Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 31-05-2024 11:20
Behavioral tasks
- behavioral1: Venom-Rat-Cracked--main/Venom Activated Cracked.exe (resource: win11-20240426-en)
- behavioral2: Majid Z Hacker.exe (resource: win11-20240426-en)
- behavioral3: Venom Cracked.exe (resource: win11-20240508-en)
- behavioral4: Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe (resource: win11-20240426-en)
- behavioral5: Venom Cracked.exe (resource: win11-20240419-en)
- behavioral6: Venom-Rat-Cracked--main/Venom Software RAT.exe (resource: win11-20240508-en)
- behavioral7: Venom-Rat-Cracked--main/vncviewer.exe (resource: win11-20240426-en)
General
- Target: Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe
- Size: 9.8MB
- MD5: 1947749a785b384a9bfe51d57c796ae9
- SHA1: db986cb4503589a2319e596b799c878ec4d4a990
- SHA256: 6018e4099dca3d452ecc8fe34f5e6d00b2b43c5c21cdea1b4c53c7025376048a
- SHA512: 3e82f60c595a5fc25043729366137ea35f2037bf23b78248cf8946a2edb39c6af4c9159c9c5b6c876148ef8b06468d975a4f6e413319b6ebc9712920f3c5829e
- SSDEEP: 196608:w6+0f/ylacMb5mCbClb12UK4RDx5gRIAL1xXPm68DwOHRR+kc4N4FmDdgW7U:40f/KacMbR2J2UKEdiRIAL1xXPCwkEn3
Malware Config
Signatures
- Contains code to disable Windows Defender (1 IoC)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\script.vbs | disable_win_def
- Modifies Windows Defender Real-time Protection settings
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | WScript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | WScript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | WScript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | WScript.exe
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
  pid | process
  3304 | netsh.exe
- Drops startup file (4 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe | windows.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe | windows.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e23fc64d012fb66b44b10cd7ea0e2414.exe | microsoft corporation.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e23fc64d012fb66b44b10cd7ea0e2414.exe | microsoft corporation.exe
- Executes dropped EXE (6 IoCs)
  Processes:
  pid | process
  248 | Venom Cracked.exe
  2768 | Majid Z Hacker Website.exe
  1372 | microsoft corporation.exe
  2808 | windows.exe
  2404 | windows.exe
  3628 | microsoft corporation.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe" | windows.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe" | windows.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Updates\\windows.exe" | windows.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Updates\\windows.exe" | windows.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\e23fc64d012fb66b44b10cd7ea0e2414 = "\"C:\\ProgramData\\microsoft corporation.exe\" .." | microsoft corporation.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e23fc64d012fb66b44b10cd7ea0e2414 = "\"C:\\ProgramData\\microsoft corporation.exe\" .." | microsoft corporation.exe
- Drops autorun.inf file (1 TTP, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes:
  description | ioc | process
  File created | F:\autorun.inf | windows.exe
  File opened for modification | F:\autorun.inf | windows.exe
  File created | C:\autorun.inf | windows.exe
  File opened for modification | C:\autorun.inf | windows.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe | nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe | nsis_installer_2
