asyncrat | hxxps://mega[.]nz/file/nbBWmIIR#1zclxrRPl4NowyFwXWM0yD31MKtngoV33AUjt8iW83E

Analysis

max time kernel
213s
max time network
224s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
10-08-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/nbBWmIIR#1zclxrRPl4NowyFwXWM0yD31MKtngoV33AUjt8iW83E

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

127.0.0.1:9001

91.92.254.89:4449

91.92.254.89:9001

Mutex

fefewfewfewf

Attributes

delay
1
install
true
install_file
Realltek Audio Service 86x.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000700000001abb0-407.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
3692	Realltek Audio Service 86x.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3360	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133677642859402976"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2196	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	chrome.exe
2908	chrome.exe
4960	Venom RAT + HVNC + Stealer + Grabber.exe
4960	Venom RAT + HVNC + Stealer + Grabber.exe
4960	Venom RAT + HVNC + Stealer + Grabber.exe
4960	Venom RAT + HVNC + Stealer + Grabber.exe
4960	Venom RAT + HVNC + Stealer + Grabber.exe
4960	Venom RAT + HVNC + Stealer + Grabber.exe
4960	Venom RAT + HVNC + Stealer + Grabber.exe
4960	Venom RAT + HVNC + Stealer + Grabber.exe
4960	Venom RAT + HVNC + Stealer + Grabber.exe
4960	Venom RAT + HVNC + Stealer + Grabber.exe
4960	Venom RAT + HVNC + Stealer + Grabber.exe
4960	Venom RAT + HVNC + Stealer + Grabber.exe
4960	Venom RAT + HVNC + Stealer + Grabber.exe
3692	Realltek Audio Service 86x.exe
3692	Realltek Audio Service 86x.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
3692	Realltek Audio Service 86x.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
3692	Realltek Audio Service 86x.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2624	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2908	chrome.exe
2908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: 33	5064	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5064	AUDIODG.EXE
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe
2624	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3692	Realltek Audio Service 86x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 4240	2908	chrome.exe	70
PID 2908 wrote to memory of 4240	2908	chrome.exe	70
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 2272	2908	chrome.exe	73
PID 2908 wrote to memory of 1312	2908	chrome.exe	74
PID 2908 wrote to memory of 1312	2908	chrome.exe	74
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75
PID 2908 wrote to memory of 1788	2908	chrome.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/nbBWmIIR#1zclxrRPl4NowyFwXWM0yD31MKtngoV33AUjt8iW83E
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff38f89758,0x7fff38f89768,0x7fff38f89778
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 --field-trial-handle=1868,i,17220308199799314098,6777001277708339462,131072 /prefetch:2
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=1868,i,17220308199799314098,6777001277708339462,131072 /prefetch:8
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2036 --field-trial-handle=1868,i,17220308199799314098,6777001277708339462,131072 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2736 --field-trial-handle=1868,i,17220308199799314098,6777001277708339462,131072 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2744 --field-trial-handle=1868,i,17220308199799314098,6777001277708339462,131072 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4864 --field-trial-handle=1868,i,17220308199799314098,6777001277708339462,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 --field-trial-handle=1868,i,17220308199799314098,6777001277708339462,131072 /prefetch:8
  2⤵
  PID:356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=1868,i,17220308199799314098,6777001277708339462,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 --field-trial-handle=1868,i,17220308199799314098,6777001277708339462,131072 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1868,i,17220308199799314098,6777001277708339462,131072 /prefetch:8
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=1868,i,17220308199799314098,6777001277708339462,131072 /prefetch:8
  2⤵
  PID:3360

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3404

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3144

C:\Users\Admin\Downloads\VenomRAT v6.0.3\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\Downloads\VenomRAT v6.0.3\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Realltek Audio Service 86x" /tr '"C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe"' & exit
  2⤵
  PID:5108
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Realltek Audio Service 86x" /tr '"C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2FB1.tmp.bat""
  2⤵
  PID:904
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3360
- - C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe
    "C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3692

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2624

C:\Users\Admin\Downloads\VenomRAT v6.0.3\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\Downloads\VenomRAT v6.0.3\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"
1⤵
PID:1972

C:\Users\Admin\Downloads\VenomRAT v6.0.3\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\Downloads\VenomRAT v6.0.3\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"
1⤵
PID:1272

C:\Users\Admin\Downloads\VenomRAT v6.0.3\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\Downloads\VenomRAT v6.0.3\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
f3700ba7dba7529578db33e6c03bb35a

