quasar | 497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f

General

Target

497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exe
Size

13.3MB
MD5

0d6982311c8a21313994773c99380dfb
SHA1

d8a6abfbdf3fe52598f570abeed3b272b10484bd
SHA256

497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f
SHA512

47b4c7f9a8a49ab067d4214d6cb73277bc56f7e671d3ef3c38ca8d845c65dbf2303e083294d71d68bf4348b87558141d4d3281d959d262efe56b29a87e5437c4
SSDEEP

49152:Kqsm55NYMPrb/T7vO90dL3BmAFd4A64nsfJlFngTR55I7NLz1S:Kq95TUGPf

Score

10^/10

quasar com surrogate discovery evasion spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

COM Surrogate

C2

10.8.1.66:8869

Mutex

119b9028-5664-4725-b2c1-1e4eaf743d68

Attributes

encryption_key
B0092D1E1BA8BCBB825AA0760094E03D6D52E169
install_name
3388.exe
log_directory
COMLogs
reconnect_delay
5000
startup_key
COM Surrogate

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\go-memexec-1367597922.exe	disable_win_def
behavioral1/memory/2656-41-0x0000000000C30000-0x0000000000C3C000-memory.dmp	disable_win_def
C:\Windows\Temp\vga0bucu.exe	disable_win_def
behavioral1/memory/2508-53-0x0000000000DB0000-0x0000000000DB8000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

vga0bucu.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	vga0bucu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	vga0bucu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	vga0bucu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	vga0bucu.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\go-memexec-912365089.exe	family_quasar
behavioral1/memory/2636-42-0x0000000001170000-0x00000000011F4000-memory.dmp	family_quasar
behavioral1/memory/2096-66-0x00000000008E0000-0x0000000000964000-memory.dmp	family_quasar

Executes dropped EXE 8 IoCs

Processes:

go-memexec-2758755490.exeDISCORD-BUILD.EXEJAVAFIX.EXE-BUILD.EXEWINDEFENDDISABLE.EXE-BUILD.EXEgo-memexec-912365089.exego-memexec-1367597922.exevga0bucu.exe3388.exe

pid	process
2540	go-memexec-2758755490.exe
2800	DISCORD-BUILD.EXE
2760	JAVAFIX.EXE-BUILD.EXE
2852	WINDEFENDDISABLE.EXE-BUILD.EXE
2636	go-memexec-912365089.exe
2656	go-memexec-1367597922.exe
2508	vga0bucu.exe
2096	3388.exe

Loads dropped DLL 9 IoCs

Processes:

go-memexec-2758755490.exe

pid	process
2540	go-memexec-2758755490.exe
2540	go-memexec-2758755490.exe
2348
2540	go-memexec-2758755490.exe
2540	go-memexec-2758755490.exe
2840
2540	go-memexec-2758755490.exe
2540	go-memexec-2758755490.exe
2644

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

vga0bucu.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features vga0bucu.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	vga0bucu.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exego-memexec-912365089.exe3388.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\3388.exe	go-memexec-912365089.exe
File opened for modification	C:\Windows\system32\3388.exe	go-memexec-912365089.exe
File opened for modification	C:\Windows\system32\3388.exe	3388.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

go-memexec-2758755490.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language go-memexec-2758755490.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1968 taskkill.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2460 schtasks.exe
1640 schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	go-memexec-2758755490.exe

pid	process
1968	taskkill.exe

pid	process
2460	schtasks.exe
1640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

go-memexec-1367597922.exe

pid	process
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe
2656	go-memexec-1367597922.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

go-memexec-1367597922.exego-memexec-912365089.exetaskkill.exepowershell.exe3388.exe

description	pid	process
Token: SeDebugPrivilege	2656	go-memexec-1367597922.exe
Token: SeDebugPrivilege	2636	go-memexec-912365089.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2096	3388.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

