Analysis
max time kernel: 14s
max time network: 15s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/08/2024, 23:08
Behavioral task behavioral1: Sample venom_cleaner.exe, Resource win7-20240704-en
Behavioral task behavioral2: Sample venom_cleaner.exe, Resource win10v2004-20240802-en
General
Target: venom_cleaner.exe
Size: 3.0MB
MD5: b5171ffa77f44270c3979165ec797df1
SHA1: 625625196353920ef6cad543ad83d6038cb9c442
SHA256: 0a30913f417c499108b490cd121f895b9e1f3d7b387a8eacb238a8032a7045f8
SHA512: 1181a844603eb8917c29f29034452d6f6ed7876da5ded558d79358a798de5ba408ee9f68b59fe5b6a4622fbe39792a550aa6a288da88b9080181d5b55c60a0c7
SSDEEP: 49152:XwutH7zfAqCUtFXqFLknKGrqqcmig4qSvFkfQg35/e0e/JTzUbc:XltbTUUQL4HrqqHigj4k4gk0iJTzUQ
Malware Config
Signatures

Deletes NTFS Change Journal 2 TTPs 1 IoCs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
pid | Process
5100 | fsutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | venom_cleaner.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | venom_cleaner.exe

Drops startup file 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | venom_cleaner.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Themida packer
resource | yara_rule
behavioral2/memory/3236-0-0x00007FF6E9F60000-0x00007FF6EA789000-memory.dmp | themida
behavioral2/memory/3236-3-0x00007FF6E9F60000-0x00007FF6EA789000-memory.dmp | themida
behavioral2/memory/3236-2-0x00007FF6E9F60000-0x00007FF6EA789000-memory.dmp | themida
behavioral2/memory/3236-4-0x00007FF6E9F60000-0x00007FF6EA789000-memory.dmp | themida
behavioral2/memory/3236-46-0x00007FF6E9F60000-0x00007FF6EA789000-memory.dmp | themida

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | venom_cleaner.exe

Drops desktop.ini file(s) 59 IoCs

Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\spp\store | venom_cleaner.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
3236 | venom_cleaner.exe

Drops file in Windows directory 64 IoCs

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened (7 entries) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried (7 entries) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated (7 entries) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0\ProcessorNameString | venom_cleaner.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\ProcessorNameString | venom_cleaner.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | venom_cleaner.exe

Enumerates system info in registry 2 TTPs 27 IoCs
description | ioc | Process
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | venom_cleaner.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | venom_cleaner.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS\BIOSReleaseDate | venom_cleaner.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS\SystemManufacturer | venom_cleaner.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "0c0549aa-40a977ce-f" | venom_cleaner.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | venom_cleaner.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS\BIOSVendor | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer | venom_cleaner.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS\SystemProductName | venom_cleaner.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | venom_cleaner.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | venom_cleaner.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion | venom_cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Gathers network information 2 TTPs 8 IoCs
Uses commandline utility to view network configuration.
pid | Process
4716 | ipconfig.exe
2640 | ipconfig.exe
276 | ipconfig.exe
2736 | ipconfig.exe
292 | ipconfig.exe
2776 | ipconfig.exe
304 | ipconfig.exe
288 | ipconfig.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
3116 | vssadmin.exe

Modifies Internet Explorer settings
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 41ff86de804eb72d | venom_cleaner.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
3236 | venom_cleaner.exe (6 entries)
2784 | msedge.exe (2 entries)
1920 | msedge.exe (2 entries)
4280 | identity_helper.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid | Process
1920 | msedge.exe (all 8 entries)

Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 2184 | vssvc.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 1888 | WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs
pid | Process
1920 | msedge.exe (all 25 entries)

Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
1920 | msedge.exe (all 24 entries)

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3236 wrote to memory of 1920 | 3236 | venom_cleaner.exe | 87
PID 1920 wrote to memory of 4140 | 1920 | msedge.exe | 88
PID 1920 wrote to memory of 2732 | 1920 | msedge.exe | 89
PID 1920 wrote to memory of 2784 | 1920 | msedge.exe | 90
PID 1920 wrote to memory of 772 | 1920 | msedge.exe | 91
(identical entries collapsed; the 64 IoCs are repeats of these five source/target pairs)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes
C:\Users\Admin\AppData\Local\Temp\venom_cleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\venom_cleaner.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3236

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://venomcheats.net/
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1920

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa81146f8,0x7ffaa8114708,0x7ffaa8114718
      PID:4140

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7656354024531234187,293474083663918419,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
      PID:2732

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,7656354024531234187,293474083663918419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID:2784

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,7656354024531234187,293474083663918419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
      PID:772

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7656354024531234187,293474083663918419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      PID:4936

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7656354024531234187,293474083663918419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      PID:620

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7656354024531234187,293474083663918419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
      PID:2720

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7656354024531234187,293474083663918419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
      PID:3664

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7656354024531234187,293474083663918419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 /prefetch:8
      PID:1184

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7656354024531234187,293474083663918419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:4280

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7656354024531234187,293474083663918419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
      PID:4336

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7656354024531234187,293474083663918419,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
      PID:4892

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7656354024531234187,293474083663918419,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
      PID:656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7656354024531234187,293474083663918419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:13⤵PID:3064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d C:2⤵PID:4876
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /d C:3⤵
- Deletes NTFS Change Journal
PID:5100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet2⤵PID:548
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:3116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop winmgmt /Y2⤵PID:3664
-
C:\Windows\system32\net.exenet stop winmgmt /Y3⤵PID:672
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop winmgmt /Y4⤵PID:288
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh winsock reset2⤵PID:2368
-
C:\Windows\system32\netsh.exenetsh winsock reset3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /release2⤵PID:5080
-
C:\Windows\system32\ipconfig.exeipconfig /release3⤵
- Gathers network information
PID:292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /renew2⤵PID:4444
-
C:\Windows\system32\ipconfig.exeipconfig /renew3⤵
- Gathers network information
PID:2776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns2⤵PID:3960
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
PID:304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /renew2⤵PID:5100
-
C:\Windows\system32\ipconfig.exeipconfig /renew3⤵
- Gathers network information
PID:288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh int ip reset2⤵PID:4288
-
C:\Windows\system32\netsh.exenetsh int ip reset3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh winsock reset2⤵PID:292
-
C:\Windows\system32\netsh.exenetsh winsock reset3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh interface ipv4 reset2⤵PID:300
-
C:\Windows\system32\netsh.exenetsh interface ipv4 reset3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh interface ipv6 reset2⤵PID:4716
-
C:\Windows\system32\netsh.exenetsh interface ipv6 reset3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh interface tcp reset2⤵PID:1888
-
C:\Windows\system32\netsh.exenetsh interface tcp reset3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh int reset all2⤵PID:3960
-
C:\Windows\system32\netsh.exenetsh int reset all3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /release2⤵PID:2928
-
C:\Windows\system32\ipconfig.exeipconfig /release3⤵
- Gathers network information
PID:4716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /renew2⤵PID:2228
-
C:\Windows\system32\ipconfig.exeipconfig /renew3⤵
- Gathers network information
PID:2640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns2⤵PID:1848
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
PID:276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /renew2⤵PID:4844
-
C:\Windows\system32\ipconfig.exeipconfig /renew3⤵
- Gathers network information
PID:2736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&12⤵PID:284
-
C:\Windows\System32\Wbem\WMIC.exeWMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2536
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1952
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:3020
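The cmd.exe children in this tree are what make the sample destructive: fsutil wipes the USN journal, vssadmin deletes every shadow copy, the WMI service is stopped, the network stack is reset over and over with netsh and ipconfig, and finally WMIC disables every physical adapter. Each command on its own is routine administration; the signal is the combination under one parent. The following detection pass is an added example, not part of the sandbox report or of any vendor's rule set. It runs command-line rules over hand-constructed process-creation records whose field names mirror Sysmon Event ID 1 (Image, CommandLine, ProcessId, ParentProcessId), then correlates hits by process lineage so that one lone "ipconfig /release" stays quiet. The sample's path, its root PID 1000, its parent PID 600, the control PIDs 7000/7001 and the category labels are all assumptions; the child PIDs are taken from the tree where they are unique.

```python
"""Added example (not part of the sandbox report): flag the anti-forensic,
recovery-inhibiting, service-stopping and network-disrupting command lines
from the venom_cleaner.exe process tree, then correlate hits by lineage.
EVENTS is constructed by hand from the command lines in the tree; nothing
here was exported from a sensor. PIDs 1000/600/7000/7001 and the sample path
are assumptions."""

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    category: str
    pattern: re.Pattern


# Matched against the lower-cased, whitespace-collapsed command line.
RULES = [
    Rule("usn_journal_delete", "anti-forensics",
         re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b")),
    Rule("shadow_copy_delete", "inhibit-recovery",   # ATT&CK T1490
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    Rule("wmi_service_stop", "service-stop",         # ATT&CK T1489
         re.compile(r"\bnet1?(\.exe)?\s+stop\s+winmgmt\b")),
    Rule("netsh_stack_reset", "network-disruption",
         re.compile(r"\bnetsh(\.exe)?\s+(int(erface)?|winsock)\b.*\breset\b")),
    Rule("wmic_adapter_disable", "network-disruption",
         re.compile(r"\bwmic(\.exe)?\s+path\s+win32_networkadapter\b.*\bcall\s+disable\b")),
    Rule("ipconfig_release", "network-disruption",
         re.compile(r"\bipconfig(\.exe)?\s+/release\b")),
]

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\venom_cleaner.exe"  # path assumed
SYS32 = r"C:\Windows\system32"


def _ev(pid, ppid, image, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmdline}


EVENTS = [  # constructed records; one cmd.exe /c <tool> pair per behaviour in the tree
    _ev(1000, 600, SAMPLE, f'"{SAMPLE}"'),
    _ev(4876, 1000, SYS32 + r"\cmd.exe", SYS32 + r"\cmd.exe /c fsutil usn deletejournal /d C:"),
    _ev(5100, 4876, SYS32 + r"\fsutil.exe", "fsutil usn deletejournal /d C:"),
    _ev(548, 1000, SYS32 + r"\cmd.exe", SYS32 + r"\cmd.exe /c vssadmin delete shadows /All /Quiet"),
    _ev(3116, 548, SYS32 + r"\vssadmin.exe", "vssadmin delete shadows /All /Quiet"),
    _ev(3664, 1000, SYS32 + r"\cmd.exe", SYS32 + r"\cmd.exe /c net stop winmgmt /Y"),
    _ev(672, 3664, SYS32 + r"\net.exe", "net stop winmgmt /Y"),
    _ev(288, 672, SYS32 + r"\net1.exe", SYS32 + r"\net1 stop winmgmt /Y"),
    _ev(2368, 1000, SYS32 + r"\cmd.exe", SYS32 + r"\cmd.exe /c netsh winsock reset"),
    _ev(2372, 2368, SYS32 + r"\netsh.exe", "netsh winsock reset"),
    _ev(5080, 1000, SYS32 + r"\cmd.exe", SYS32 + r"\cmd.exe /c ipconfig /release"),
    _ev(292, 5080, SYS32 + r"\ipconfig.exe", "ipconfig /release"),
    _ev(284, 1000, SYS32 + r"\cmd.exe",
        SYS32 + r"\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1"),
    _ev(1888, 284, r"C:\Windows\System32\Wbem\WMIC.exe",
        "WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE"),
    # Control: an admin releasing a lease from an unrelated shell must not alert.
    _ev(7001, 7000, SYS32 + r"\ipconfig.exe", "ipconfig /release"),
]


def normalize(cmdline: str) -> str:
    return " ".join(cmdline.split()).lower()


def match_rules(event: dict) -> list:
    """Every rule whose pattern hits the event's command line."""
    cmd = normalize(event["CommandLine"])
    return [r for r in RULES if r.pattern.search(cmd)]


def root_pid(pid: int, parents: dict) -> int:
    """Walk ParentProcessId links up to the highest ancestor we have a record for.
    Keyed on PID for simplicity; real telemetry should key on ProcessGuid, since
    the report reuses PIDs (288, 5100, ...) across short-lived children."""
    seen = {pid}
    while parents.get(pid) in parents and parents[pid] not in seen:
        pid = parents[pid]
        seen.add(pid)
    return pid


def correlate(events: list, min_categories: int = 2) -> dict:
    """Group hits by root process; return only lineages that span at least
    min_categories distinct categories (one release alone is routine)."""
    parents = {e["ProcessId"]: e["ParentProcessId"] for e in events}
    hits = defaultdict(lambda: {"rules": set(), "categories": set(), "pids": set()})
    for e in events:
        for r in match_rules(e):
            root = root_pid(e["ProcessId"], parents)
            hits[root]["rules"].add(r.name)
            hits[root]["categories"].add(r.category)
            hits[root]["pids"].add(e["ProcessId"])
    return {root: h for root, h in hits.items() if len(h["categories"]) >= min_categories}


if __name__ == "__main__":
    for root, h in correlate(EVENTS).items():
        print(f"ALERT root PID {root}: {sorted(h['categories'])} via {sorted(h['rules'])}")
```

Two caveats when moving this onto real telemetry. First, the tree above reuses PIDs for its short-lived children (288 is net1, then ipconfig, then netsh; 5100 is fsutil and later a cmd.exe), so lineage must be built from process GUIDs or start times, not bare PIDs. Second, the "Event Triggered Execution: Netsh Helper DLL" tag on every netsh line is the sandbox reacting to netsh.exe loading its helper DLLs from HKLM\SOFTWARE\Microsoft\NetSh, which it does on any invocation; the command lines here are stack resets, not helper-DLL registration, and the rule above treats them as network disruption rather than persistence.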
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 152B
MD5: 9e3fc58a8fb86c93d19e1500b873ef6f
SHA1: c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256: 828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512: e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e
-
Filesize: 152B
MD5: 27304926d60324abe74d7a4b571c35ea
SHA1: 78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA256: 7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512: f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd
-
Filesize: 6KB
MD5: 2c1e04a19e24a2b526bac72adaea4f54
SHA1: 96b4cca11be2db9b5d7c10a89fa53b2e2b446d06
SHA256: f72f794acc15839a6a8aa6d7c76c7cfc5b0d23f39bdfe66470e00e5dd3e58024
SHA512: 847c38999a2d5348ff9399c70042ddcc1d2e8dcede9dc4e56f8c931bf5594232feaf7c80a2757265769c13b69fac6511b821c404d724b06649f0e63b69d752f7
-
Filesize: 6KB
MD5: 232961198bcb5886cb56d4a2a1f6dcfe
SHA1: 19b116062f944c71ba903a406b145bc1606db46b
SHA256: a3e6e3c8eb7427b2125d9eff5053d2204eee2ef6603da7242610702111c1227e
SHA512: 63f1829f803cc94eef80b775618c03720ca8478a2f6fcc7bb1c5172f7df1e8e7415d4e5b04301bb2fe84ce135a3c0b6e1788b4629135b629633e1ef105f29140
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize: 8KB
MD5: 97b08937f57644b4bb162601a28a8efa
SHA1: 814d88f88cb8ea2f6f244025aaa51b30f73d8aba
SHA256: cb12441a261edd34d3920e747450f2c6c6cafc86453305266d8c9dce0887a480
SHA512: a2a69fe2b8c96cf786aae47a450eaea2bc8c7e975bfd6c36d763aa947f67a2809a4f1395df16c4eede12efcb9789c33bec69935a60c4234e6909a5d5da8a3d03