f911a357abf083c321d7240e1070b470c9d2a64c1503700dbec45980c88c0aa4

Analysis

max time kernel
1s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Venom-Rat-Cracked--main/Venom Activated Cracked.exe
Size

10.1MB
MD5

4dabfeed4b250a3248714458ae370ca8
SHA1

6e215b2a20039a4dbde18579a1419a4eb10946ac
SHA256

eb23cbc820d2b8fdc0227b2e89274edf2671163cae40e0a9bb930b91c05ac3a9
SHA512

7ea826cf27da942ce2e9db4a800b3c247670a8fc260af8686d14c48583f38f14b935d5af282a3774a9811f0957ca7318dc883307254554e907f7cfb5f6419a4c
SSDEEP

196608:m6+0f/ylacMb5mCbClb12UK4RDx5gRIAL1xXPm68DwOHRR+kc4N4FmDdgW7NaREE:m0f/KacMbR2J2UKEdiRIAL1xXPCwkEn7

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 42 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
3512	netsh.exe
3240	netsh.exe
3112	netsh.exe
5384	netsh.exe
5932	netsh.exe
644	netsh.exe
3824	netsh.exe
5164	netsh.exe
4600	netsh.exe
4812	netsh.exe
1216	netsh.exe
2764	netsh.exe
5704	netsh.exe
4440	netsh.exe
6140	netsh.exe
6128	netsh.exe
4512	netsh.exe
3876	netsh.exe
652	netsh.exe
3404	netsh.exe
1884	netsh.exe
4980	netsh.exe
5204	netsh.exe
4588	netsh.exe
2272	netsh.exe
3612	netsh.exe
2172	netsh.exe
4872	netsh.exe
1124	netsh.exe
5200	netsh.exe
5188	netsh.exe
2704	netsh.exe
4476	netsh.exe
1092	netsh.exe
2724	netsh.exe
4616	netsh.exe
2424	netsh.exe
5404	netsh.exe
3760	netsh.exe
2148	netsh.exe
3124	netsh.exe
3200	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Venom Activated Cracked.exeMajid Z Hacker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Venom Activated Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Majid Z Hacker.exe

Executes dropped EXE 4 IoCs

Processes:

Venom Cracked.exeMajid Z Hacker.exeMajid Z Hacker.exefirewall.exe

pid process

1928 Venom Cracked.exe
4832 Majid Z Hacker.exe
3088 Majid Z Hacker.exe
4936 firewall.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1928	Venom Cracked.exe
4832	Majid Z Hacker.exe
3088	Majid Z Hacker.exe
4936	firewall.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Venom Activated Cracked.exeMajid Z Hacker.exe

description	pid	process	target process
PID 1180 wrote to memory of 1928	1180	Venom Activated Cracked.exe	Venom Cracked.exe
PID 1180 wrote to memory of 1928	1180	Venom Activated Cracked.exe	Venom Cracked.exe
PID 1180 wrote to memory of 4832	1180	Venom Activated Cracked.exe	Majid Z Hacker.exe
PID 1180 wrote to memory of 4832	1180	Venom Activated Cracked.exe	Majid Z Hacker.exe
PID 1180 wrote to memory of 4832	1180	Venom Activated Cracked.exe	Majid Z Hacker.exe
PID 4832 wrote to memory of 3088	4832	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 4832 wrote to memory of 3088	4832	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 4832 wrote to memory of 3088	4832	Majid Z Hacker.exe	Majid Z Hacker.exe
PID 4832 wrote to memory of 4936	4832	Majid Z Hacker.exe	firewall.exe
PID 4832 wrote to memory of 4936	4832	Majid Z Hacker.exe	firewall.exe
PID 4832 wrote to memory of 4936	4832	Majid Z Hacker.exe	firewall.exe

C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Activated Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Activated Cracked.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe"
2⤵
- Executes dropped EXE
PID:1928

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
3⤵
- Executes dropped EXE
PID:3088

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
4⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
5⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
6⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
7⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
8⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
9⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
10⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
11⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
12⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
13⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
14⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
15⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
16⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
17⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
18⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
19⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
20⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
21⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
22⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
23⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
24⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
25⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
26⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
27⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
28⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
29⤵
PID:5172

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
30⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
31⤵
PID:5780

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
32⤵
PID:5988

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
33⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
34⤵
PID:5504

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
35⤵
PID:5444

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
36⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
37⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
38⤵
PID:5344

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
39⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
40⤵
PID:5444

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
41⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
42⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
43⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
44⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
45⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
45⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
44⤵
PID:5708