SHA1
4cc1916729d4488f669e8d6ae3e9d7c191344db2

SHA256
6a151316ec20bd895aed656c7d1db3e308850c7974e483377ec47aa4ddcfa3da

SHA512
6f5fe27d6b6c43eac9719f35823f4ebb56bb709158cc970b477a425dff5bfff60896367652388a513a1940e2beb7f93381f65c00c157d7db916c0e92e804a45a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\00\00000000

Filesize
1.9MB

MD5
62cb7d727e93e57ab0b0930269919b9e

SHA1
d0285214176344d23a998dd7976b7d9cafabb9a1

SHA256
3c77d2c60df0f354ce1dbeadb98a1cf57ea234b750f88685fed9321116163ae0

SHA512
b5b057345c9fa1778c2de54ab76f4b9b37af208cba5064d403fc15c8a01e0817b3ae06c842acb97be41d4704041b3eddb7239e6561affba0c686a8365b44b3b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000003.log

Filesize
90KB

MD5
ad69e9119b5d6ed34a62a40cd41db5b7

SHA1
bf2764771bba459bd16e3d90037e7f240e703300

SHA256
9bcae8571091355094ed631bad773fa35a18c08d9f008bb24f85d842fdf786b9

SHA512
e607b65d861728615dd7322457de3064ccd531291b4c8e4d8e10e9c8fd56b1bf29585da7f9ea811ef61e274446bdd6c3e22de81613ec915a126b34d0a9ac038f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
373B

MD5
206a7dcbaaddda9908fe426400268616

SHA1
7ebed06957d2de13701abbfc14213b43db1336b7

SHA256
bce74621d0641f46f8b9068922d19206ea58d85cce75134735730b894b924c68

SHA512
2c593f80dd0ffdbbe472b5459451ad9d4c465c179e5e40813623eeeff65fb1fc3bdf3bb5d3f568d06b3bbe1bf8d7daf547d9f12873048d67a89a01a221718c36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
370B

MD5
d559832b89acb73de872993747e9b453

SHA1
8445db67441a568c95178c56b2a1c6a40f2927e4

SHA256
8360d4265ebbdba6bc458775592768aa64c3fd0b62e0a37af472a3ae59527a9f

SHA512
720ee16483aae230f710d88fc3e7fabd3a0fd5b33b4dbd551854c6c008f36945fbebfcc035d4eb1a0b4390501ffe0279e821f50f75c7452bf3c2484906574e20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe587412.TMP

Filesize
333B

MD5
02d7aed8a2bc089b40815b19b38fbde0

SHA1
2c38f3c810d17d42ee8f7db8bc808deabe68d2ff

SHA256
c3a887a5aefaaf020c3f7c521bce0f4548aa732197f870a527affba6c96fc385

SHA512
bf64b0d8561f5297e1b91fbb57d078b92b2d9cc6572f277da34b9dcb11a1b241d24bebb257d56659c326b4292c40e8ab9653b5ed96f7235ab68180ba5da8abed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
467B

MD5
b7b21685abf1962e08864076654f80e7

SHA1
5d0191091c65805d0f41a2878bffa7b3e836c52a

SHA256
bcf663035773be7436a71aa3d673de46e8e5c28939d8e05f50b1dff1594a72b0

SHA512
a515da30ab9d97372e00e7b1b9d5f0d48b842570a6fe371949f9fb2b42856c334eff10de8804cea80c43dd877f1563b05a7f93c42161b0f192633edcb85a39fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d3b4f4ddc0282d866265f64e99770e32

SHA1
28876a9977975b3900c02fbea0314a4a83953a16

SHA256
c0731631233ed3ce2492727bf9ad550bc4f25b383429bd617851ebce0497b87b

SHA512
44d1785eb22059b8f9c020db91ecd029ea59367345242d345dbd486598b09a4f490de1becbe3b0a668d01b2bcd0ca919c757dfe4be052ec46583d53f9485823c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4fd321b1ea022b3ff6ec4022d22ea848

SHA1
af8820900ffbd11139b8c0dea349ae15bc71282f

SHA256
92eee5d078f55ac559eb1851eec7e4cf12e3395f2491351ab115f1edda0bc393

SHA512
f7ee4a9e9a72e0af9b64a2ea65488cacb2f6242c7cf2a1dcd14a237d34b6f3113a75096f7f6845b9b941a0209fa41939a8d866c1b6e0817f608c91f5cab9e76e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
29cae13c419ea23de44723ba9fde30a3

SHA1
b8db6ead8fb51d3bb7115be62d8c01daf0d52e6f

SHA256
efd09400aa47b14b47d8eda1fbe1223aee729f1b89786493d437e4b8905e7790

SHA512
60115a4856665786e556bdcb638b69fa4d87b157b85c310af3e9f6c1072580ce6f1044db67d446e95b37a568ea8148195b87b58aa1267265b8e657db84082059