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | windows.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | windows.exe
- Modifies registry class (1 IoC)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings | Majid Z Hacker Website.exe
- Suspicious behavior: EnumeratesProcesses (35 IoCs)
  Processes (pid process, in report order):
  3228 powershell.exe, 2368 powershell.exe, 1172 powershell.exe, 412 powershell.exe, 4292 powershell.exe,
  4468 powershell.exe, 4468 powershell.exe, 2008 powershell.exe, 2008 powershell.exe, 3556 powershell.exe,
  3556 powershell.exe, 1108 powershell.exe, 1108 powershell.exe, 2300 powershell.exe, 2300 powershell.exe,
  4292 powershell.exe, 4292 powershell.exe, 4328 powershell.exe, 4328 powershell.exe, 2368 powershell.exe,
  2368 powershell.exe, 3228 powershell.exe, 3228 powershell.exe, 412 powershell.exe, 412 powershell.exe,
  1172 powershell.exe, 1172 powershell.exe, 4468 powershell.exe, 2300 powershell.exe, 2008 powershell.exe,
  3556 powershell.exe, 1108 powershell.exe, 4328 powershell.exe, 1372 microsoft corporation.exe, 1372 microsoft corporation.exe
- Suspicious use of AdjustPrivilegeToken (63 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3228 | powershell.exe
  Token: SeDebugPrivilege | 2368 | powershell.exe
  Token: SeDebugPrivilege | 1172 | powershell.exe
  Token: SeDebugPrivilege | 412 | powershell.exe
  Token: SeDebugPrivilege | 4292 | powershell.exe
  Token: SeDebugPrivilege | 4468 | powershell.exe
  Token: SeDebugPrivilege | 2008 | powershell.exe
  Token: SeDebugPrivilege | 3556 | powershell.exe
  Token: SeDebugPrivilege | 2300 | powershell.exe
  Token: SeDebugPrivilege | 1108 | powershell.exe
  Token: SeDebugPrivilege | 4328 | powershell.exe
  Token: SeDebugPrivilege | 1372 | microsoft corporation.exe
  Token: SeDebugPrivilege | 3628 | microsoft corporation.exe
  The remaining 50 IoCs alternate between the following two rows, 25 times each:
  Token: 33 | 3628 | microsoft corporation.exe
  Token: SeIncBasePriorityPrivilege | 3628 | microsoft corporation.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
  pid | process
  2808 | windows.exe
  2404 | windows.exe
  248 | Venom Cracked.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  Processes:
  pid | process
  248 | Venom Cracked.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid | process
  2808 | windows.exe
  2404 | windows.exe
- Suspicious use of WriteProcessMemory (57 IoCs)
  Processes (identical consecutive rows are collapsed with a repetition count):
  description | pid | process | target process
  PID 2740 wrote to memory of 248 | 2740 | Venom Software RAT Activated Cracked.exe | Venom Cracked.exe (x2)
  PID 2740 wrote to memory of 2768 | 2740 | Venom Software RAT Activated Cracked.exe | Majid Z Hacker Website.exe (x3)
  PID 2768 wrote to memory of 1372 | 2768 | Majid Z Hacker Website.exe | microsoft corporation.exe (x3)
  PID 2768 wrote to memory of 2808 | 2768 | Majid Z Hacker Website.exe | windows.exe (x2)
  PID 2768 wrote to memory of 5092 | 2768 | Majid Z Hacker Website.exe | WScript.exe (x3)
  PID 5092 wrote to memory of 1784 | 5092 | WScript.exe | WScript.exe (x3)
  PID 1784 wrote to memory of 3228 | 1784 | WScript.exe | powershell.exe (x3)
  PID 1784 wrote to memory of 1172 | 1784 | WScript.exe | powershell.exe (x3)
  PID 1784 wrote to memory of 412 | 1784 | WScript.exe | powershell.exe (x3)
  PID 1784 wrote to memory of 2368 | 1784 | WScript.exe | powershell.exe (x3)
  PID 1784 wrote to memory of 4292 | 1784 | WScript.exe | powershell.exe (x3)
