acf0d95.exe	schtasks.exe
PID 4612 wrote to memory of 1116	4612	91086ef2437049d4cfcb66149acf0d95.exe	Windows Security.exe
PID 4612 wrote to memory of 1116	4612	91086ef2437049d4cfcb66149acf0d95.exe	Windows Security.exe
PID 4612 wrote to memory of 1116	4612	91086ef2437049d4cfcb66149acf0d95.exe	Windows Security.exe
PID 4612 wrote to memory of 436	4612	91086ef2437049d4cfcb66149acf0d95.exe	powershell.exe
PID 4612 wrote to memory of 436	4612	91086ef2437049d4cfcb66149acf0d95.exe	powershell.exe
PID 4612 wrote to memory of 436	4612	91086ef2437049d4cfcb66149acf0d95.exe	powershell.exe
PID 1116 wrote to memory of 212	1116	Windows Security.exe	Windows Security.exe
PID 1116 wrote to memory of 212	1116	Windows Security.exe	Windows Security.exe
PID 1116 wrote to memory of 212	1116	Windows Security.exe	Windows Security.exe
PID 1116 wrote to memory of 212	1116	Windows Security.exe	Windows Security.exe
PID 1116 wrote to memory of 212	1116	Windows Security.exe	Windows Security.exe
PID 1116 wrote to memory of 212	1116	Windows Security.exe	Windows Security.exe
PID 1116 wrote to memory of 212	1116	Windows Security.exe	Windows Security.exe
PID 1116 wrote to memory of 212	1116	Windows Security.exe	Windows Security.exe
PID 212 wrote to memory of 2216	212	Windows Security.exe	schtasks.exe
PID 212 wrote to memory of 2216	212	Windows Security.exe	schtasks.exe
PID 212 wrote to memory of 2216	212	Windows Security.exe	schtasks.exe
PID 4612 wrote to memory of 728	4612	91086ef2437049d4cfcb66149acf0d95.exe	cmd.exe
PID 4612 wrote to memory of 728	4612	91086ef2437049d4cfcb66149acf0d95.exe	cmd.exe
PID 4612 wrote to memory of 728	4612	91086ef2437049d4cfcb66149acf0d95.exe	cmd.exe
PID 728 wrote to memory of 2380	728	cmd.exe	cmd.exe
PID 728 wrote to memory of 2380	728	cmd.exe	cmd.exe
PID 728 wrote to memory of 2380	728	cmd.exe	cmd.exe
PID 4612 wrote to memory of 5068	4612	91086ef2437049d4cfcb66149acf0d95.exe	cmd.exe
PID 4612 wrote to memory of 5068	4612	91086ef2437049d4cfcb66149acf0d95.exe	cmd.exe
PID 4612 wrote to memory of 5068	4612	91086ef2437049d4cfcb66149acf0d95.exe	cmd.exe
PID 5068 wrote to memory of 2484	5068	cmd.exe	chcp.com
PID 5068 wrote to memory of 2484	5068	cmd.exe	chcp.com
PID 5068 wrote to memory of 2484	5068	cmd.exe	chcp.com
PID 5068 wrote to memory of 680	5068	cmd.exe	PING.EXE
PID 5068 wrote to memory of 680	5068	cmd.exe	PING.EXE
PID 5068 wrote to memory of 680	5068	cmd.exe	PING.EXE
PID 5068 wrote to memory of 3748	5068	cmd.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 5068 wrote to memory of 3748	5068	cmd.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 5068 wrote to memory of 3748	5068	cmd.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 3748 wrote to memory of 2088	3748	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 3748 wrote to memory of 2088	3748	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 3748 wrote to memory of 2088	3748	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 3748 wrote to memory of 2088	3748	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 3748 wrote to memory of 2088	3748	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 3748 wrote to memory of 2088	3748	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 3748 wrote to memory of 2088	3748	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe
PID 3748 wrote to memory of 2088	3748	91086ef2437049d4cfcb66149acf0d95.exe	91086ef2437049d4cfcb66149acf0d95.exe

C:\Users\Admin\AppData\Local\Temp\91086ef2437049d4cfcb66149acf0d95.exe
"C:\Users\Admin\AppData\Local\Temp\91086ef2437049d4cfcb66149acf0d95.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\AppData\Local\Temp\91086ef2437049d4cfcb66149acf0d95.exe
  "C:\Users\Admin\AppData\Local\Temp\91086ef2437049d4cfcb66149acf0d95.exe"
  2⤵
  PID:804
- C:\Users\Admin\AppData\Local\Temp\91086ef2437049d4cfcb66149acf0d95.exe
  "C:\Users\Admin\AppData\Local\Temp\91086ef2437049d4cfcb66149acf0d95.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Checks computer location settings
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\91086ef2437049d4cfcb66149acf0d95.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:5096
- - C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe
    "C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe
      "C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:212
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\alOhDmUeZSCH.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Users\Admin\AppData\Local\Temp\91086ef2437049d4cfcb66149acf0d95.exe
      "C:\Users\Admin\AppData\Local\Temp\91086ef2437049d4cfcb66149acf0d95.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3748
    - - C:\Users\Admin\AppData\Local\Temp\91086ef2437049d4cfcb66149acf0d95.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91086ef2437049d4cfcb66149acf0d95.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:2484

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\91086ef2437049d4cfcb66149acf0d95.exe.log

Filesize
507B

MD5
8cf94b5356be60247d331660005941ec

SHA1
fdedb361f40f22cb6a086c808fc0056d4e421131

SHA256
52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

SHA512
b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kufzbunt.qdx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\alOhDmUeZSCH.bat

