Overview (score 10)
Static (score 10)

Behavioral analyses listed in the report index (sample name as truncated in the index | platform | score):
Venom-Rat-...0.html | windows7-x64 | 1
Venom-Rat-...0.html | windows10-2004-x64 | 1
Venom-Rat-...0.html | windows7-x64 | 1
Venom-Rat-...0.html | windows10-2004-x64 | 1
Venom-Rat-...il.dll | windows7-x64 | 1
Venom-Rat-...il.dll | windows10-2004-x64 | 1
Venom-Rat-...at.dll | windows7-x64 | 1
Venom-Rat-...at.dll | windows10-2004-x64 | 1
Venom-Rat-...me.dll | windows7-x64 | 1
Venom-Rat-...me.dll | windows10-2004-x64 | 1
Venom-Rat-...ed.exe | windows7-x64 | 8
Venom-Rat-...ed.exe | windows10-2004-x64 | 8
Majid Z Hacker.exe | windows7-x64 | 8
Majid Z Hacker.exe | windows10-2004-x64 | 8
Majid Z Hacker.exe | windows7-x64 | 10
Majid Z Hacker.exe | windows10-2004-x64 | 10
Windows Program.exe | windows7-x64 | 7
Windows Program.exe | windows10-2004-x64 | 7
script.vbs | windows7-x64 | 10
script.vbs | windows10-2004-x64 | 10
windows registry.exe | windows7-x64 | 10
windows registry.exe | windows10-2004-x64 | 10
firewall.exe | windows7-x64 | 8
firewall.exe | windows10-2004-x64 | (no score shown)
Venom Cracked.exe | windows7-x64 | 1
Venom Cracked.exe | windows10-2004-x64 | 1
Venom-Rat-...er.exe | windows7-x64 | 1
Venom-Rat-...er.exe | windows10-2004-x64 | 1
Venom-Rat-...ed.exe | windows7-x64 | 10
Venom-Rat-...ed.exe | windows10-2004-x64 | 10
Majid Z Ha...te.exe | windows7-x64 | 10
Majid Z Ha...te.exe | windows10-2004-x64 | 10

Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 12:30
Behavioral tasks (task | sample | resource):
behavioral1 | Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html | win7-20240221-en
behavioral2 | Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html | win10v2004-20240508-en
behavioral3 | Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html | win7-20240221-en
behavioral4 | Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html | win10v2004-20240508-en
behavioral5 | Venom-Rat-Cracked--main/Mono.Cecil.dll | win7-20240221-en
behavioral6 | Venom-Rat-Cracked--main/Mono.Cecil.dll | win10v2004-20240426-en
behavioral7 | Venom-Rat-Cracked--main/Mono.Nat.dll | win7-20240221-en
behavioral8 | Venom-Rat-Cracked--main/Mono.Nat.dll | win10v2004-20240508-en
behavioral9 | Venom-Rat-Cracked--main/VelyseTheme.dll | win7-20231129-en
behavioral10 | Venom-Rat-Cracked--main/VelyseTheme.dll | win10v2004-20240508-en
behavioral11 | Venom-Rat-Cracked--main/Venom Activated Cracked.exe | win7-20240215-en
behavioral12 | Venom-Rat-Cracked--main/Venom Activated Cracked.exe | win10v2004-20240508-en
behavioral13 | Majid Z Hacker.exe | win7-20240220-en
behavioral14 | Majid Z Hacker.exe | win10v2004-20240508-en
behavioral15 | Majid Z Hacker.exe | win7-20240508-en
behavioral16 | Majid Z Hacker.exe | win10v2004-20240508-en
behavioral17 | Windows Program.exe | win7-20240221-en
behavioral18 | Windows Program.exe | win10v2004-20240426-en
behavioral19 | script.vbs | win7-20240508-en
behavioral20 | script.vbs | win10v2004-20240426-en
behavioral21 | windows registry.exe | win7-20240508-en
behavioral22 | windows registry.exe | win10v2004-20240508-en
behavioral23 | firewall.exe | win7-20240419-en
behavioral24 | firewall.exe | win10v2004-20240426-en
behavioral25 | Venom Cracked.exe | win7-20240221-en
behavioral26 | Venom Cracked.exe | win10v2004-20240426-en
behavioral27 | Venom-Rat-Cracked--main/Venom Binder.exe | win7-20240221-en
behavioral28 | Venom-Rat-Cracked--main/Venom Binder.exe | win10v2004-20240508-en
behavioral29 | Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe | win7-20240221-en
behavioral30 | Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe | win10v2004-20240426-en
behavioral31 | Majid Z Hacker Website.exe | win7-20240508-en
behavioral32 | Majid Z Hacker Website.exe | win10v2004-20240508-en
General
Target: Majid Z Hacker Website.exe
Size: 127KB
MD5: b4d0b69f3c391acca7128a66abd480f7
SHA1: 8ccac1861f4c544c51a5c7d4a0fb32796ab30488
SHA256: 349b87c3ebd55cab9daa375c468b62be416063af859a16bed78cf4bd06fb5c07
SHA512: 9578df157aafc7740e12952d1abba08fa9e032fc73073e1787fffb7e24ce6963d98d7bdd4539297be0123626efdfccb63c7dea411d82ceef7bf6197ff2806ff1
SSDEEP: 3072:iqRaMrUwmuvDWLcg0CmHmFXfy57jQtMrpGIXFb177dWVqu:inx1FWmxf87UIXpl7dWVR
Malware Config
Signatures
Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\script.vbs | disable_win_def

Modifies Windows Defender Real-time Protection settings
Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | WScript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | WScript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | WScript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | WScript.exe
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes (pid | process):
  2820 | netsh.exe
Drops startup file (4 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe | windows.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e23fc64d012fb66b44b10cd7ea0e2414.exe | microsoft corporation.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e23fc64d012fb66b44b10cd7ea0e2414.exe | microsoft corporation.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe | windows.exe
Executes dropped EXE (4 IoCs)
Processes (pid | process):
  1356 | microsoft corporation.exe
  2560 | windows.exe
  2792 | windows.exe
  2552 | microsoft corporation.exe
Loads dropped DLL (3 IoCs)
Processes (pid | process):
  1532 | Majid Z Hacker Website.exe
  1532 | Majid Z Hacker Website.exe
  1356 | microsoft corporation.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe" | windows.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Updates\\windows.exe" | windows.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Updates\\windows.exe" | windows.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\e23fc64d012fb66b44b10cd7ea0e2414 = "\"C:\\ProgramData\\microsoft corporation.exe\" .." | microsoft corporation.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e23fc64d012fb66b44b10cd7ea0e2414 = "\"C:\\ProgramData\\microsoft corporation.exe\" .." | microsoft corporation.exe
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes (description | ioc | process):
  File created | F:\autorun.inf | windows.exe
  File opened for modification | F:\autorun.inf | windows.exe
  File created | C:\autorun.inf | windows.exe
  File opened for modification | C:\autorun.inf | windows.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes (pid | process):
  2920 | powershell.exe
  2592 | powershell.exe
  2516 | powershell.exe
  2472 | powershell.exe
  2556 | powershell.exe
  2664 | powershell.exe
  2632 | powershell.exe
  1632 | powershell.exe
  2660 | powershell.exe
  788 | powershell.exe
  2776 | powershell.exe
  1356 | microsoft corporation.exe
  1356 | microsoft corporation.exe
Suspicious use of AdjustPrivilegeToken (63 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 2920 | powershell.exe
  Token: SeDebugPrivilege | 2592 | powershell.exe
  Token: SeDebugPrivilege | 2516 | powershell.exe
  Token: SeDebugPrivilege | 2472 | powershell.exe
  Token: SeDebugPrivilege | 2556 | powershell.exe
  Token: SeDebugPrivilege | 2664 | powershell.exe
  Token: SeDebugPrivilege | 2632 | powershell.exe
  Token: SeDebugPrivilege | 1632 | powershell.exe
  Token: SeDebugPrivilege | 2660 | powershell.exe
  Token: SeDebugPrivilege | 788 | powershell.exe
  Token: SeDebugPrivilege | 2776 | powershell.exe
  Token: SeDebugPrivilege | 1356 | microsoft corporation.exe
  Token: SeDebugPrivilege | 2552 | microsoft corporation.exe
  Token: 33 | 2552 | microsoft corporation.exe (25 occurrences, each followed by the entry below)
  Token: SeIncBasePriorityPrivilege | 2552 | microsoft corporation.exe (25 occurrences)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid | process):
  2560 | windows.exe
  2792 | windows.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid | process):
  2560 | windows.exe
  2792 | windows.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process), with the number of times each entry is repeated in the report:
  PID 1532 wrote to memory of 1356 | 1532 | Majid Z Hacker Website.exe | microsoft corporation.exe (4 times)
  PID 1532 wrote to memory of 2560 | 1532 | Majid Z Hacker Website.exe | windows.exe (4 times)
  PID 1532 wrote to memory of 2576 | 1532 | Majid Z Hacker Website.exe | WScript.exe (4 times)
  PID 2576 wrote to memory of 2672 | 2576 | WScript.exe | WScript.exe (4 times)
  PID 2672 wrote to memory of 2632 | 2672 | WScript.exe | powershell.exe (4 times)
  PID 2672 wrote to memory of 2664 | 2672 | WScript.exe | powershell.exe (4 times)
  PID 2672 wrote to memory of 2556 | 2672 | WScript.exe | powershell.exe (4 times)
  PID 2672 wrote to memory of 2516 | 2672 | WScript.exe | powershell.exe (4 times)
  PID 2672 wrote to memory of 2472 | 2672 | WScript.exe | powershell.exe (4 times)
  PID 2672 wrote to memory of 2592 | 2672 | WScript.exe | powershell.exe (4 times)
  PID 2672 wrote to memory of 2920 | 2672 | WScript.exe | powershell.exe (4 times)
  PID 2672 wrote to memory of 1632 | 2672 | WScript.exe | powershell.exe (4 times)
  PID 2672 wrote to memory of 788 | 2672 | WScript.exe | powershell.exe (4 times)
  PID 2672 wrote to memory of 2660 | 2672 | WScript.exe | powershell.exe (4 times)
  PID 2672 wrote to memory of 2776 | 2672 | WScript.exe | powershell.exe (4 times)
  PID 2560 wrote to memory of 2792 | 2560 | windows.exe | windows.exe (3 times)
  PID 1356 wrote to memory of 2552 | 1356 | microsoft corporation.exe | microsoft corporation.exe (1 time)
Processes (process tree; indentation shows the parent/child level)