go-memexec-1367597922.exe3388.exe

pid process

2656 go-memexec-1367597922.exe
2656 go-memexec-1367597922.exe
2096 3388.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exego-memexec-2758755490.exeJAVAFIX.EXE-BUILD.EXEWINDEFENDDISABLE.EXE-BUILD.EXEgo-memexec-1367597922.execmd.exevga0bucu.exego-memexec-912365089.exe3388.exe

description	pid	process	target process
PID 2280 wrote to memory of 2540	2280	497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exe	go-memexec-2758755490.exe
PID 2280 wrote to memory of 2540	2280	497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exe	go-memexec-2758755490.exe
PID 2280 wrote to memory of 2540	2280	497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exe	go-memexec-2758755490.exe
PID 2280 wrote to memory of 2540	2280	497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exe	go-memexec-2758755490.exe
PID 2540 wrote to memory of 2800	2540	go-memexec-2758755490.exe	DISCORD-BUILD.EXE
PID 2540 wrote to memory of 2800	2540	go-memexec-2758755490.exe	DISCORD-BUILD.EXE
PID 2540 wrote to memory of 2800	2540	go-memexec-2758755490.exe	DISCORD-BUILD.EXE
PID 2540 wrote to memory of 2800	2540	go-memexec-2758755490.exe	DISCORD-BUILD.EXE
PID 2540 wrote to memory of 2760	2540	go-memexec-2758755490.exe	JAVAFIX.EXE-BUILD.EXE
PID 2540 wrote to memory of 2760	2540	go-memexec-2758755490.exe	JAVAFIX.EXE-BUILD.EXE
PID 2540 wrote to memory of 2760	2540	go-memexec-2758755490.exe	JAVAFIX.EXE-BUILD.EXE
PID 2540 wrote to memory of 2760	2540	go-memexec-2758755490.exe	JAVAFIX.EXE-BUILD.EXE
PID 2540 wrote to memory of 2852	2540	go-memexec-2758755490.exe	WINDEFENDDISABLE.EXE-BUILD.EXE
PID 2540 wrote to memory of 2852	2540	go-memexec-2758755490.exe	WINDEFENDDISABLE.EXE-BUILD.EXE
PID 2540 wrote to memory of 2852	2540	go-memexec-2758755490.exe	WINDEFENDDISABLE.EXE-BUILD.EXE
PID 2540 wrote to memory of 2852	2540	go-memexec-2758755490.exe	WINDEFENDDISABLE.EXE-BUILD.EXE
PID 2760 wrote to memory of 2636	2760	JAVAFIX.EXE-BUILD.EXE	go-memexec-912365089.exe
PID 2760 wrote to memory of 2636	2760	JAVAFIX.EXE-BUILD.EXE	go-memexec-912365089.exe
PID 2760 wrote to memory of 2636	2760	JAVAFIX.EXE-BUILD.EXE	go-memexec-912365089.exe
PID 2852 wrote to memory of 2656	2852	WINDEFENDDISABLE.EXE-BUILD.EXE	go-memexec-1367597922.exe
PID 2852 wrote to memory of 2656	2852	WINDEFENDDISABLE.EXE-BUILD.EXE	go-memexec-1367597922.exe
PID 2852 wrote to memory of 2656	2852	WINDEFENDDISABLE.EXE-BUILD.EXE	go-memexec-1367597922.exe
PID 2656 wrote to memory of 1760	2656	go-memexec-1367597922.exe	cmstp.exe
PID 2656 wrote to memory of 1760	2656	go-memexec-1367597922.exe	cmstp.exe
PID 2656 wrote to memory of 1760	2656	go-memexec-1367597922.exe	cmstp.exe
PID 2944 wrote to memory of 2508	2944	cmd.exe	vga0bucu.exe
PID 2944 wrote to memory of 2508	2944	cmd.exe	vga0bucu.exe
PID 2944 wrote to memory of 2508	2944	cmd.exe	vga0bucu.exe
PID 2508 wrote to memory of 1508	2508	vga0bucu.exe	powershell.exe
PID 2508 wrote to memory of 1508	2508	vga0bucu.exe	powershell.exe
PID 2508 wrote to memory of 1508	2508	vga0bucu.exe	powershell.exe
PID 2636 wrote to memory of 2460	2636	go-memexec-912365089.exe	schtasks.exe
PID 2636 wrote to memory of 2460	2636	go-memexec-912365089.exe	schtasks.exe
PID 2636 wrote to memory of 2460	2636	go-memexec-912365089.exe	schtasks.exe
PID 2636 wrote to memory of 2096	2636	go-memexec-912365089.exe	3388.exe
PID 2636 wrote to memory of 2096	2636	go-memexec-912365089.exe	3388.exe
PID 2636 wrote to memory of 2096	2636	go-memexec-912365089.exe	3388.exe
PID 2096 wrote to memory of 1640	2096	3388.exe	schtasks.exe
PID 2096 wrote to memory of 1640	2096	3388.exe	schtasks.exe
PID 2096 wrote to memory of 1640	2096	3388.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exe
"C:\Users\Admin\AppData\Local\Temp\497960e1fdb8af14899674be0c997f9858384261945dbb91e8b28ae0e174cb6f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\go-memexec-2758755490.exe
  C:\Users\Admin\AppData\Local\Temp\go-memexec-2758755490.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\DISCORD-BUILD.EXE
    "C:\Users\Admin\AppData\Local\Temp\DISCORD-BUILD.EXE"
    3⤵
    - Executes dropped EXE
    PID:2800
- - C:\Users\Admin\AppData\Local\Temp\JAVAFIX.EXE-BUILD.EXE
    "C:\Users\Admin\AppData\Local\Temp\JAVAFIX.EXE-BUILD.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\go-memexec-912365089.exe
      C:\Users\Admin\AppData\Local\Temp\go-memexec-912365089.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "COM Surrogate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\go-memexec-912365089.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2460
    - - C:\Windows\system32\3388.exe
        
