asyncrat | hxxps://mega[.]nz/file/nbBWmIIR#1zclxrRPl4NowyFwXWM0yD31MKtngoV33AUjt8iW83E

Analysis

max time kernel
185s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/08/2024, 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/nbBWmIIR#1zclxrRPl4NowyFwXWM0yD31MKtngoV33AUjt8iW83E

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

127.0.0.1:9001

91.92.254.89:4449

91.92.254.89:9001

Mutex

fefewfewfewf

Attributes

delay
1
install
true
install_file
Realltek Audio Service 86x.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000023614-391.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
3520	Realltek Audio Service 86x.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2424	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133681560636207679"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
5036	chrome.exe
5036	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
1288	Venom RAT + HVNC + Stealer + Grabber.exe
3520	Realltek Audio Service 86x.exe
3520	Realltek Audio Service 86x.exe
3520	Realltek Audio Service 86x.exe
3520	Realltek Audio Service 86x.exe
3520	Realltek Audio Service 86x.exe
3520	Realltek Audio Service 86x.exe
3520	Realltek Audio Service 86x.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5036	chrome.exe
5036	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: 33	1420	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1420	AUDIODG.EXE
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3520	Realltek Audio Service 86x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2316	5036	chrome.exe	86
PID 5036 wrote to memory of 2316	5036	chrome.exe	86
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 2308	5036	chrome.exe	87
PID 5036 wrote to memory of 4092	5036	chrome.exe	88
PID 5036 wrote to memory of 4092	5036	chrome.exe	88
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89
PID 5036 wrote to memory of 3260	5036	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/nbBWmIIR#1zclxrRPl4NowyFwXWM0yD31MKtngoV33AUjt8iW83E
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe5fbbcc40,0x7ffe5fbbcc4c,0x7ffe5fbbcc58
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,7314089352850834767,14373632147526636003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,7314089352850834767,14373632147526636003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,7314089352850834767,14373632147526636003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2340 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,7314089352850834767,14373632147526636003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,7314089352850834767,14373632147526636003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4876,i,7314089352850834767,14373632147526636003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3668,i,7314089352850834767,14373632147526636003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4404 /prefetch:8
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5212,i,7314089352850834767,14373632147526636003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5008,i,7314089352850834767,14373632147526636003,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2636

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2344

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2524

C:\Users\Admin\Desktop\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\Desktop\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Realltek Audio Service 86x" /tr '"C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe"' & exit
  2⤵
  PID:3884
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Realltek Audio Service 86x" /tr '"C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE4F7.tmp.bat""
  2⤵
  PID:4156
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2424
- - C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe
    "C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3520

C:\Users\Admin\Desktop\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\Desktop\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"
1⤵
PID:2820

C:\Users\Admin\Desktop\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\Desktop\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"
1⤵
PID:1192

C:\Users\Admin\Desktop\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\Desktop\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"
1⤵
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8a0ee92df036cf36472e879686d86b1d

SHA1
61bfd6e3e521376d4fe6c045b677aaffbb550fd8

SHA256
f755416535e5411b0e8a4103a525175899493dcb16c5710ef22cdc2eb7f1ae6d

SHA512
3240bef4c86697912679a4a05cde0306eb64a413d7c680f86be975125497126e66d7cc2961a9214ed50fb35071a2fe5ad1f51aeafe3ac6e849c821bc2a47be22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
e047dd0543f7533b46fcd743260a99ab

SHA1
9cecb5d0b8273eb43704f69efa5923d9f2763c6a

SHA256
81bb146f96117f1bb60d426a8969cb41d1c3346b30a6cdfcd153378b36ecd089

SHA512
f1e26594cad57f3394cbd6fa7efff6306f97d9b9f4a704c4464f7d2eac9a6eba22b9dff56e4af73ded67623ade17993c4b98958c84d9be2162cce261702d0c61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\00\00000000

Filesize
2.6MB

MD5
570c8ef005baff5716a4570b87f230b8

SHA1
2f47a3bb863d7efdde7e8533f483d27141d9dc02

SHA256
edd8ebc8a44fd91289c218dace0e28709fedcb10ead9524d800e26918920f935

SHA512
debfafed9db8f637ed52acda2e2185408fa805f9e0b37a65404099b99bf5dccbfbf2a9897cc700f4ab4738eb12b3c0ecd97df9b3710215d3884417dfd8eadbf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000003.log