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
45⤵
- Modifies Windows Firewall
PID:4980

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
43⤵
PID:412

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
44⤵
- Modifies Windows Firewall
PID:5164

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
42⤵
PID:6100

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
43⤵
- Modifies Windows Firewall
PID:644

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
41⤵
PID:6060

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
42⤵
- Modifies Windows Firewall
PID:2704

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
40⤵
PID:6008

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
41⤵
- Modifies Windows Firewall
PID:4588

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
39⤵
PID:5604

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
40⤵
- Modifies Windows Firewall
PID:1884

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
38⤵
PID:5244

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
39⤵
- Modifies Windows Firewall
PID:6128

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
37⤵
PID:5532

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
38⤵
- Modifies Windows Firewall
PID:5404

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
36⤵
PID:1216

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
37⤵
- Modifies Windows Firewall
PID:5204

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
35⤵
PID:5392

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
36⤵
- Modifies Windows Firewall
PID:6140

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
34⤵
PID:5516

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
35⤵
- Modifies Windows Firewall
PID:4440

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
33⤵
PID:2084

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
34⤵
- Modifies Windows Firewall
PID:2424

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
32⤵
PID:6000

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
33⤵
- Modifies Windows Firewall
PID:5200

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
31⤵
PID:5788

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
32⤵
- Modifies Windows Firewall
PID:5932

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
30⤵
PID:5464

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
31⤵
- Modifies Windows Firewall
PID:5704

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
29⤵
PID:5272

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
30⤵
- Modifies Windows Firewall
PID:5384

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
28⤵
PID:4332

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
29⤵
- Modifies Windows Firewall
PID:5188

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
27⤵
PID:2304

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
28⤵
- Modifies Windows Firewall
PID:3240

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
26⤵
PID:2672

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
27⤵
- Modifies Windows Firewall
PID:3824

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
25⤵
PID:4960

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
26⤵
- Modifies Windows Firewall
PID:2764

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
24⤵
PID:460

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
25⤵
- Modifies Windows Firewall
PID:1216

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
23⤵
PID:1948

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
24⤵
- Modifies Windows Firewall
PID:4872

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
22⤵
PID:4940

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
23⤵
- Modifies Windows Firewall
PID:2172

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
21⤵
PID:3176

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
22⤵
- Modifies Windows Firewall
PID:4616

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
20⤵
PID:4600

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
21⤵
- Modifies Windows Firewall
PID:3112

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
19⤵
PID:1712

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
20⤵
- Modifies Windows Firewall
PID:3200

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
18⤵
PID:2592

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
19⤵
- Modifies Windows Firewall
PID:3404

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
17⤵
PID:1092

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
18⤵
- Modifies Windows Firewall
PID:3124

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
16⤵
PID:864

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
17⤵
- Modifies Windows Firewall
PID:2148

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
15⤵
PID:2464

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
16⤵
- Modifies Windows Firewall
PID:652

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
14⤵
PID:4784

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
15⤵
- Modifies Windows Firewall
PID:2724

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
13⤵
PID:3668

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
14⤵
- Modifies Windows Firewall
PID:3612

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
12⤵
PID:4968

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
13⤵
- Modifies Windows Firewall
PID:3512

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
11⤵
PID:4472

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
12⤵
- Modifies Windows Firewall
PID:1124

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
10⤵
PID:2228

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
11⤵
- Modifies Windows Firewall
PID:1092

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
9⤵
PID:4312

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
10⤵
- Modifies Windows Firewall
PID:4812

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
8⤵
PID:3020

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
9⤵
- Modifies Windows Firewall
PID:3876

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
7⤵
PID:3384

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
8⤵
- Modifies Windows Firewall
PID:4600

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
6⤵
PID:4464

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
7⤵
- Modifies Windows Firewall
PID:2272

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
5⤵
PID:3656

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
6⤵
- Modifies Windows Firewall
PID:4476

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
4⤵
PID:4952

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
5⤵
- Modifies Windows Firewall
PID:3760

C:\Users\Admin\AppData\Local\Temp\firewall.exe
"C:\Users\Admin\AppData\Local\Temp\firewall.exe"
3⤵
- Executes dropped EXE
PID:4936

C:\Windows\SysWOW64\netsh.exe
"netsh.exe" firewall set opmode disable
4⤵
- Modifies Windows Firewall
PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BlackData.dat
Filesize
3B