        "C:\Windows\system32\3388.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "COM Surrogate" /sc ONLOGON /tr "C:\Windows\system32\3388.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1640
- - C:\Users\Admin\AppData\Local\Temp\WINDEFENDDISABLE.EXE-BUILD.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINDEFENDDISABLE.EXE-BUILD.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\go-memexec-1367597922.exe
      C:\Users\Admin\AppData\Local\Temp\go-memexec-1367597922.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2656
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\4dflld34.inf
        5⤵
        
        PID:1760

C:\Windows\system32\cmd.exe
cmd /c start C:\Windows\temp\vga0bucu.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\temp\vga0bucu.exe
  C:\Windows\temp\vga0bucu.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1508

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JAVAFIX.EXE-BUILD.EXE

Filesize
2.6MB

MD5
6f5376f20c7f474f5554222d01456849

SHA1
4931b9dc0767c76dc31e3e6c4423a961c0f51d86

SHA256
bdbc5164ef806974456f579200541d7c84f643377c86b0bc3c1081ddd1317146

SHA512
3c0510afbd1b076889491f7e177e03cd7e73b1debd1c416765bf18890e916a504376af7b04923ee233d78e08124f0d89fc60ca4dcc256ca44adffa87b83a59e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\go-memexec-1367597922.exe

Filesize
19KB

MD5
c6e7fd0dc447c35e6e31aad46e83de96

SHA1
5367e124d66f45babf625b56418155ea5a04ccd3

SHA256
60a855b888b3021d74803be43ae95ec62ec509ed3d70dd734295d12d9375a0a1

SHA512
6c7a43aa7dd335e388db6cb651ab1bfd4e3d3abb82b31dce2900178af27616e330e84d8e5d89a3435eb8939cfed0a23892f3aeac219c883f4e53a51932d61746