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
400531cc3d2585fcdc7107f32af5debb

SHA1
43da21df76ce3737d35fa389eb326ccda7567bb1

SHA256
8d2305b4e03cdd1044a8090256d77ce5ddb3bf6da06c064d4896bd6962b20826

SHA512
95920903211d51cff517dccef9195d5cbac8d93f0b56ec23cc8611ad198c952af89588fadacef00e7f44ad71e98a859ff9020ebc8f683b9fb17ce9f3f213d8a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ee0ed15f8262a1b1e1f03e6abb16dc78

SHA1
c41d480503cbd45b4ab5d83cd33dbed20ff0018d

SHA256
0f87273045faf0299283167878298507b85b48d2b5aa6c3562928be8ed3b9ad4

SHA512
f879c6cec18332bdd054c708db15271bafd0107f20f89314dfd90d4e3d574a402d37a0b5fca3b2d85ea847b4a4597a196f8961161320557aad06a1ec3a0bd894

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe585dda.TMP

Filesize
48B

MD5
cc19e01d1d6c3da0913dadbab36ff228

SHA1
ef603352e1231d1aaed5fcd830ab61bbcd167116

SHA256
9fead06fb82568f9a0d7d4c5d75c62df9d271907d91e390e6c3e2b105a920cbf

SHA512
72942ec2d89eeed27d92c4a91c683fe4bf440826333b5071388546879b736e6b65d717fa7d4b39ca833c98c93e2cdfcbc5763219d0f49745fc26d0cfbbcc48c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
e34410c47193475ba3a4e2649789fe4e

SHA1
16f0170bca206c591a53bf5eeac6b83cfb6d00e9

SHA256
95adc6d02c4f15be06640789a5403d594b1ccb788bf5f5b5684ee44e8ac2a661

SHA512
4e900f52a10bccf76535a49aa106ea3dbb9789ad5b64f644c53591513ac1d6f537e0d9d6f285ff07bca63f7ece3098b02b201856e385fda825365bed29f3283f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
b5781d1c749e53da22a856262f36a4a4

SHA1
507545e83d963a891b56be45451c86a0da0ab41b

SHA256
805924c66afa26879bd606a48864c01e8d170f0718b0028d6bd78ac7490c435c

SHA512
ab224b991cd52f11329c0c0d6e5839992d5ba8eca65ebc5677df03fcd330a2fd94aa0df49b1736e50809f4b300f98ca753995051c494f89338fe7ac58f4d00d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
295cb8b493c458b30c3935ba2e769d7e

SHA1
6440b645708e4d8d78403bf8572784f19749daf4

SHA256
3e560fc4978adc264403695d4b534b3e7620e5fe5beeaa1785323224d14bdb17

SHA512
e65efa95984922f616d5b6b5d27b41c67954093ae23935bcaec98732c300f48fc26db65e7cd698eb9cdc32b8ab162a137ef3ed20b79eeb601977e58c0e63155b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
658721be4eb50802da78f5701f813c7f

SHA1
9ab649c44ad19cad905c17b3720c7fca9358db45

SHA256
3cd3f1364db8eb26969f99ba6f4f98f23fdb2e2451268b06e463acc611006a1f

SHA512
49d163f71dada5d942c58b290ab144df2715b5543e2695d30610a3f0c4e4c036ff15603862170aeca9a291503e91b2c8511a232317ba0e408c9c33db6428124b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Venom RAT + HVNC + Stealer + Grabber.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2FB1.tmp.bat

Filesize
170B

MD5
ef721c2a17537908b67a168fbb4af10d

SHA1
037a087ccbec5456a7b9302827386fbcc2c674ba

SHA256
fb6e3126c465465a45ebd5e8cc27ec8a2e1b69f95bc9f85ee67c60c567adce2f

SHA512
f0d39c9b48f6efda28bf3dc64b6e163f62295cb65f5ad4b50c3ac7c6684ddcb4ad23a53ecee8efa11f8a8a5cdcaf643ca05c66afbb5da3b9a540dccf4cf37528

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe

Filesize
82KB

MD5
401cdb3441eaa85c7d5d85b8cfe0fe54

SHA1
6bbb659c5c2b30c24313efa7a3775b78cbf385c5

SHA256
f1cf79e0ebbb693d10ca8b96d6c6aae0176c3a3417512bacaf0016207e60492d

SHA512
fb70afc7e5a382b3970cf92feaa12c4cfeba7a7dbca0d0f8736b5a38c0e4c42204cf4975081eab940524332fd3067bc4d5da053b55e71f983e01bc20454822bf

Download Submit
memory/4960-400-0x0000000000B40000-0x0000000000B5A000-memory.dmp

Filesize
104KB

Download