Filesize
11KB

MD5
3b6310759684b762906e6efaa69f5432

SHA1
f30376fa0677eaabe5c8079988c71d46af121acf

SHA256
ab82cc71cf2282aa9a904aa46846cc2e4a94d6f958b96c36f8351d217c46453b

SHA512
4cf3dc6a4bbae0d5670240d2e3a5f1f8f65dd9c478122c860e0cf2fd872951cf29fcb5de4de51b6477a192d627df4fb7f2992da8636ca68158bc0d944bda524f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG

Filesize
373B

MD5
675b17512c289a5de219b7f525483614

SHA1
e088f0c99f23c5bad0fbaf2f094f099b00c2f6d3

SHA256
1853fe35aee231cef12198c96a8d7ccb2fc56eb7c89231a365a891493e6377bb

SHA512
0a2845b603ac4d8ff925100191895994caf3c9bc0b6f6beea514200f01d7727f871c0259477df2ed6f4e60431c0f40d4770a35b9239f406acea38e8efcd35116

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
373B

MD5
ef6948153dd3bd556eeeda2a4c943cd0

SHA1
95b3994d89ba2fc3d67b3176735107e2ee31c406

SHA256
fbcc04a11c9084babe6584cc911cbe97777ab93d880a494ac3fec2566d3b0a48

SHA512
d13d1a0fb5de8b0b8703122ba9a7774ed76b6dbee2ef7a7154266bf42f9fa993f1b7df7f40c48fd5c1797f885ce45098f7040943f379cf3e6b2b6ce19e88ee2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
373B

MD5
f30b89b09d61c7e6babbfe20b9d93729

SHA1
5e77a513c05c75afe8dc000d48a5f8a7304b9a43

SHA256
7138637a01458647c3bed89fe163188eeabdbf879e4a10b52959fdf6de3d215f

SHA512
1b5d967842e1cc777a594aebf701d0aaa324085e482aeb856a70a8337e07331f452b1f627c83f89cd653fb84831e5d28f0683761368a852969c2c4463bd7cdfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
373B

MD5
58b38838991ead1d7ecb0c46d12d8b65

SHA1
8633a01c1e7b1a06fb85bbd846acd7fda1967d7f

SHA256
c0a32554c880a877d0f9a78c10e744ed237b22a49af69a25aa50c80c2e1fb88b

SHA512
0d4c55fa4657bef97fc8a9c2f5bfd5d6ef6585116296cef3fae55c1875a9900740e96ae3bbc01ea95455abba74fe969285c48dc77190b7b6fc2d223c0dab2ebb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
373B

MD5
db74a750fb7ef5ebbc31cb59396de7a5

SHA1
4b691548b79682cec1050c5f5487b0a737ef1348

SHA256
dcb4d331d62d51da545180ca128d0f23c00b69111733b50fdb031cd62dd2f5e7

SHA512
38180ec66c92c024b613330dcb7dc5d5911025ba811cf244d6c87a37e123a42469fcaa5b4d055dea3f95edefe01d8b821e7522ab759766b8b949fa7df92008ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe5838ed.TMP

Filesize
333B

MD5
c6b188b993b21fa05fc39e7b25539f5b

SHA1
b635a5762f5132965d6cdb317b0c66f28bae6220

SHA256
ad15eb10980713f776c0708b76ba2a565802d95e3710df097c4bf39f8352f146

SHA512
5f1b294feae8dd0df9c5f85cf3f8ecd5130a6f71ef5d4322a167d6b5c225883cc9239dc6f2893c5d4478881772c5dfac4737ab69a52521e2266e01ea2ecc0711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2eaafd1eb849c847aee05e15fb097190

SHA1
49790cefeea4da8bbc15ecd58f84a0dc9c345d49

SHA256
9acc62b21a6442df101ba2715870ebb5b674f7803eb731eaae2bc3c3efdfbc4b

SHA512
11fa7bc0b86ef3aa038e10b85638780630a57d5a3df61f7b69efab14f5863f6726ded3fc3cc46b6b8d6de07afceb6677c9f575817413655806a4ae43f02ec73a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8ad337ce5837d1a6b584502a229472c8

SHA1
7550f3e222055282a1a11a9c3477b87e37477204

SHA256
9d1c59657c4ec0a2548cc4d521eb23ab4719c957baed64a2115c21da81fe42b2

SHA512
cf0fe61fae496f43f3b8749b1bbefab2d551c157f32d4c8c0ca11bd72cba6a68434f2e54061746327e11e58559e16991232ea2deea48eb691b0a7128291ae8eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
e9f2ed08243096ae2d5568ce438aac76