Level 1: C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\ProgramData\microsoft corporation.exe
      Command line: "C:\ProgramData\microsoft corporation.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\ProgramData\microsoft corporation.exe" "microsoft corporation.exe" ENABLE
        - Modifies Windows Firewall

  Level 2: C:\Users\Admin\AppData\Local\Temp\windows.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops autorun.inf file
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx

  Level 2: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs" /elevate
      - Modifies Windows Defender Real-time Protection settings
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence:
  Create or Modify System Process (2): Windows Service (2)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation:
  Create or Modify System Process (2): Windows Service (2)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\melt.txt
  Filesize: 45B
  MD5: c65dda57254957c2ad83b548c55b42a5
  SHA1: d88daf5dd37726325a30a3078c254128f5579f85
  SHA256: adae127291a1d4f70e9ff1258044a01d95176fd9bb2c303ab94f3e62db429a44
  SHA512: d74c977dd16046f024a6b012322dcfd0380fcc58a5db5e96d350852723bc1404d49a67d6185210711a24b9aeb94974212f4e056590e0742937821a459ba628b6

C:\Users\Admin\AppData\Local\Temp\script.vbs
  Filesize: 1KB
  MD5: 77a4da4863ffcaba51ce05d3c632158d
  SHA1: 253f9a594a6ca3a7a23acb90f8dc81939215ba4b
  SHA256: ecd586281fc4655e40108fcf118beeae3411c1c1176951a763e47fb66d2e421f
  SHA512: ba215fa65a011f5841f5e92b4053895c13368e894817551a982ca3e821726b8bbb13616bca8781fed08f4c83528d0d3ac233fa1f3e14ad4253fdefd9a22253cf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 455f4998bd617c76bfeb3c2827e2372b
  SHA1: caa8cba023e1eb20a0944cc577968ee6e3405463
  SHA256: 3a73c045f5a0a6171cb8425b1df545aaea7da6a525a5c430fb38620743d1a3df
  SHA512: 3597be599dd70af514c943cd1ab4b58de869fa6982b7f645dd6190731bacabf7be0db008cbc39683aa5dda3ffe3da212cecc22ad796aca432b4e8ef0424677e8

\Users\Admin\AppData\Local\Temp\microsoft corporation.exe
  Filesize: 33KB
  MD5: 23fb3146d1455b890afdbd9511b48351
  SHA1: 9e0118366167c76de2d88fb354606d5e58677eb7
  SHA256: 58c8e3599d16762dfc51decf16c3d014cd8c8dd1aab59a0acff5372c5182bda7
  SHA512: 92a816b16f854cb19a28a9bd186223dd3f7961800b6486b32be1f270b26a0240c0f68ebe0f6c555b72f0e3388f3aa1a061fad50c0b09aaec1af9de1185fc8cf4

\Users\Admin\AppData\Local\Temp\windows.exe
  Filesize: 145KB
  MD5: aa4ba7df205e6f0dc8d847ab3c3681c2
  SHA1: bb8c96c2f736f1d5f1923fc3b20f53b890b98e46
  SHA256: 59a0bd599e306457164b08b7fe23bbf4fe92b202beaad836d6faa28da61073ca
  SHA512: 0f8f57de1251e3102d1db2c72ed7c3f7cc1d12c3ce561a275d4d280944f77952970464c553da3ce6ce88e9462033818ed186e83eba1b8853d16d28bcc7140450

memory/1356-19-0x00000000009E0000-0x0000000000A20000-memory.dmp
  Filesize: 256KB

memory/2560-16-0x000007FEF5D1E000-0x000007FEF5D1F000-memory.dmp
  Filesize: 4KB

memory/2560-18-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
  Filesize: 9.6MB

memory/2560-20-0x000007FEF5D1E000-0x000007FEF5D1F000-memory.dmp
  Filesize: 4KB

memory/2560-79-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
  Filesize: 9.6MB