  PID 1784 wrote to memory of 4468 | 1784 | WScript.exe | powershell.exe (x3)
  PID 1784 wrote to memory of 2008 | 1784 | WScript.exe | powershell.exe (x3)
  PID 1784 wrote to memory of 2300 | 1784 | WScript.exe | powershell.exe (x3)
  PID 1784 wrote to memory of 1108 | 1784 | WScript.exe | powershell.exe (x3)
  PID 1784 wrote to memory of 3556 | 1784 | WScript.exe | powershell.exe (x3)
  PID 1784 wrote to memory of 4328 | 1784 | WScript.exe | powershell.exe (x3)
  PID 2808 wrote to memory of 2404 | 2808 | windows.exe | windows.exe (x2)
  PID 1372 wrote to memory of 3628 | 1372 | microsoft corporation.exe | microsoft corporation.exe (x3)
  PID 3628 wrote to memory of 3304 | 3628 | microsoft corporation.exe | netsh.exe (x3)
Processes (tree; the number in brackets is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Software RAT Activated Cracked.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Software RAT Activated Cracked.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe"
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  [2] C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe"
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\ProgramData\microsoft corporation.exe
          Command line: "C:\ProgramData\microsoft corporation.exe"
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\ProgramData\microsoft corporation.exe" "microsoft corporation.exe" ENABLE
            - Modifies Windows Firewall
    [3] C:\Users\Admin\AppData\Local\Temp\windows.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe"
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops autorun.inf file
          - Checks processor information in registry
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs" /elevate
          - Modifies Windows Defender Real-time Protection settings
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: ac4917a885cf6050b1a483e4bc4d2ea5
  SHA1: b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
  SHA256: e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
  SHA512: 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 7562771811fd8c8a86936abdd287f0ec
  SHA1: d9903d0dead9710bed125bfeef3f290e86701b7b
  SHA256: 3bb43c7de86bbfc0cc5835ceb2fc9b7f0b33b1d94dcbc9afc56dfa4f13d3bb47
  SHA512: f68fa2221b90119136346a5d7f3d6efaa943a69f42b64eee83fe6ca52797d66ad0119001cd50015577dacf428b7a2c3f4eedeeeb0a409d63497d560e335bc89f
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 702a6df445d94ac3736bac0c1dc1947a
  SHA1: 47a9d9df011df964d2f2293c1ecefe92f6757eba
  SHA256: 29cbc69e6a8cdccc57a0eb11cf8703b4eb187b0ee39a7a3917f6a497b18f45da
  SHA512: 5fc3c6bbd593ae2a472a8fbb45c12e2697de64f2f161285f940e22ccd5b3471b7808b31a777413d99063a887e9bfcc90cf4950bcea84fc6a222487873adca4c7
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: f039e611bdab5cd77cbd079ab14cad5a
  SHA1: 46a3368f7de131e6f5b73f3e15b2c814d650e84d
  SHA256: b4134af0135970afd36f00494e594d6c6b195c5f9a8781934f3908602ee8afa0
  SHA512: 606fb33ba5b3c8a8e7f0d1d5e7afb02c70ddc9ca54cf4cec27cb07420abb15f87715d2b670dc906384abd3fa03b5a54eadf83ed77fa4962ae411a58daa5ad30e
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 4b11be7e1f1f157805d9019c8bdf7493
  SHA1: 90445f579d0a65e0d31e40307830267de9e24e41
  SHA256: 97677ffdcee4be99794053f925f39ed26ea9ff0dca3eb05f69727003e3c7c21e
  SHA512: 9987924b48a7b9c72a6e651cc74a1b66fade0857c17707e5637f3a0063ac3a12e973f52ff7e9ce2b88f773ed265e4d5cbbfa5b7b2204d8572fe006aac0a68c25