SHA1
a1df580bafcc9a8110e2eb212194a7e4b4df3c0d

SHA256
5655f415730d2cc559cb536626ec629bdadfa29cc38f13039682b8cbdc76ccba

SHA512
d9098c3c68a5ad31fbf3484430bee2980def896ad76332f6772345b619a4789e59bcf1b66b8f0e8833a9b36d269bf14e4d891e81c5e5a2c31882b23d44ecb183

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b553dac99807b830a2f0f51cdaeb7e89

SHA1
580e393c109f512cf07d66d193338ed741155770

SHA256
d61a0a98aa8043915670948622dfcd9d63be3d7b95ead128b39a027346fc4513

SHA512
2181f3467f15eff0828216721973338ea74adef0b4d0aad70fe2086a63da11f4e27bd16a2fb2f462771c7368deb91d2d148d2e687825c36bee70e3b141be5654

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
53817b71f287a0e2f3131394595cb361

SHA1
2685d768d8df6739039a128b5f64a6f7d83e3b88

SHA256
875cc13e69739136662ebcbdf9517a63acf6e7870df8680892adabd2c47cc2c7

SHA512
1a8f560b108b6ae8d0f97e2d4198534c6bde5b90b3566a603999e43c1de715965226586eb20b039debf5d54b2e674d9a4cb1bc263bbc8de5da655f9d9874e4b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8bbea152d764d834654a9252444dc5a6

SHA1
74ceef0c199ea2ad7ce7f780393c4951bcf96559

SHA256
142b6b524bea2e29487f656a7f954efb1c5396b4a8a04c805011cad22bc88a22

SHA512
a8dc3920586ccb69b625e8939fc02fe38abac177c3a61df0938112811cc8e9fa4d2d59ce274726a5780dd1de1d26a92e9673818fb695079694364ebbef88fa51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d77a3b6d25dea2adcc0805a50a5e6e6b

SHA1
adbfb834ace1dcee64fcd48bc4f6db31fa37bb05

SHA256
724c734d128082a6c824c887f215d005b165b706cab1a2fc3efbdee2cfedd397

SHA512
ea11c975205abce63cec33900ed850f561c97a5ebdd725481c227a0a4f30daf54afa3c355870d7cd13b23d84f405eb9b6ffb47dfc06b6bd84c4b21f699a20b2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
802887bc1030b4e73501eab0521b5e5b

SHA1
5997e3e75c1e1b05d8e6071a20d6904f9c03d008

SHA256
55fed32bc995b81131d7cf286d89085c06664997adff85e6f42def5ea8cbb8de

SHA512
745cde9d02c6b356098f2c93d1251a20bda3385d83eb4d1f8b6646981b582fb15a303efae48c55d6569bd14757d6a9b4a16d41ddb2e780e3bcfef080032db8a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b37bcdf2958659de156dbc40fd10e7e5

SHA1
540caa6449288e95735275c5f52b980f24dc8748

SHA256
e30a3582b1fd1bb66ff899909b6ff451a1c8ca391066c8e6298488dbdc13be8a

SHA512
27d348cdd2a68f7618e21813c0b18bf9550d57bab0e91faad44504c1febb66b9ebabe78f6f69c2cdcd2b724e60defccc0e43b8c737d3c1353f60ebf9d831b32a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
88274a1b9cd078f4997b957a503a6bbb

SHA1
8058e717405d7351b956e5408339dd1d911ae3a6

SHA256
51d761bf60c6f41375d4fcc4929b275200fe0c990a39ccbfab22052ad173fb30

SHA512
361e6b9666d8d0ffd15bbcd692b7551d32a23ec3abe67dcba0c55adfe26098c4fb2e2b76e7d437e4195b158db8e6eba69bb4317d66c858ff65a86c99d34d07e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
16fa3d561e536c2cece2f1d66ef2603e

SHA1
0956c75b4d535add37db0c42710e2639f95470cc

SHA256
54c582c8f348ac7a073638e03939982895b1905d60e9a2fdf7f9a018099a671a

SHA512
2e9be7604fd6cd9cc6861fcae37a3bb29d486cd8d50d256e9ba9dc3c9d15245870ac41e0d55bd77183917940545c33cf65f45ad6160c9813987fb267f96d1643

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7b691b564bf5239a71a68620298de47b