Filesize
229B

MD5
fd633dae329100c2d28b6a6d3a722387

SHA1
cd3c6b0e158f22fdcfc734024fab715f844b6cf0

SHA256
897a2d080eab3a34b16463c2fc196cee5703fbc01a6f03745604880e2557edf8

SHA512
8300d355bd86c9f83e42a53f4852b324c9ec372723addc7eeee5b67f353fa65cc4daa5e5eb3623564bd9ddebb4cd5e3108d4538d0e8839723e4479fec7a1f2e0

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe

Filesize
653KB

MD5
91086ef2437049d4cfcb66149acf0d95

SHA1
ac9cfed7ccfcd8676b437e753abdf7fc06981f71

SHA256
1c5bb8ac1735f400b18f16ed5daab07575ba4aaedb4da31ca5cd89205bb40141

SHA512
effe216b30c6371065d467e585f95db5106c35376a8fe430880a4e965c3a7927fb0453945036b19a6e0e7ec3d4a1290eee6e2445b68cd748086082da29db8046

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe

Filesize
12KB

MD5
9630ed5f362e22250bbf72082bf5200e

SHA1
480814a759f83a9f2bb4fa33e16c66c3a3ab4e6c

SHA256
e6ddd3d0ef4a03386089622db4ef0b76c8333ca667a9debc732df0cd9e8ad632

SHA512
f9a95652c116b0a12cb3e79ea996078c8a146ab1fe3d9822505963b24b89286c4275901b60ff64c1293d690e19bfac76faf64abadc46b1b91d59e319bf959e28

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Firewall Updates\Windows Security.exe

Filesize
416KB

MD5
b7d9b96d618bbc8011bcc29829e69a94

SHA1
9a98a2d7e9a997900478b8d0d88200bfbe282334

SHA256
196623888e79ff93a90bbf8eda2ee15d853637e7746a257b1640942bd2ce8ce1

SHA512
17e8ca1648bc8ad49c8067aa96423c1fae6b7830b314fa5dc5fd9a4bbba3a9b2679946fb72e16a408186873980429d2479d982ded21376cb5ce0e019335a74e5

Download Submit
memory/212-84-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/212-89-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/212-49-0x0000000006B50000-0x0000000006B5A000-memory.dmp

Filesize
40KB

Download
memory/212-33-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/212-31-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/436-45-0x0000000005D30000-0x0000000006084000-memory.dmp

Filesize
3.3MB

Download
memory/436-73-0x0000000007820000-0x000000000783A000-memory.dmp

Filesize
104KB

Download
memory/436-77-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/436-74-0x0000000007800000-0x0000000007808000-memory.dmp

Filesize
32KB

Download
memory/436-72-0x0000000007720000-0x0000000007734000-memory.dmp

Filesize
80KB

Download
memory/436-24-0x00000000028E0000-0x0000000002916000-memory.dmp

Filesize
216KB

Download
memory/436-71-0x0000000007710000-0x000000000771E000-memory.dmp

Filesize
56KB

Download
memory/436-26-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/436-70-0x00000000076E0000-0x00000000076F1000-memory.dmp

Filesize
68KB

Download
memory/436-25-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/436-69-0x0000000007760000-0x00000000077F6000-memory.dmp

Filesize
600KB

Download
memory/436-30-0x0000000005310000-0x0000000005938000-memory.dmp

Filesize
6.2MB

Download
memory/436-68-0x0000000007550000-0x000000000755A000-memory.dmp

Filesize
40KB

Download
memory/436-66-0x0000000007B20000-0x000000000819A000-memory.dmp

Filesize
6.5MB

Download
memory/436-67-0x00000000074E0000-0x00000000074FA000-memory.dmp

Filesize
104KB

Download
memory/436-50-0x000000007F2A0000-0x000000007F2B0000-memory.dmp

Filesize
64KB

Download
memory/436-63-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/436-34-0x0000000005940000-0x0000000005962000-memory.dmp

Filesize
136KB

Download
memory/436-40-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/436-65-0x00000000073B0000-0x0000000007453000-memory.dmp

Filesize
652KB

Download
memory/436-46-0x00000000061D0000-0x00000000061EE000-memory.dmp

Filesize
120KB

Download
memory/436-47-0x00000000061F0000-0x000000000623C000-memory.dmp

Filesize
304KB

Download
memory/436-62-0x0000000006790000-0x00000000067AE000-memory.dmp

Filesize
120KB

Download
memory/436-52-0x000000006FE20000-0x000000006FE6C000-memory.dmp

Filesize
304KB

Download
memory/436-51-0x0000000007170000-0x00000000071A2000-memory.dmp

Filesize
200KB

Download
memory/436-64-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/1116-32-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/1116-23-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/1116-22-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/1164-3-0x0000000005DB0000-0x0000000006354000-memory.dmp

Filesize
5.6MB

Download
memory/1164-4-0x00000000056A0000-0x0000000005732000-memory.dmp

Filesize
584KB

Download
memory/1164-7-0x00000000031A0000-0x00000000031AA000-memory.dmp

Filesize
40KB

Download
memory/1164-5-0x0000000005740000-0x00000000057DC000-memory.dmp

Filesize
624KB

Download
memory/1164-12-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/1164-0-0x0000000000B80000-0x0000000000C2A000-memory.dmp

Filesize
680KB

Download
memory/1164-1-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/1164-2-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/2088-90-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/2088-88-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/3748-83-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/3748-85-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/3748-87-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/4612-82-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/4612-15-0x0000000005D90000-0x0000000005DA2000-memory.dmp

Filesize
72KB

Download
memory/4612-8-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4612-16-0x0000000006410000-0x000000000644C000-memory.dmp

Filesize
240KB

Download
memory/4612-14-0x0000000005090000-0x00000000050F6000-memory.dmp

Filesize
408KB

Download
memory/4612-13-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4612-11-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download