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 36dc41c5023bd27510aac97a563769c9
  SHA1: adcdedb293c4bcef5a3a7d1718165beb639247ee
  SHA256: 2e7fac47d7d8429172643a3e3ff1b23ce220f4682889d4410dd668db71a6f1c4
  SHA512: 6fb8447d5fcd8d0b42763f49ee3ae96080aaa407820c860ff817ee484a5d73df7664ad9da5cdbe532f2d8a71edee3471ac4fd70fbc04daec343fc71092bff6a8
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 51e5fb2e4beb98fa79a973b584e28e04
  SHA1: 93faa2544e8af1def8ecd9e9168e96f7dca0c0f0
  SHA256: fcac468a39d1dd157c491990876b1421160abd00b6ac55cd5a58ea4b01f11b23
  SHA512: ed20bacc397a64836754d06a58933f9d98039ab0d0a6757f5d2fbdd1dd485984c7f8a2f1ec35a2a6a5b1050ddc7c98c7dd8d467826a5d53a9d455e5c8c97fd14
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: f4eba250208aa1bd2e61cba730e2956e
  SHA1: 6c6e89f1da92b2e29ab837edf702f7062a82a282
  SHA256: 9246542bf42eb06de043e9f5168478e80885b8c7fe3e8d45f2f047981bf9d2f5
  SHA512: 2cd5679e74ed838de01c340b64d6ef59bf5482a5364bbdfb851c775b3dea55387f356eef3497d60d20f215f03fa1be6feaa4c5829b230f285624f72711974779
- C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe
  Filesize: 127KB
  MD5: b4d0b69f3c391acca7128a66abd480f7
  SHA1: 8ccac1861f4c544c51a5c7d4a0fb32796ab30488
  SHA256: 349b87c3ebd55cab9daa375c468b62be416063af859a16bed78cf4bd06fb5c07
  SHA512: 9578df157aafc7740e12952d1abba08fa9e032fc73073e1787fffb7e24ce6963d98d7bdd4539297be0123626efdfccb63c7dea411d82ceef7bf6197ff2806ff1
- C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe
  Filesize: 12.1MB
  MD5: 750015e08a9409c80cd3837daebb970a
  SHA1: bfd1122f8c459862717b0b7a50b7216fc2573880
  SHA256: 3c413ee4b07c531c891ac1852d3d1b6a60bdc92e549e9cf4744d4fe85ebb5de2
  SHA512: f35938eac84d6084d9239977462c965bab95924895cd2b73e501a7d7c2ff400aaeaefbdc3302ac8f8c13cd49e22d19e95ef530cf1cc10f79f6ab62653021e5ac
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctn0htp5.q5v.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\melt.txt
  Filesize: 45B
  MD5: c65dda57254957c2ad83b548c55b42a5
  SHA1: d88daf5dd37726325a30a3078c254128f5579f85
  SHA256: adae127291a1d4f70e9ff1258044a01d95176fd9bb2c303ab94f3e62db429a44
  SHA512: d74c977dd16046f024a6b012322dcfd0380fcc58a5db5e96d350852723bc1404d49a67d6185210711a24b9aeb94974212f4e056590e0742937821a459ba628b6
- C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe
  Filesize: 33KB
  MD5: 23fb3146d1455b890afdbd9511b48351
  SHA1: 9e0118366167c76de2d88fb354606d5e58677eb7
  SHA256: 58c8e3599d16762dfc51decf16c3d014cd8c8dd1aab59a0acff5372c5182bda7
  SHA512: 92a816b16f854cb19a28a9bd186223dd3f7961800b6486b32be1f270b26a0240c0f68ebe0f6c555b72f0e3388f3aa1a061fad50c0b09aaec1af9de1185fc8cf4
- C:\Users\Admin\AppData\Local\Temp\script.vbs
  Filesize: 1KB
  MD5: 77a4da4863ffcaba51ce05d3c632158d
  SHA1: 253f9a594a6ca3a7a23acb90f8dc81939215ba4b
  SHA256: ecd586281fc4655e40108fcf118beeae3411c1c1176951a763e47fb66d2e421f
  SHA512: ba215fa65a011f5841f5e92b4053895c13368e894817551a982ca3e821726b8bbb13616bca8781fed08f4c83528d0d3ac233fa1f3e14ad4253fdefd9a22253cf
- C:\Users\Admin\AppData\Local\Temp\windows.exe
  Filesize: 145KB
  MD5: aa4ba7df205e6f0dc8d847ab3c3681c2
  SHA1: bb8c96c2f736f1d5f1923fc3b20f53b890b98e46
  SHA256: 59a0bd599e306457164b08b7fe23bbf4fe92b202beaad836d6faa28da61073ca
  SHA512: 0f8f57de1251e3102d1db2c72ed7c3f7cc1d12c3ce561a275d4d280944f77952970464c553da3ce6ce88e9462033818ed186e83eba1b8853d16d28bcc7140450
Memory dumps (pid-index-range):
- memory/248-306-0x00007FFF244F3000-0x00007FFF244F5000-memory.dmp (Filesize: 8KB)