MD5
93cba07454f06a4a960172bbd6e2a435

SHA1
5397e0583f14f6c88de06b1ef28f460a1fb5b0ae

SHA256
85a39ab345d672ff8ca9b9c6876f3adcacf45ee7c1e2dbd2408fd338bd55e07e

SHA512
6b99acba1e4e469610f9227829648fa52e7ad463f22568f0a04188f2d465a585ba077f12d1a527674c338470e79665fd16e54f25553482cddd85845232d186f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
Filesize
462KB

MD5
a8a8d6f3b48466242959545235d1c9b6

SHA1
0c2d670dc3b3b07a2498756e1d46fd1fee53a621

SHA256
09d709640f6884d6b7e7501175cfdcc3724df07785c081c0e14b20cbcdf382ec

SHA512
09f08dd6026b2e24a05e20505723055deceffaba3d351dd49cdc934d038ef0796a3d8d481fe7734b3ec3ba80f4800994983441204dbc3f12baf4f637534a4796

Download Submit
C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe
Filesize
12.1MB

MD5
750015e08a9409c80cd3837daebb970a

SHA1
bfd1122f8c459862717b0b7a50b7216fc2573880

SHA256
3c413ee4b07c531c891ac1852d3d1b6a60bdc92e549e9cf4744d4fe85ebb5de2

SHA512
f35938eac84d6084d9239977462c965bab95924895cd2b73e501a7d7c2ff400aaeaefbdc3302ac8f8c13cd49e22d19e95ef530cf1cc10f79f6ab62653021e5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\firewall.exe
Filesize
40KB

MD5
085242fc50844dc41d1966e620d3e121

SHA1
5e9a343256313938468d5d4fb92e39c5ef6f8c91

SHA256
180b8e0169f2c89d3b4f34d3ee5b26f5578211068be74cf9c2fd194d8cda9b3d

SHA512
3341c74802aa98ce2bd7b15d2921d3082110c62ee6d82df784cb610c1594d905c82c6ae79cf43d76f98db7a8a4951686898ba1dddeb9615fca6480ac6bb7887b

Download Submit
C:\Users\Admin\Documents\My Music\autorun.inf
Filesize
287B

MD5
15755ea8c0f620cfdaf9ada425e6b4c2

SHA1
868d9aca932d7a1a0d26ba19d613e34f3325a4eb

SHA256
3ae21c30b4273c6dfcc5841aaa18d776e53dd9dd9458051cb5457e25af4250fe

SHA512
6a44ff83fcf9d22fe1d06d3333be2bcfd45df0a9bc449cdf857d255c69d88497efc8c00c6a4ba383da6ebd7d422e87fea2e78ad62ec678fa3dc1aac29e34fae9

Download Submit
C:\Users\Admin\Documents\My Pictures\autorun.inf
Filesize
299B

MD5
d7111cd7ccdee778d8261d4e03614a85

SHA1
f88c30e0403764b7384e3ef64cb54a1c2f5121f4

SHA256
6ad6f66d55b492f4f982a1bbe9ba99b20f3c77b93285cca02ca7843642336aa3

SHA512
15578fff5e7ee767edeaa4da93a66b2a634d8caa7a0a06223481fa6ab1c97c64f3871a36550406bc29f2e1262bb01e282d022cd55e9e7aa8ce9745fa3037c5b1

Download Submit
C:\Users\Admin\Documents\My Videos\autorun.inf
Filesize
291B

MD5
5cda9292cfaacb554b5ddda7a5d8daa0

SHA1
05d78ca665e4186a6245c29c9b392e090a9d0937

SHA256
8cbbcbdb2618fb7eaf7e09ceceee1c9d0cbdf609e4f0fc9a6a2de71912ceb174

SHA512
825381e97b7a0458898f27a95584affa011d1038a380a3e19c81cb04a80bbb9924536fa6c53dbde073d371de2918ede9a0e2427b9227888ce208b6ac50accdba

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\autorun.inf
Filesize
323B

MD5
f949be5c00056b76437bc780e92999de

SHA1
fd9920081f3bf1e7eb86433b1ac1a4d8f25174e6

SHA256
3c4ffecacd1c4c008d3fb69855972b2209e12e9695386b687038e12c5ec80ce8

SHA512
619eec04a8c1cce943aa27f69f65480428f07685a03a543d69800e0fdc41321ccd2cc57ff7ba310d22a0196b6cfdb5b30e5331c1a1ac6f0c94382cb27d32f270

Download Submit
memory/1928-18-0x00007FFE83493000-0x00007FFE83495000-memory.dmp

Filesize
8KB

Download
memory/1928-29-0x0000000000110000-0x0000000000D2A000-memory.dmp

Filesize
12.1MB

Download