SHA1
ab08e09621ba35f64b06d4dec6ffc18f1547fb72

SHA256
704dbcce7c659ef687b2300eb9c430feabbfb6b3617240c28dddf881020d5ddc

SHA512
6fdbfde97ef01d5edbae5fb2fc65ce016009d77d21cedf78af363008fac9f5ea88ac41eae080e137336cdcf9839803dbd8ba12746ff1b25076fb1fdb06fbe3aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c32dd0e371f750430cba1e1f88ec9dd5

SHA1
8aed93258c7d9d2f23c24ba9d27d16b1be0affb8

SHA256
71ff97041f111848fe352ab54eb9775f986920c44deea0e506b89f00bf317b16

SHA512
9589d58e67c797e29a758a3a964662070e05cc9e3aebbae76279fb5107dbb03e0d7827250a442b2cf84e94aaa30973487fa3108cde965d03fe1ef25b1286c9c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
7c2adfc11f551a2ae26884950c8d7a01

SHA1
93f46d1eb96ef33b6e4048fa7c151c74e95fd054

SHA256
9703261404efd5795110a40fbf3579c65803bda5d012d6268979fa11137a3c85

SHA512
f46d20b88c752551dadc6652d90cd0c9d7916cba15d00775f242eb48d19e22c7f8346db037d55df682de734ddd35cff22591f049453e819ab736e29cd8f94d97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a0dbaa71-0486-4ba9-8b5d-e3a2abb38642.tmp

Filesize
9KB

MD5
ed3234f569d44bb585fdfacd9a79149f

SHA1
06dbae52b051cc3373325e4fd91b506aa04430ea

SHA256
d486e1285eccd6d7ee8ce88ec232e15d368056c04fd480b4f9d72d1945adf98f

SHA512
0a0a17b7877fd7ac482f8c586d21196abb5d163e1fe3f4711d1040619f317d465759096439265f40180251eb3d14af1b21b4a421be738c0aa4fb929652ab3d73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
f7f71e5dcb87df7101a2cd1660041360

SHA1
73ab6b76de8a169922dc2a122d3d80ca46b35559

SHA256
e76b46d0f626a9bbea699fdb0034c20fca39e3624aa6fce88559b651661fc591

SHA512
b670fdec90e980f798c381f5723454a684d7eaedd04dc2406638d3a82a749d0fc4d6b593b7cc10341ecea4cd63204ed7dab181857f0732d744d636c375222840

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
772506a14ddc9d5a26d5bfdc3d2009dc

SHA1
a39affe41ce6bb1d07bf0b1d2c189b602705843d

SHA256
2704730bc8bee967dab004ecb3e25511e4a643fcb9d0ce0f4a96dafd02b1a0d2

SHA512
0f7e8e5d64fd9f7388904a95f279317c396e3deab3b1a5e9a8e56efe145f0f7e96d013597497a3be32e52c560f552755a5fe3bebe053d053a4aae6b907d26452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Venom RAT + HVNC + Stealer + Grabber.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE4F7.tmp.bat

Filesize
170B

MD5
e70b3656768cc0988d0bd5d896a49d02

SHA1
df4d399979cb852b0ec9277f6947d9d84cccf827

SHA256
f80c1d6270c86a17eb73bb5843807683bb9d1a7ad166bede5f4684cbbc0c2245

SHA512
8b9ea4dc64145c8ece4b2bf60729520d41eea72f1b965568068737105d8eec0c30aadbca7796ac5cc83d052861235abf0e9843ee2fddc828c14aa914912c66b4

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe

Filesize
82KB

MD5
401cdb3441eaa85c7d5d85b8cfe0fe54

SHA1
6bbb659c5c2b30c24313efa7a3775b78cbf385c5

SHA256
f1cf79e0ebbb693d10ca8b96d6c6aae0176c3a3417512bacaf0016207e60492d

SHA512
fb70afc7e5a382b3970cf92feaa12c4cfeba7a7dbca0d0f8736b5a38c0e4c42204cf4975081eab940524332fd3067bc4d5da053b55e71f983e01bc20454822bf

Download Submit
memory/1288-380-0x00007FFE489D3000-0x00007FFE489D5000-memory.dmp

Filesize
8KB

Download
memory/1288-381-0x0000000000C00000-0x0000000000C1A000-memory.dmp

Filesize
104KB

Download
memory/1288-383-0x00007FFE489D0000-0x00007FFE49491000-memory.dmp

Filesize
10.8MB

Download
memory/1288-388-0x00007FFE489D0000-0x00007FFE49491000-memory.dmp

Filesize
10.8MB

Download