Download Submit
C:\Users\Admin\AppData\Local\Temp\go-memexec-2758755490.exe

Filesize
5.8MB

MD5
456fda268601e84c3308378d26dc74d2

SHA1
a27d3718b6338927e98a38219862f5859528d5fb

SHA256
b9a1d3ee098339ac5942b437f76cb25bf5f33dacb65a883162a447c158702cfb

SHA512
a70ab8ffa8f429aa9e98eb181d405ad01333258b4646d67ec3b9743267e56de11cac9eff2a41611e7a3e269f8577a8db6217341f1ca68bdaedafbdd0e7699434

Download Submit
C:\Users\Admin\AppData\Local\Temp\go-memexec-912365089.exe

Filesize
502KB

MD5
e49e8745bb3748c02b6991155ef988f9

SHA1
13ce804a8d4dd951b5535ceb819be3f04372f375

SHA256
9e105120064cd753917b8f60a20dedc1d5c33156189afdcc514189b07d23587e

SHA512
f7b514a905ba52970f5c17bd91e12a07ebd3e3715d3b5c59284c8f09ea7e4da317fd3968a46b164e520757de9567bd0ef36f0b0bed79e7aacd412032322a416d

Download Submit
C:\Windows\Temp\vga0bucu.exe

Filesize
12KB

MD5
9cfc5141261e2144858e32a779e4e87f

SHA1
5698cb6c917d92a40d44f6e096acbf90be3a86c5

SHA256
e117d0ef5ed73d676fb845556b2ca33fe68c1728069ad1df39429b2ad5feaa15

SHA512
340af9ef8bad9678ef458e2e57aa79d5038fe1805e8a7a67e5a839efd89f6aa414d0022d233d624317eff1ca225f1b7a3b8637f0555511fddc588a9aeab34003

Download Submit
C:\Windows\temp\4dflld34.inf

Filesize
606B

MD5
da3a86e68adfeec8842bd8abcc99f4d4

SHA1
41955c5f2ffb97e15d5140ecd21230f0cd971259

SHA256
6d83c6792ea0e9086d3ea5121b0f33d6e2bf56705e48a1c83df40036509193ea

SHA512
c3a5ec6f7c737df6c372597f7195dc018a4601272741d7369081b6ca0b1d57626a580b6372e5a2b40cab36df486291a1a13e5eb305eb67bfdf1c6dda1750bfc6

Download Submit
\Users\Admin\AppData\Local\Temp\DISCORD-BUILD.EXE

Filesize
1.6MB

MD5
f50a77623d245a4599777ab4fbf714c6

SHA1
ef50b96df7cd351b62bdca83b7244e550d4a2e89

SHA256
0f68faff74b9185ca8c48dd2aa5bfdf0ee5dcf0c7a0282e964b4d29d807143cf

SHA512
1b8c09465a6cb42a5b121187edbb1082edcd8f5983d61cb243514ef8da4f90a64f7d0d6f9a08b346a869a065f981ab469cc6f97c6edffd5be79f281b180094b6

Download Submit
\Users\Admin\AppData\Local\Temp\WINDEFENDDISABLE.EXE-BUILD.EXE

Filesize
1.6MB

MD5
9af255f8c616c0cce55ba6ebed9575cd

SHA1
06e0a3e0183c0dada31c3e7f2195f2156f98f336

SHA256
83a53512f6ed96e88941330b73ceffed794603da3204d169eb44826b0a03985f

SHA512
05e0c2d059de60ff0186b372198148f3980738e71328366b585045477ef9e3f62ad230fbcbee3c4aac9113f178d77cf2745c0a17205867a12e6dda5766bf14f3

Download Submit
memory/1508-59-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/1508-58-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2096-66-0x00000000008E0000-0x0000000000964000-memory.dmp

Filesize
528KB

Download
memory/2508-53-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/2636-42-0x0000000001170000-0x00000000011F4000-memory.dmp

Filesize
528KB

Download
memory/2656-41-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads