Analysis
-
max time kernel
1050s -
max time network
1079s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system -
submitted
24-12-2024 00:51
Static task
static1
URLScan task
urlscan1
General
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
127.0.0.1:4449
ndlahlengmipmdcv
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Loader.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Loader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Loader.exe -
Executes dropped EXE 8 IoCs
pid Process 2044 tsetup-x64.5.9.0.exe 740 tsetup-x64.5.9.0.tmp 3160 Telegram.exe 3460 Loader.exe 4864 CraxsRatV5.exe 4240 CraxsRatV5.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 2196 rat.exe -
Loads dropped DLL 1 IoCs
pid Process 3160 Telegram.exe -
resource yara_rule behavioral1/files/0x001700000002b0ea-2314.dat themida behavioral1/memory/3460-2317-0x00007FF65A790000-0x00007FF65B4C2000-memory.dmp themida behavioral1/memory/3460-2316-0x00007FF65A790000-0x00007FF65B4C2000-memory.dmp themida behavioral1/memory/3460-2318-0x00007FF65A790000-0x00007FF65B4C2000-memory.dmp themida behavioral1/memory/3460-2320-0x00007FF65A790000-0x00007FF65B4C2000-memory.dmp themida behavioral1/memory/3460-2321-0x00007FF65A790000-0x00007FF65B4C2000-memory.dmp themida behavioral1/memory/3460-2319-0x00007FF65A790000-0x00007FF65B4C2000-memory.dmp themida behavioral1/memory/3460-2323-0x00007FF65A790000-0x00007FF65B4C2000-memory.dmp themida behavioral1/memory/3460-2322-0x00007FF65A790000-0x00007FF65B4C2000-memory.dmp themida behavioral1/memory/3460-2324-0x00007FF65A790000-0x00007FF65B4C2000-memory.dmp themida behavioral1/memory/3460-2334-0x00007FF65A790000-0x00007FF65B4C2000-memory.dmp themida behavioral1/memory/3460-2335-0x00007FF65A790000-0x00007FF65B4C2000-memory.dmp themida behavioral1/memory/3460-2372-0x00007FF65A790000-0x00007FF65B4C2000-memory.dmp themida behavioral1/memory/3460-2373-0x00007FF65A790000-0x00007FF65B4C2000-memory.dmp themida -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Loader.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini Telegram.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3460 Loader.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\Users\Admin\Downloads\tsetup-x64.5.9.0.exe:Zone.Identifier msedge.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tsetup-x64.5.9.0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tsetup-x64.5.9.0.tmp -
Enumerates system info in registry 2 TTPs 9 IoCs
description ioc Process Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Telegram.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ Telegram.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Telegram.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Telegram.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct Telegram.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Telegram.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "252771844" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31151523" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" iexplore.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite\DefaultIcon Telegram.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0\NodeSlot = "10" Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0 = 7e00310000000000ba563294100056454e4f4d527e312e3328530000620009000400efbe98593a0898593c082e00000011b102000000170000000000000000000000000000007b4b0701560065006e006f006d005200410054002000760036002e0030002e0033002000280053004f005500520043004500290000001c000000 Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0\MRUListEx = ffffffff Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite\URL Protocol Telegram.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite\shell Telegram.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tg Telegram.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 800031000000000098593a08100056454e4f4d527e312e33285f0000640009000400efbe98593a0898593a082e00000075ae020000001a000000000000000000000000000000e6977800560065006e006f006d005200410054002000760036002e0030002e003300200028002b0053004f005500520043004500290000001c000000 Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = 00000000ffffffff Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 78003100000000005759f6711100557365727300640009000400efbec5522d60985970062e0000006c0500000000010000000000000000003a00000000004a924b0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tdesktop.tg Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tg\ = "URL:Telegram Link" Telegram.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite\shell\open Telegram.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite\shell\open\command Telegram.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tdesktop.tg\DefaultIcon Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" Telegram.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Venom RAT + HVNC + Stealer + Grabber.exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" Telegram.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10 Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell Venom RAT + HVNC + Stealer + Grabber.exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" Venom RAT + HVNC + Stealer + Grabber.exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" Telegram.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" Venom RAT + HVNC + Stealer + Grabber.exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" Telegram.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 840031000000000098593a081100444f574e4c4f7e3100006c0009000400efbe5759f67198593b082e0000003b570200000001000000000000000000420000000000e697780044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000 Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tdesktop.tonsite Telegram.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tg\DefaultIcon Telegram.exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tdesktop.tonsite\shell\open Telegram.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000 Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 8000310000000000f656fa46100056454e4f4d527e312e33285f0000640009000400efbe98593a0898593a082e00000010b10200000017000000000000000000000000000000805a0f00560065006e006f006d005200410054002000760036002e0030002e003300200028002b0053004f005500520043004500290000001c000000 Venom RAT + HVNC + Stealer + Grabber.exe -
NTFS ADS 4 IoCs
description ioc Process File created C:\Users\Admin\Downloads\Telegram Desktop\Craxs Rat v5.1 + Loader.7z:Zone.Identifier Telegram.exe File created C:\Users\Admin\Downloads\Telegram Desktop\VenomRAT v6.0.3 (+SOURCE).7z:Zone.Identifier Telegram.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 217847.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\tsetup-x64.5.9.0.exe:Zone.Identifier msedge.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3160 Telegram.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2796 msedge.exe 2796 msedge.exe 2900 msedge.exe 2900 msedge.exe 5044 msedge.exe 5044 msedge.exe 3728 identity_helper.exe 3728 identity_helper.exe 3804 msedge.exe 3804 msedge.exe 740 tsetup-x64.5.9.0.tmp 740 tsetup-x64.5.9.0.tmp 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe 2196 rat.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 3160 Telegram.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 2196 rat.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid Process 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeRestorePrivilege 4248 7zG.exe Token: 35 4248 7zG.exe Token: SeSecurityPrivilege 4248 7zG.exe Token: SeSecurityPrivilege 4248 7zG.exe Token: SeDebugPrivilege 4864 CraxsRatV5.exe Token: SeRestorePrivilege 4828 7zG.exe Token: 35 4828 7zG.exe Token: SeSecurityPrivilege 4828 7zG.exe Token: SeSecurityPrivilege 4828 7zG.exe Token: SeDebugPrivilege 4284 Venom RAT + HVNC + Stealer + Grabber.exe Token: SeDebugPrivilege 2196 rat.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 740 tsetup-x64.5.9.0.tmp 3160 Telegram.exe -
Suspicious use of SendNotifyMessage 25 IoCs
pid Process 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 2900 msedge.exe 3160 Telegram.exe 3160 Telegram.exe 3160 Telegram.exe 3160 Telegram.exe 3160 Telegram.exe 3160 Telegram.exe 3160 Telegram.exe 4864 CraxsRatV5.exe 4240 CraxsRatV5.exe 4240 CraxsRatV5.exe 4864 CraxsRatV5.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process 3160 Telegram.exe 3160 Telegram.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 2196 rat.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe 1600 OpenWith.exe 2668 OpenWith.exe 4284 Venom RAT + HVNC + Stealer + Grabber.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2900 wrote to memory of 4404 2900 msedge.exe 77 PID 2900 wrote to memory of 4404 2900 msedge.exe 77 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 3908 2900 msedge.exe 78 PID 2900 wrote to memory of 2796 2900 msedge.exe 79 PID 2900 wrote to memory of 2796 2900 msedge.exe 79 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80 PID 2900 wrote to memory of 4016 2900 msedge.exe 80
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://t.me/RELabDiscussion/308861⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffdb103cb8,0x7fffdb103cc8,0x7fffdb103cd82⤵PID:4404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:22⤵PID:3908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:82⤵PID:4016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵PID:4772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:12⤵PID:2368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:12⤵PID:1752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:12⤵PID:896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:12⤵PID:4844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:12⤵PID:2276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵PID:4976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:12⤵PID:3052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:12⤵PID:2888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6244 /prefetch:82⤵PID:2080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3804
-
-
C:\Users\Admin\Downloads\tsetup-x64.5.9.0.exe"C:\Users\Admin\Downloads\tsetup-x64.5.9.0.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\is-2G75I.tmp\tsetup-x64.5.9.0.tmp"C:\Users\Admin\AppData\Local\Temp\is-2G75I.tmp\tsetup-x64.5.9.0.tmp" /SL5="$902B8,45613588,827904,C:\Users\Admin\Downloads\tsetup-x64.5.9.0.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:740 -
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3160
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:12⤵PID:2288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:12⤵PID:3272
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4132
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3084
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3268
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\" -ad -an -ai#7zMap1040:106:7zEvent221061⤵
- Suspicious use of AdjustPrivilegeToken
PID:4248
-
C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\Loader\Loader.exe"C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\Loader\Loader.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3460
-
C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRatV5.exe"C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRatV5.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4864
-
C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRatV5.exe"C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRatV5.exe"1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:4240
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRat.xml"1⤵PID:3068
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRat.xml2⤵
- Modifies Internet Explorer settings
PID:1684
-
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRat.xml"1⤵PID:2548
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRat.xml2⤵
- Modifies Internet Explorer settings
PID:3420
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\" -ad -an -ai#7zMap24769:110:7zEvent267821⤵
- Suspicious use of AdjustPrivilegeToken
PID:4828
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4284
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:1104
-
C:\Users\Admin\Downloads\rat.exe"C:\Users\Admin\Downloads\rat.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2196 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:1420
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:1872
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:1752
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:4900
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:2792
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5076
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:1460
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:576
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:4632
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5088
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:1636
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:4856
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:4972
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:1700
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:1140
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:4556
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:2712
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:3396
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:3040
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:2436
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:2356
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:4176
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:4104
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:1564
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:712
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:2368
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:3052
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:2264
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:4916
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:4424
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:2284
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:3320
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:3056
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5020
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5156
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5192
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5244
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5300
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5348
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5380
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5432
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5476
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5524
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5576
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5624
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5672
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5720
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5764
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5820
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5868
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5920
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5968
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6024
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6072
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6128
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5500
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5996
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6184
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6216
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6264
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6328
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6368
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6416
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6472
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6512
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6568
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6616
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6656
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6704
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6764
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6808
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6860
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6904
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6944
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7000
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7056
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7088
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7144
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6532
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6920
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7192
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7248
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7288
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7344
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7380
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7424
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7472
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7536
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7584
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7632
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7668
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7728
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7776
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7816
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7864
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7920
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7968
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8004
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8064
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8104
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8164
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7356
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:4020
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:336
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:1240
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:1736
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5640
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5692
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6912
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7216
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7932
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:6272
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8236
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8284
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8332
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8380
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8420
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8468
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8516
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8564
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8612
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8660
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8716
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8764
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8792
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8844
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8904
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8952
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8988
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9052
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9092
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9132
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9180
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8444
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9108
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9252
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9300
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9348
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9392
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9448
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9488
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9548
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9588
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9644
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9692
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9748
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9796
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9828
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9892
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9940
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9980
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10032
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10076
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10132
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10176
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10232
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9760
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:7744
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:5272
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:8488
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9148
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:9564
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10156
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10256
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10300
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10340
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10392
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10456
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10508
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10536
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10576
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10648
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10684
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10736
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10800
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10848
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10888
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10932
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10988
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11028
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11076
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11132
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11180
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11228
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10320
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10956
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11268
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11328
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11384
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11432
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11468
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11528
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11560
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11608
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11660
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11712
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11760
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11808
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11848
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11904
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11956
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12020
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12064
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12096
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12140
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12212
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12260
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:2160
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10312
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:10856
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11540
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12032
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12292
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12332
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12388
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12428
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12488
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12520
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12568
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12624
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12684
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12728
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12776
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12824
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12872
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12912
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12968
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13008
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13064
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13112
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13152
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13200
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13248
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13296
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12700
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12836
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13360
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13408
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13456
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13504
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13552
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13600
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13640
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13696
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13736
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13792
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13832
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13872
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13936
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13984
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14024
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14072
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14128
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14176
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14228
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14264
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14308
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12484
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11980
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11820
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13848
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:11452
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13040
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:1224
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14368
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14416
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14456
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14500
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14560
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14612
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14644
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14708
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14756
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14796
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14824
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14884
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14952
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15000
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15040
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15092
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15136
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15192
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15232
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15272
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15324
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14528
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:13616
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14104
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15304
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15372
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15420
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15468
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15508
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15572
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15604
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15652
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15708
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15748
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15804
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15844
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15900
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15948
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15996
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16044
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16084
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16140
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16180
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16228
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16268
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16348
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16380
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:12744
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14732
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15720
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:2412
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:15772
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16364
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16396
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16456
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16496
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16544
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16600
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16640
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16696
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16748
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16796
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16844
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16892
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16940
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16992
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17036
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17076
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17132
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17172
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17228
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17276
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17324
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17372
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16516
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:14804
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16760
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17288
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:16964
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17416
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17460
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17508
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17556
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17604
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17644
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17704
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17752
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17792
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17848
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17896
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17936
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17996
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18032
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18084
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18128
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18184
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18232
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18296
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18344
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18384
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17616
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18168
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18452
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18516
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18556
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18604
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18652
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18708
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18748
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18804
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18832
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18900
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18948
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18996
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:19036
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:19080
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:19156
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:19220
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:19292
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:19364
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:19428
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:17620
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:18468
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:3124
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:19484
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:19584
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:19640
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:19712
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:19772
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:19868
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵PID:19924
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1600
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2668
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD55431d6602455a6db6e087223dd47f600
SHA127255756dfecd4e0afe4f1185e7708a3d07dea6e
SHA2567502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763
SHA512868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829
-
Filesize
152B
MD57bed1eca5620a49f52232fd55246d09a
SHA1e429d9d401099a1917a6fb31ab2cf65fcee22030
SHA25649c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e
SHA512afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize144B
MD50137be688ef13e60148d61c03e717780
SHA1e6905ed271b147684759dc4ae0471b66872e941a
SHA2569020bb576baeebc7d552f304b235c184f7ebba25334069ca3a4c2e5a71515c8c
SHA5122e43eac8f0ddd7737b3e91c5b4da1c74a670d291b9f6fed1cb7225306fac3aa498c4e1d492dcf05581624b7669f73cb2695d3e6867b7ee38b7ee3aa56c4c9c39
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize168B
MD5ac196ca407bb61b480966000174149e0
SHA192ac6fb9c6ed162e5ebe9655c6716ff06a1861bf
SHA2562dfd58606a7fa924a4af0a3eabab644e2eef19b3db780f0491e9d7b512ed3bc6
SHA51219c84cbf02a32c2b2b455f2f6218e247547291bef95baa88272550dc7e7271d894082ea6b2ecfb19d125152737a84d8ffbf8dda60e169a5cc2f30ba3206fc059
-
Filesize
512B
MD579fc0abf1c001cd651a37b79d70d441b
SHA1fc7dbb343012fad0ca0837fa5ca60eaf6bca1d26
SHA256c65e8af0db21b0436600eb1f377741d981c9584f6d65f5b37240a917b8efb8e7
SHA512ec38bcc9e8786b3212065227638fca9a9bdf07cf4372611e279e4b257f4719572791b24099cd5fbcc9d33c8e257b668cfe1ad9d1a884c0ab649b54aec941bdb3
-
Filesize
5KB
MD5798ef1b30f5f1c2afa7166e671abac77
SHA11de1d17f2bb41f3c69318ca011a8b958fe2aaeb3
SHA2565d6d2ac0e1a2fbe812cabdef9fa933081b7eb2f1630bc2d1026b67fe85de038a
SHA5128ae46f9aafb844b1414500a825e4e248341535a409bc7bba9e5588eccecd15928c2b6cf25c672f27ed837f9e4cab0a0b79aae6c8f0732b54139b47dbfbc1cb08
-
Filesize
6KB
MD596d4e554734429f9f592e7cb47a6c60c
SHA10e9be712f2545c26949ae1556d42b33f4bdfe941
SHA25637c8afc2a54b7ec02cb1bf79a6c5d5632c89a6fb4264570b03b2790268fcf429
SHA512760b5e8704a413ce6757129615f525b39ee55a530bee0b5fb9d514d09de14ec81dc47f7f0bff658a783b4d3e6f387f5fb00a55bc00eb13e737541fa44df960f1
-
Filesize
6KB
MD5582dcdf78f2e5612c10a4f2ea8d848bb
SHA1d0ed05faaa7891c081b50a260dc140a3d920bf77
SHA256fd24e55e777f1432aa8905594ba2e93cf17cef55a745e961ee41ea95dfed14fc
SHA512a75caf33a6ecd61a3709fb663c3f648ec74f244e43e6769ef429cb03b1de5f9b59bc6b770f448064661595a0d3f3318290818cb66ca22911c4ef35cb73c19907
-
Filesize
6KB
MD560cbafa560ac2dec589b0845c325ef43
SHA192cc172e0e362c8dcd7c5151726beada1f2d76c7
SHA256df4c9c56ae351b57a69bc306d95be973fa45c0d0cc382a1337cb0ce19aaa2831
SHA512ff8a174216c6f5afb2680844832c8f4f331a1998a6882d3a51eb422a8d87c3e53ae87fb7382bdcd3c7a8f2213f344d31a3c9b89c463b948027e818fd9133beae
-
Filesize
1KB
MD5fee5345fa3ea07fae937980ed7987158
SHA113018ef31aeab1beff98cb78938745535d6ce2ff
SHA25671e5572d82b5e7c59cea8c89b4b4e043d5f493385253f770633d415071b04fc9
SHA5120d89a9792d0db185f03d478ecf279988a871f3ada96d3d352e5b2c63b47df31ce36647dbdad80073438285bc610486e49b81ad2cd669f7bc7e2c6c908e8d4ab5
-
Filesize
705B
MD5d3ce3607212818bdc8aaca1733980147
SHA1ca1988f2e47ba70e772129a1237662b8ce141dc5
SHA256e5b450b6e1b598e4a5491aff6362133f42da66c566fc4ad7a9af7cc9e65208c4
SHA512033784301a44923d2757b0b39b7861755490e0289f73d71dd0f3ea793f77a70c23a50296bb09a1ba4e012505ea6dddf93056aa8d6fbaf030077a13e8b1b886a6
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD59062abba42470c4618ed3236ecea0f02
SHA167f93b12cde98f25d886880ee77e119c99cebc0f
SHA256d7dcbbf5aa16cc030fbad0439b5bb5e8d797060a8fa15d2ba009a53c5160587c
SHA512c1d0fb68cf556aa83f4bfffe3ae126ffb28309f9df00c4b8bc073d18f78feff6123c9969869be8685fe63475c975370168c38f07fc739c66ecb0cff69f618e7f
-
Filesize
10KB
MD59e752aacce4820534ba8e8ae67841f91
SHA183916b739c991d595954decf9a0cdc86b0a495a4
SHA256d3b915f2c68761eb56282a96e964874c6a7b61c2db5e85a822e452d98bbcca98
SHA5129da90f49c9d339af3b65f4415eb409aab4d2dfa0a6091105380159c1397d34f71a514bafeeb8ac95d5fd992b88e518fd46d2fe864a78b352227979a4e9fc48d4
-
Filesize
11KB
MD5ca58710259b55a21a304598a6c03c41a
SHA130a451efe5f86eddd321c1dcdbbaf1b5e100c54f
SHA2560b40fe5d9cffe01cbc4e82141010b38f64810bb9d82e3d5de38c6059b797364b
SHA512fc247f772f34acaaaa2ca94abb7ba3e6692816518dccd8169030490268e91aef4df0581aa1810b0da4ea5f2eceb5dd58919093f50c5db90d0c358ad0542f8dbc
-
Filesize
11KB
MD515d791e78c94cf88c95ec1e4935f742c
SHA13fa15e1a16d132b888688a62dd387e746579e7e4
SHA2566505c6154b49bdc434b622658cbe7ce958b1f39bb21faf9057fa316a3c40a791
SHA512c45174725dedca8f0b7139f783fff1079502e4ae1372dbad121eb5201220f9461f4bbacd2b61db4a8298d76cf9794257ae374baa834ee3fab309e3328e1627d3
-
C:\Users\Admin\AppData\Local\Server\Venom_RAT_+_HVNC_+_Steale_Url_qkamrgd2yxc3i0qepbewoqwa2m5juegt\6.0.3.1\user.config
Filesize1KB
MD53fb8d2a2cd510948957ef43af5de1a6a
SHA1165c56b69c45db04546436b8cfcd21bf543fe1e3
SHA256095a2b7ce003847ea27f3eb98eca1c5bf9098c194c137c550bed549fe8d46306
SHA512ddf025953f0487612cab831866ce03285aa810a406d0a92d4491a2d26c7eaba2c4108c230309732a7ab6184c1578419164afe2fdc8e0179d8584bfbc7e75f1c6
-
C:\Users\Admin\AppData\Local\Server\Venom_RAT_+_HVNC_+_Steale_Url_qkamrgd2yxc3i0qepbewoqwa2m5juegt\6.0.3.1\user.config
Filesize1KB
MD5ec49b7f5618d420d4c61a527d52c2638
SHA14c627db09339ea9d8266671a866140c5c9377c89
SHA2561e5fc255b1d6ff6b9fcb242f9aade5db7d5ce869a7bad4a216cf92c90f239def
SHA512d33bbc0e55aa55a52b12a476d570bc2f2bb649313d416d94cd7bf73c0e76bdbf016b8cecf2eb3aaafb490e36238a8bec3e41e88201b65d032daaed757ddabd6c
-
Filesize
3.2MB
MD5ca8534026f0cdbdd4a5ed88a7f56c846
SHA1e465106eaa5b9af57d8254e09dc5b853970ba90e
SHA2564b55d6a2f77c5f365f544409ea9f5de7db8b954e99f1a7ac9f904bb851bd9f89
SHA51292bbbcbf40b5b8d0ef1bc4fc6eabb9b1b7586cdf768b9e6feb6d6a9f7a2ab73710538544a14534ae539cfb9307586275799f118054e5f063335566883d41f563
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
22B
MD514f705f549f3028d93387168a973b57d
SHA1904d2cdfa31872976e6144d3049fd93241077cb6
SHA2560994bef5e49e421d0af1c4833f5410e131f3f2a49ccc5d217a553f41ca59cb86
SHA5122f7dc1827e66c6dbd89c189fa87250971ad033490489f657a6939b5bf30e6e7eadc36deb1d215afb622418b9cea01c7fce321acb2335d3f2b73795d8fccf2052
-
Filesize
1KB
MD516dc5231e9cc4d644a69f330fbef2016
SHA12bdc5121a0c9f846afdc29e5d109e9af47936877
SHA25632166b2a223105a377369b65a2ae9dcdbb9ef6f2625da0285148284be22cd2d8
SHA512816bf8ecf326224c8216e4ff4aeaf1af303340b808ea6375a6bc65e5662a9a99ca0d4bf79781904d8cf64210f81b3a8af745812511ec3b59f7ebd2f8ca389e77
-
Filesize
4.7MB
MD5a7349236212b0e5cec2978f2cfa49a1a
SHA15abb08949162fd1985b89ffad40aaf5fc769017e
SHA256a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082
SHA512c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02
-
Filesize
1KB
MD5620f344bef69cb43ad1b03fb5e6e5269
SHA1627f27bbcf9b8c8ff57fab6b8acafb4aa4eccc04
SHA256f678bb540b3c12906ee4eb91847031873c95aa26782d3022c9d9608a27e654bb
SHA512159014c44c97013c2d734e223094ff1a58e4a2649ee6afdb2f85b0ceab7de1f596e14faa61f59f63cef0117fe401d39418d07251a5aa414194768ed349db91d1
-
Filesize
1.6MB
MD50562b4c97f643306df491a938ae636da
SHA10807c37b711374ed4814a9518c9e264517de89a0
SHA25670e72477f7fe0018e043ce8fe2228a289459058ee41caecd6f05855898bc5b80
SHA512c969cd274b6bf65a34f1d129b6531616a3485a1f153088609ad2369d380fdec37c3e88a423495912715a26e353dd5498f7f9e73c895e9f3f18fc7d1e65d2ecaf
-
Filesize
191KB
MD5c070f2421851420e832e4f5989a775a2
SHA1d6af3c48ffbe0fa1e0e54860836d3bbf374b8b46
SHA256d54fd6c5903eea49a75d620d4ba232f8effb1863f5f9c974e4ac0a8fb1904131
SHA51275c3edeb4c16d8e82eedc5595b9c3fde4cbd4a3e9deae1967ad513474920a48e4e9275fdc76f44032b1be570a4ece1a6393c4680af8989f67bcdec039d06798e
-
Filesize
19KB
MD576c775d09b24798f6923452e920979b5
SHA13fe2c79512a0d1153fb07f6640b27106c90d333e
SHA256a5b61c1726304e6b72e09a0f35ddbf52f89a75a4e28e6ed098c8d1df6081b4ad
SHA512eacc093f8ac9401f617df7e07fd68a8a0f1f03aa150283de67ad8c338fcb1520b0f07335547cf533a646ff95f239c92b029f952a706e736bcd9508817c9be0f9
-
Filesize
212KB
MD5e924f79f0b5f3e79c98477d75831813d
SHA164f71e20e1953b13c771d8a8e63549ad6d64216e
SHA2561bdbb1b5c1a50653e5c26161e9b7c03edc518721a6e10ea180a84049d967106b
SHA512063e9bdbdaf0accb46cef5fdb98b30a97b8a6ba097a80d43a9799ff73e820d1c56d41ca9f71d94497736e3def7fbd0109db4000ab1d9e46cdc96357bf3e15fd1
-
Filesize
148KB
MD59642899636959b7fc89bf34a8b998a90
SHA1479a0254d1c9e5565c7d861bb77f54b7eae50c96
SHA2569fcf89837b60f69c1c501e4cfa4d2860887afd0b8f325803367e795a4e3bc9ca
SHA512435dccb57ff3e9d0663770768c866838b19fbaa5b8e79de0ca111d9c73276f016e016d1d268f72cf3435ecac122039764fada952e1a4f68f368b492bb866c9a2
-
Filesize
5.0MB
MD5cf8ecc93a3848a0f1af2d86a7583fa7b
SHA10c3a2f0c232269fd606cbc5878e79a9a7e9f5ad2
SHA2562194e86e58b755f6e198fbcd1da59c59d407640ee546016511571a2831aed428
SHA5124d51419d732e76b8957c94410eb0c2fb983a294b114b37f3e3eb6601917f119d519b235449a97aa720b05bbb57b6a058bf9a33e6f3167200c1d70e785ae335e2
-
Filesize
11.1MB
MD51d2042cc4361cac2c13b0b33a4149080
SHA1e5105299770c325bb7b5198542869002a9c332ce
SHA256a9dd7159a39dd053806d36920f76da18ca5e8b488ae04167a7feadf3c1ea4fc3
SHA512d0335fcfea1d6b7428ad6b070602b5765b4d07d2f0bb8819821544c6280ed1e4d76cc99bcd00414aedad954fd1b5bfae58d1bb80427600d619d9e0c910438a4b
-
Filesize
24B
MD5e1b54e517318b3b3363551e926b9e474
SHA1cdd2df4411afed1c9e44997dc9ebf85728eafcca
SHA256dab8688b4d139db5ba57783791efbce34e9e46c37a2c506685cbc6d18e68073e
SHA512edcdd405bf3d57cd524151e9f41670cb7c3bf693e59254c8a034c30a8457b936d507fa434d38e733819a11cf3afc6858d909fbe73bf091f3c96526cf99138728
-
Filesize
33KB
MD5410e4dba1b3e1acd689425d024f3fd56
SHA1d38fcae133db0cff918dc455acd8ffa437989659
SHA256e10518132ded7ee51739953121f6efe77412aa85bd744ea7b256a5a6da751e44
SHA512cac41002ef9ffe4592a0949ebb3a21b3837645838e623d3a188f7e70b6c82b2253c586a6a9395007849da0ef94d6dc47bcfce9cde554e8b6becdaf21082cf014
-
Filesize
33KB
MD52cce7e02f2decbdcf648cc249eeabbfc
SHA14a9cc2ab3162a949d5f559ac2828813da7aaa6d2
SHA256ffd5e4016c4bc247f49ded9d4ac463e7bd9d7f92c9889528f5f3a865dc8234e2
SHA512be3d96046ec50bfd8e4399d1268856d0cc1f541635896ad128d660660294cfd98f79998dfa46849a2e6e5aa3e637626a94a062ab694444b7210f69b3a55d1686
-
Filesize
33KB
MD55c22046c8b4f37adbd0f41a811238d5e
SHA1e3c49202f86ff0718f169ce4cb82570457891bd3
SHA2560759c987d55b3e2bc78ea1761d451b0b40928865c5b5652ef7b304426bc1dab9
SHA512655c129c7456ce083a9eec235e04b871a16c4226f7cb1aa2ac4b119770b24ac61036950b0a77257af96352318a991037a1b9b5e2925ca84272995dd8135abca8
-
Filesize
33KB
MD5e18c650283441dfbdc3aa46a414f326c
SHA1eda65607858d6b93db9ca4a9f20cac382cb685db
SHA256ecf99e08bf15aca4325c4790ee20ccc674b6f4fc6dbbef0885f36bf8e6e8aa68
SHA512f10cd2a31390bbb06546052214a817153f35ed9b5c5403995267e1e9b4987630c08ddf7db414146211b8cfb4769949cd660060bd2a5c8a51bf5bc381372a6673
-
Filesize
33KB
MD593f8d14b56bf5f257f87ea438c7a3601
SHA131b71ace333e016408af2f18290463389206d1c0
SHA2568e36c85a8ba6b92ea906d4dcda412b492449e668fac3b05f5fc512118fa71e5f
SHA512a70adeb933e65ba11b28d11fad9a2eae29a623013f9bd8383afa5c794f214a6820f797f03f1714759bd38356b160b9c1e159dfcecbfa7e95f4ce2b24bfb24cf5
-
Filesize
33KB
MD52d5ee470e51e769e649109d2721937d3
SHA189bb18a904dc2857e52cff3a384df50858d5e17c
SHA25608afe88e8a0475e320c6da70ff530ada3a6fb426051a6337a769c14dc37ae316
SHA512d6801a6b238a9779b0b8829f79412c227ed8480ec060e3d1992c9b1024c94a8f1f6ed32097c8a93a6f2600ad68b2ac537fba5f0982a41fef01a832994cc0cc20
-
Filesize
33KB
MD55dbcdfb9a2f9120ba42006c997e22b42
SHA101fe537ccabec19b252e07ed6ab557a46a70e6df
SHA2568f726d2132b2b7764936aaffb52ef7b0271abf857949588c36b32fb3c769bcc4
SHA512519b0757a1bba205915aea9f8bb715072420fae126a4917f146c9ea7567fc231d74f93ded8dead86dcffb0fc293de1a4c85a161dd894b490e57806df67cf01da
-
Filesize
33KB
MD516782d3d013fbdd1277424363dd8a0ad
SHA1c26e1fd52de7ceb24af6f01fb4486d39e1932bfe
SHA256faf3d661a09912ff0c1f6cc92dd8775c3d2be31e9a72fe0962c144d679021d86
SHA51244bda0a5d59f1ead6939a6af13b81ab23b28be44a61e7e736d5e21cbfee813a3a44c5832b16036717f0e18a418dc449b5c3aa1e0f05c4830cb3b64698ce0901a
-
Filesize
33KB
MD5ed05e0515da2b4c11d839493abf8d44b
SHA18862a2bd75632d916fdd049b31f2155ac7894524
SHA2568f641c948721c9e7e92f28224b8b1beeb27382e5bac8a4014a57537dd7543a8d
SHA51231613012f4ea1da8d1318f69e6e9a4be068e9e490f01ef0e1f880b33f50d715d92d7498ca99223ce81d6656ccc4293a7fbd272939e99dbc21d62176a6c6d9553
-
Filesize
33KB
MD5a5c78266329a1eb0f3e52bc0343783b5
SHA1e0b254e2176f0eab8d2b76213a64c24ba1788675
SHA256550a1b6e2b97febd865cd130b0c0d484cf2fd02b8066ddf6d7290b9cffb35059
SHA51261a7bf67f9019e5f4c653246e1844703619d6421c3625c963862ee9b0b3975b26ce2f785c9b3cc79e77181c098f0e3d60c9f0e21203928117c6cd45f104af36f
-
Filesize
33KB
MD5be6fa7ab4980735841141d4d3f642a4a
SHA1c6d03cda7f73a959a3d20d0e3897595fbe2915e9
SHA2563439ebcdd8e7a614f157f58d7f77d190aac7fe514129a01024a8b68b7008fbb2
SHA512fbc116df306de7a04f43cb2becfecbbaf103d6b252336e0bd37f006506140ceb14f114cdf62e203bc12f78c25906066385eb6caa67f694d8526b341bcf3462f2
-
Filesize
33KB
MD5bb4f489b2ae1f6601513296357fb478b
SHA1b8337772e2e17d48412f44373ea8a821b85e9c54
SHA256af2f591584f6c59da15fd42e5175dc136844442e1c755fac047b0efae3956c50
SHA512547e0753a1ac4058ec609ddd2d6ce54b50cc47177ee319f5bcc82eca9e231d01d74b7c2d02de90557c08224bed962c74f8c4079a1292153cbff32db234ddf6a6
-
Filesize
33KB
MD5caba1e66c954bc8d784efe2a3c02d808
SHA1ef1d5ba4735c99b55648503513d9ae7393a3a6d6
SHA2564946c58e14318696ea03cf9bcb5d8a7334273c2f9e30173a3c7ae0bb7ee70bc4
SHA512430806d048e383411e36a8e3777a27b7efc1819cca50c7d7eeba662d32351a366d3cc0b892f819b6a96db8281c5e249d3faef13e8a4ec3bef75e67b9567bd466
-
Filesize
33KB
MD58effa2f5bbcecf6415b04f9408c0a65d
SHA13f3249fe921c1d4767b76b0c3a720cba0262b565
SHA256236c59500b9bd83212375ca7514c0d62dc088203ed269e9cd55ca6349adbc8f0
SHA5123f8a1f0683207ed616819a0e42b18e5b02eab0300fcf6eac1c399f0e5475f45d62e0bdebfe0055d411d529649938623acfd4b3b02fe80fc9da6a0492dcd31822
-
Filesize
33KB
MD5ae8189b2c04d783a2f68f0204f1baeab
SHA1e5709598ed08427a1dd83e1d994330bba1b1b091
SHA256047f9bd82ca7e2685c1dca4c065209977b5e8c32f78ee821bcc7aba12decb044
SHA512ef1dd8330cf3cfa9840a5902e13c669e6de911ca9f383067506e2c106f05021aa79df60e2a867259bbd1dd056b9367d5814e9bcbafb242d718fa7fe0fe664248
-
Filesize
33KB
MD549d969f363a153b7e1cb4dc2cb742238
SHA12a8fbfd37be58690dc2e0ca2b3ce04c2d15d6eec
SHA256f0d730a0d8ce85f049a6d8a52733c506a8cf48584b18838f3d677b09d9c09b52
SHA51297f17ab20ee96ae4e71e31c7864c509ef0b714215606413c801b3608770415ab63d6d5be0980af7231e4c2e270407fd273c36e0e47d524e59126b933fafa4eac
-
Filesize
33KB
MD519169001a889e72fef769900ca7a8b27
SHA1e17d9c371cc34d19f05c46d81e06f7ae2159dc7f
SHA2565ac8c61a8ad2d7ecc3e76927fd6d52b4f279c4d3a92dd32715395581c4615423
SHA5124c8247ab0f37cafa90ae34aa865af45b6b388fdfa8ab96935d2ae2064c620240dbb8f93c9958844a34fbd249422a9b5751639179697bab44aabda8afc18b0454
-
Filesize
33KB
MD53abcf274a070469b7fd5cc1f60408c9d
SHA1a2fbdbc0028f398a90b351fe5e3a2e4b31153b07
SHA256d3cc5eeabeae7f54a8c5600b5c2354b355492634031e32e8ba981806b0494b61
SHA51214be128eaa0b49b7ad07ad2230732e923a30c204faae1c3afac766088836845fc385a99ef50938f6261456e0e45afcd17c0661345ab72cca8b66bd710eb3035f
-
Filesize
33KB
MD5a603875f8aecceb0d62c9c346f250e62
SHA144b58245d17d8d205e6bc2015965b3ac9374245e
SHA256b586dd987bd326d24ad3edddd1f649d2fc49eaf96028e62e6e14208591a31a9b
SHA51262c218f9e7e30c056c02b0e9e35b39fa9b66faced7fa8c3a14e9636450d271da04aa5f04a627452be03d0df062b38db0bbeb4fcdedb0d7d820d0bb186cb38953
-
Filesize
33KB
MD5a272b143736710d954a021e7b5b1fe41
SHA1abf3a358da02a0d9786a022a1367d9bf805ae060
SHA256f679b5b2dfe2c980b55b713a025936c10260db10254391c5b66dcec51dd97705
SHA5129290ed552de75f080719d3e6f4954234b48cb1bf87952bf62d1799d64c0d0a2419fe6776d5a84f691f877a6e7ccb176824e7dd00f5ceec7da32458faf1ef6485
-
Filesize
33KB
MD57bb2410b8a58504b0645e9e869cb903e
SHA1a1d49a900e2367817575d581c34a3f4b5282db25
SHA256f8d767b5e74cde08d614d64bc51f4d9db90dc056dba1c38ad8b21aa6c598a286
SHA512a629b6e3a5fc4cc0499e18139260a7c67c629d76c8264ffd3d99c62154354b50bcc5d73b0475891cf38b90809de996648c211a9c2df0aa4e885e536fe4d3f825
-
Filesize
1.1MB
MD52fbec46d430f57befcde85b86c68b36e
SHA13ff9829e3242deb69a7fde0832b7d9345b925afc
SHA256681ede512fe7ac21e976c754bfc1e1a75a9e02c3d931ce6849cfaa9d4080338a
SHA51242036af6f57e446fec194ce71fa634dee9f4c77342f64a867fca8730d76349190960a7e7a5967ea59c250ca1b220d4845b4911dd63ee870f5620d9eb513b91d6
-
Filesize
25.6MB
MD5fab3cc04a19ffdf90d775e27967a7c25
SHA1723c1635338bec7c1c876769618789268b8faad2
SHA256bf41a0a700e3b35415609d090b15c5355e5cf4ca703ab119626b2d450997c608
SHA512fe013386ff799cda195222341ee601d7b8b3c5c8abacf3c80e3fa03af52ac848f8a79a7dd87d8831d5a366243343f1025f704f49d858da4b02235968f834a9e6
-
Filesize
7KB
MD532bd051749a0fc05e1bb83707fb379ef
SHA1479ef7feba3b01dc6aa39817104ab9f78ba6451c
SHA256515a7cae5767ed438b9112de05d90bd36568cfa68d5284ce648cff45400fe0e0
SHA5123a80f3f0890337ef0294dd4a1b473a136b732438dfb125a3fb80103451b471919621952a21be4b0cbc3fbc7b479545711c9a5dc498121de9b7fde0f77128685a
-
C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\res\Icons\Apps\s_translator.png
Filesize7KB
MD5bc33c93efd4900d799deb3cd6a195b42
SHA118a3527e1e4382e83fe50b470d8cc393d695542b
SHA2565506ccae41f78fa556d449c2cf3aa95e6caeaecdce847eda5289037aa33c1824
SHA512164439b404d354cfefdf55aea30ddc28c6a0ff4cdbcf3986b003eed0fffd35f9740ad7add000363e05b774ca80897848e3ef68248897a58cb0f5282e1b701f15
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe.config
Filesize3KB
MD5a1c2a2870001b66db41bcb020bff1c2d
SHA18c54c6a3564c8892aa9baa15573682e64f3659d9
SHA2560aa9e3ab5c88c5761120206eff5c6e35c90288290b3647a942059705ef5b75e5
SHA512b3bf53120203cfaa951f301b532849cb382d2404c9503916bc1ca39925a9a1530b01045f341fc75d47d65130d0187dcbbf4288b9ef46aa81624b59ba7802794b
-
Filesize
44.5MB
MD54d126a74212250584edad0f21daaf06c
SHA1cac28f26e1d89c0c71ea954e5d79c72e5402f1a0
SHA256ce397d1a47b24efe2b90da9e565386dbb69175d5e170468f498b82e5cd394b60
SHA5122489d61f7b0e8228b0bc09a3f4c974724a1f1ff402f470a9d074f9f2d4e6386232a2eb6352ee8c1bf274c5dbbf9fa32cbad0f32f5f22a74ded2656a510dbc220
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98