- memory/248-20-0x00000000001D0000-0x0000000000DEA000-memory.dmp (Filesize: 12.1MB)
- memory/248-17-0x00007FFF244F3000-0x00007FFF244F5000-memory.dmp (Filesize: 8KB)
- memory/412-51-0x0000000005570000-0x0000000005B9A000-memory.dmp (Filesize: 6.2MB)
- memory/412-223-0x0000000072460000-0x00000000724AC000-memory.dmp (Filesize: 304KB)
- memory/1108-270-0x0000000072460000-0x00000000724AC000-memory.dmp (Filesize: 304KB)
- memory/1172-214-0x0000000072460000-0x00000000724AC000-memory.dmp (Filesize: 304KB)
- memory/1172-50-0x0000000004840000-0x0000000004876000-memory.dmp (Filesize: 216KB)
- memory/1372-39-0x0000000001A30000-0x0000000001A40000-memory.dmp (Filesize: 64KB)
- memory/2008-241-0x0000000072460000-0x00000000724AC000-memory.dmp (Filesize: 304KB)
- memory/2300-191-0x0000000072460000-0x00000000724AC000-memory.dmp (Filesize: 304KB)
- memory/2368-66-0x0000000006320000-0x0000000006386000-memory.dmp (Filesize: 408KB)
- memory/2368-65-0x0000000006280000-0x00000000062A2000-memory.dmp (Filesize: 136KB)
- memory/2368-67-0x0000000006400000-0x0000000006466000-memory.dmp (Filesize: 408KB)
- memory/2368-180-0x0000000072460000-0x00000000724AC000-memory.dmp (Filesize: 304KB)
- memory/2368-72-0x0000000006530000-0x0000000006887000-memory.dmp (Filesize: 3.3MB)
- memory/2404-321-0x000000001D910000-0x000000001D972000-memory.dmp (Filesize: 392KB)
- memory/2808-71-0x000000001DBE0000-0x000000001DEF0000-memory.dmp (Filesize: 3.1MB)
- memory/2808-49-0x000000001C050000-0x000000001C09C000-memory.dmp (Filesize: 304KB)
- memory/2808-48-0x0000000000D90000-0x0000000000D98000-memory.dmp (Filesize: 32KB)
- memory/2808-47-0x000000001BEF0000-0x000000001BF8C000-memory.dmp (Filesize: 624KB)
- memory/2808-46-0x000000001B970000-0x000000001BE3E000-memory.dmp (Filesize: 4.8MB)
- memory/2808-45-0x000000001B3F0000-0x000000001B496000-memory.dmp (Filesize: 664KB)
- memory/3228-204-0x0000000072460000-0x00000000724AC000-memory.dmp (Filesize: 304KB)
- memory/3556-250-0x0000000072460000-0x00000000724AC000-memory.dmp (Filesize: 304KB)
- memory/4292-179-0x0000000007B20000-0x000000000819A000-memory.dmp (Filesize: 6.5MB)
- memory/4292-190-0x0000000007560000-0x000000000756A000-memory.dmp (Filesize: 40KB)
- memory/4292-158-0x0000000006190000-0x00000000061AE000-memory.dmp (Filesize: 120KB)
- memory/4292-159-0x00000000064E0000-0x000000000652C000-memory.dmp (Filesize: 304KB)
- memory/4292-260-0x0000000007730000-0x0000000007745000-memory.dmp (Filesize: 84KB)
- memory/4292-279-0x0000000007830000-0x000000000784A000-memory.dmp (Filesize: 104KB)
- memory/4292-280-0x0000000007820000-0x0000000007828000-memory.dmp (Filesize: 32KB)
- memory/4292-213-0x00000000076F0000-0x0000000007701000-memory.dmp (Filesize: 68KB)
- memory/4292-203-0x0000000007770000-0x0000000007806000-memory.dmp (Filesize: 600KB)
- memory/4292-259-0x0000000007720000-0x000000000772E000-memory.dmp (Filesize: 56KB)
- memory/4292-167-0x0000000006760000-0x0000000006794000-memory.dmp (Filesize: 208KB)
- memory/4292-189-0x00000000074E0000-0x00000000074FA000-memory.dmp (Filesize: 104KB)
- memory/4292-177-0x0000000007160000-0x000000000717E000-memory.dmp (Filesize: 120KB)
- memory/4292-178-0x0000000007380000-0x0000000007424000-memory.dmp (Filesize: 656KB)
- memory/4292-168-0x0000000072460000-0x00000000724AC000-memory.dmp (Filesize: 304KB)
- memory/4328-261-0x0000000072460000-0x00000000724AC000-memory.dmp (Filesize: 304KB)
- memory/4468-232-0x0000000072460000-0x00000000724AC000-memory.dmp (Filesize: 304KB)