Malicious
Four tier-1 antivirus engines converge on Win64 trojan family; explicit hacktool label for Windows Defender disabler; offensive MITRE techniques confirm malicious intent.
123866f5752a876a56…3357184224
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file exhibits a strong malicious profile: 4 tier-1 engines converge on the 'win64' family, with specific trojan names (Win64.Trojan.Disabler.K, Trojan.Win64.KILLAV, Program:Win32/Wacapew.C!ml). Alibabacloud explicitly identifies it as a hacktool for disabling Windows Defender. Static behaviour analysis reveals 7 offensive MITRE techniques including process injection (T1134), system-process modification (T1543.003), registry persistence (T1547.001), and tool disabling (T1562.001). The filename 'enable-defender.exe' is adversarial misdirection — the actual purpose is to disable security controls. No sandbox verdicts are available, but the convergence of tier-1 detections and explicit hacktool labeling is decisive.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- tier1Malicious=4 (GData, Microsoft, TrendMicro×2); tier1FamilyConsensus.strong=true, family='win64'
- Alibabacloud: 'Hacktool:Win/DisableWindowsDefender' with labelFlags.hacktool=true
- Offensive MITRE: T1134, T1543.003, T1546.012, T1547.001, T1562.001 — process injection, persistence, evasion
- Unsigned file; filename 'enable-defender.exe' mismatches actual trojan purpose (disables, not enables)
- Engine families: Win64.Trojan.Disabler.K (GData), Trojan.Win64.KILLAV (TrendMicro), Program:Win32/Wacapew.C!ml (Microsoft)
- No malicious sandbox verdicts (no runtime execution data available)
- No contacted malicious hosts or dropped malicious children
- No external YARA or CIRCL hits (limited external corroboration, but not exculpatory)
- Tier-1 antivirus consensus on Win64 trojan family
- Explicit hacktool label for Windows Defender disabler
- Process injection and persistence techniques (T1134, T1543.003, T1547.001)
- Tool disabling capability (T1562.001) — targets security software
- Unsigned executable with adversarial filename misdirection
- 7 offensive MITRE techniques indicating malware-grade evasion
Block and quarantine this file immediately. Do not execute under any circumstances. If this file was downloaded or executed, perform a full system scan with a clean antivirus tool and verify Windows Defender is enabled and functioning.
win64 corroborated by 1 source
- MT AI Engine: win64
13 detections across 74 engines
Forensic fingerprint
- File name: enable-defender.exe
- Size: 286.5 KB
- MIME type: application/x-msdownload
- Detected type: (unknown)
- SHA-256: 123866f5752a876a562fe8fca3b61846aecf3881477d31aedf735e3357184224
- MD5: 863303f5468199f1f5f6dddf3474fb04
- SHA-1: 9dae787d2df5248f12d70e89f6826bd160f12d2f
- Last analysis (VT): 6/24/2026, 12:26:07 PM
- First scan (MalwareTips): 6/24/2026, 12:27:39 PM
- Last scan (MalwareTips): 6/24/2026, 12:27:39 PM
Reviews & malware reports (0)