Resubmissions
- 23-12-2024 00:33  241223-awp8masnbx  score 10
- 22-12-2024 22:33  241222-2gks5s1ndn  score 10 (this analysis; see "submitted" below)
- 22-12-2024 02:35  241222-c24pbazpfq  score 10

Analysis
- max time kernel: 1797s
- max time network: 1167s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241211-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 22-12-2024 22:33
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
- Sample: https://gofile.io/d/tA2w62
- Resource: win10ltsc2021-20241211-en
General
- Target: https://gofile.io/d/tA2w62
Malware Config

Extracted: skuld
- webhook: https://discord.com/api/webhooks/1314414095461777419/8hYVVlssdJOsLuwWhq5QQqRTlg-3pzMhiKB5tYVl8wS1FN6rDNu-iZ34u_-J5bahL4e7

Extracted: asyncrat
- version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
- botnet/group: Default
- C2: 127.0.0.1:4449
- mutex: iridzxfptjhf
- delay: 1
- install: true
- install_file: test.exe
- install_folder: %AppData%

Note: 127.0.0.1:4449 is a loopback address, so this AsyncRAT/Venom client is built to connect to the host it runs on and cannot be remotely controlled as configured; the exfiltration path that works out of the box is Skuld's Discord webhook. install_folder and install_file resolve to %AppData%\test.exe, which matches the dropped test.exe (PID 1212) under "Executes dropped EXE" below.
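To turn the two extracted configs into hunt artefacts, the following Python (an added example, not part of the sandbox report or of the Skuld/AsyncRAT code bases) decodes the Discord webhook into its id, token and creation time (Discord snowflake IDs carry a millisecond timestamp above the 2015-01-01 epoch in their upper bits) and resolves the AsyncRAT install path. The user name Admin is taken from the Run-key path in this report; accepting ptb./canary. Discord hostnames is an assumption beyond this sample. It runs offline and contacts nothing.

```python
"""Triage of the two extracted configs above. Added example; not part of the sandbox
report or of the Skuld/AsyncRAT code bases. Runs offline and contacts nothing."""
import re
from datetime import datetime, timezone

# Values copied from the Malware Config section of the report.
SKULD_WEBHOOK = ("https://discord.com/api/webhooks/1314414095461777419/"
                 "8hYVVlssdJOsLuwWhq5QQqRTlg-3pzMhiKB5tYVl8wS1FN6rDNu-iZ34u_-J5bahL4e7")
ASYNCRAT_CFG = {"version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "group": "Default",
                "c2": "127.0.0.1:4449", "mutex": "iridzxfptjhf", "delay": 1,
                "install": True, "install_file": "test.exe", "install_folder": "%AppData%"}

# Discord snowflake IDs store milliseconds since 2015-01-01T00:00:00Z in bits 22 and up.
DISCORD_EPOCH_MS = 1_420_070_400_000
# ptb./canary. hostnames are accepted as an assumption; this sample uses plain discord.com.
WEBHOOK_RE = re.compile(
    r"^https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{50,})$")


def parse_discord_webhook(url):
    """Return (webhook_id, token, created_utc) or None if url is not a Discord webhook."""
    m = WEBHOOK_RE.match(url.strip())
    if m is None:
        return None
    webhook_id, token = m.group(1), m.group(2)
    created_ms = (int(webhook_id) >> 22) + DISCORD_EPOCH_MS
    created = datetime.fromtimestamp(created_ms / 1000, tz=timezone.utc)
    return webhook_id, token, created


def asyncrat_host_iocs(cfg, user="Admin"):
    """Derive concrete host artefacts from the extracted AsyncRAT/Venom fields.

    `user` defaults to Admin, the sandbox account seen in the report's Run-key path."""
    host, _, port = cfg["c2"].rpartition(":")
    folder = cfg["install_folder"].replace("%AppData%", rf"C:\Users\{user}\AppData\Roaming")
    install_path = (folder.rstrip("\\") + "\\" + cfg["install_file"]) if cfg["install"] else None
    return {
        "c2_host": host,
        "c2_port": int(port),
        # A loopback C2 means the client beacons to itself: a default/test build, not a live implant.
        "c2_is_loopback": host.startswith("127."),
        "mutex": cfg["mutex"],          # named mutex the client creates to stay single-instance
        "install_path": install_path,   # where install_file is copied when install is true
    }


if __name__ == "__main__":
    wid, tok, created = parse_discord_webhook(SKULD_WEBHOOK)
    print(f"webhook id {wid}, token length {len(tok)}, created {created:%Y-%m-%d %H:%M:%S} UTC")
    for k, v in asyncrat_host_iocs(ASYNCRAT_CFG).items():
        print(f"{k}: {v}")
```

The creation timestamp dates the webhook to early December 2024, about two weeks before this submission; the mutex name and the resolved install path are the artefacts to sweep endpoints for.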
Signatures

Asyncrat family

Skuld family

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
- yara_rule family_stormkitty: behavioral1/memory/1212-1284-0x000000001D070000-0x000000001D192000-memory.dmp
  The match is on a memory region of PID 1212, which is test.exe (the AsyncRAT install_file), so the stealer code runs in-process with the RAT client rather than as a separate dropped file.

Stormkitty family

Async RAT payload (1 IoC)
- yara_rule family_asyncrat: behavioral1/files/0x002800000004638a-1264.dat
Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges.

Modifies Windows Firewall (2 TTPs, 2 IoCs)
- netsh.exe (PID 2612)
- netsh.exe (PID 2552)

A potential corporate email address has been identified in the URL: 6633dd5dcff475e6fb744426_&@2x.png
Note: this is a false positive of the e-mail pattern. "@2x.png" is the standard high-DPI image filename suffix, so the string is an image asset referenced by the scanned page, not an address.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation (Clie!nt.exe)
  Nation holds the user's GeoID; stealers and RATs read it to skip or alter behaviour for selected countries. Sysmon does not log registry reads, so this check is only visible in a sandbox or an ETW registry trace.
Executes dropped EXE (2 IoCs)
- Clie!nt.exe (PID 4608)
- test.exe (PID 1212)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (test.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (test.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (test.exe)
  9375CFF0413111d3B88A00104B2A6676 is the Outlook account-store subkey that holds mail account settings and stored credentials; the three paths cover Office 2013, Office 2016+ and the legacy MAPI profile location.

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe" (start.exe)
  Three masquerades in one value: the value name imitates a Realtek audio service, the file name imitates the Windows Security tray binary (the genuine SecurityHealthSystray.exe lives in C:\Windows\System32), and the drop directory is the per-user DPAPI folder %AppData%\Microsoft\Protect, which normally contains only master-key files and never executables. Any executable under that path is a high-fidelity hunt indicator.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 6 IoCs)
- flows 101, 102, 103, 161, 200, 201: discord.com
  This is the exfiltration channel for the Skuld webhook extracted above.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 191: icanhazip.com
- flow 193: ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info. (The ip-api.com request above returns geolocation together with the IP.)

(signature name lost in extraction) (1 IoC)
- ARP.EXE (PID 5944)

Enumerates processes with tasklist (1 TTP, 1 IoC)
- tasklist.exe (PID 3348)

(signature name lost in extraction) (2 IoCs)
- yara_rule upx: behavioral1/memory/5256-254-0x0000000000F10000-0x0000000001E4C000-memory.dmp
- yara_rule upx: behavioral1/memory/5256-255-0x0000000000F10000-0x0000000001E4C000-memory.dmp
  PID 5256 is start.exe (see "Suspicious use of AdjustPrivilegeToken"), so the UPX match means start.exe, the process that writes the Run key above, is UPX-packed.
Drops file in Program Files directory (2 IoCs)
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241222223326.pma (setup.exe)
- File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20290eda-b155-4a74-997c-e421ebb44e7e.tmp (setup.exe)

Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\CbsTemp (TiWorker.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (mspaint.exe)
  These five writes come from Edge setup, Windows servicing (TiWorker) and the WIA trace log; none is attributed to the sample's processes, so both signatures are image noise here rather than payload drops.

Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
- sc.exe (PID 4968)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 12 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key opened (×4), Key queried (×4), Key value enumerated (×4): \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
  All twelve entries are reads. netsh.exe enumerates this key on every start to load its registered helper DLLs, so they are a side effect of the firewall and wlan invocations listed elsewhere in this report. Helper-DLL persistence (T1546.007) would appear as a Set value under this key, and none is recorded, so the signature title overstates what happened.

Permission Groups Discovery: Local Groups (1 TTP)
Attempt to find local system groups and permission settings.

System Network Configuration Discovery: Wi-Fi Discovery (1 TTP, 2 IoCs)
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
- cmd.exe (PID 3416)
- netsh.exe (PID 2972)

System Network Connections Discovery (1 TTP, 1 IoC)
Attempt to get a listing of network connections.
- NETSTAT.EXE (PID 4612)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (test.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (test.exe)

Collects information from the system (1 TTP, 1 IoC)
Uses WMIC.exe to find detailed system information.
- WMIC.exe (PID 4444)

Delays execution with timeout.exe (1 IoC)
- timeout.exe (PID 456)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  All three reads are by the browser, which collects hardware strings for its own metrics reporting; this is not sample activity.

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
- ipconfig.exe (PID 5572)
- NETSTAT.EXE (PID 4612)

Gathers system information (1 TTP, 1 IoC)
Runs systeminfo.exe.
- systeminfo.exe (PID 2512)
  Together with tasklist, ARP, WMIC, timeout and attrib above, this is the usual LOLBin system-profiling batch a stealer runs through cmd.exe before exfiltrating.
Modifies registry class (64 IoCs)

Venom RAT + HVNC + Stealer + Grabber.exe (41 entries; Explorer ShellBag and common-dialog view state written by the RAT GUI's own file dialogs):
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
- Set value (data) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff
- Set value (data) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202
- Set value (data) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202
- Set value (data) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff
- Set value (data) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff
- Set value (data) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff
- Set value (data) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = 00000000ffffffff
- Set value (data) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\MRUListEx = ffffffff
- Set value (data) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 8000310000000000965941b4100056454e4f4d527e312e33285f0000640009000400efbe965941b4965941b42e00000059620400000028000000000000000000000000000000eb80e600560065006e006f006d005200410054002000760036002e0030002e003300200028002b0053004f005500520043004500290000001c000000
- Set value (data) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 8000310000000000965941b4100056454e4f4d527e312e33285f0000640009000400efbe965941b4965941b42e0000005a620400000028000000000000000000000000000000071fe400560065006e006f006d005200410054002000760036002e0030002e003300200028002b0053004f005500520043004500290000001c000000
- Set value (data) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0 = 7e00310000000000965944b4100056454e4f4d527e312e3328530000620009000400efbe965941b4965944b42e0000005b620400000028000000000000000000000000000000cb449400560065006e006f006d005200410054002000760036002e0030002e0033002000280053004f005500520043004500290000001c000000
- Set value (int) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\NodeSlot = "6"
- Set value (str) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"
- Set value (int) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"
- Set value (int) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"
- Set value (int) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"
- Set value (int) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"
- Set value (int) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"
- Set value (int) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"
- Set value (int) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"
- Set value (str) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
- Set value (int) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"
- Set value (data) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
- Set value (data) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
  The three BagMRU item blobs are shell items whose UTF-16 long names decode to "VenomRAT v6.0.3 (SOURCE)" and "VenomRAT v6.0.3 (+SOURCE)" (8.3 short names VENOMR~1.3(S / VENOMR~1.3(_), i.e. the RAT GUI browsed folders of those names. That is consistent with a trojanised "RAT source" bundle: the dropped Clie!nt.exe and test.exe (AsyncRAT plus StormKitty/Skuld) run alongside the Venom RAT builder itself.

OpenWith.exe (20 entries; the Explorer "Open with" dialog associating .json with Notepad; the odd class names are recorded as the sandbox captured them):
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\.json
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\json_auto_file
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\json_auto_file\shell
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\json_auto_file\shell\open
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\json_auto_file\shell\open\command
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\json_auto_file\shell\edit
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\ˣ
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\D1ᵠ輅ˣ
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\燐輁ˣ
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\潤瑭敲e⾊␐耀燐輁ˣ
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\瑴i0㾑⾈┐耀
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\潬灯s媽⾶☘耀
- Set value (str) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\.json\ = "json_auto_file"
- Set value (str) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\json_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
- Set value (str) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\ˣ\ = "json_auto_file"
- Set value (str) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\D1ᵠ輅ˣ\ = "json_auto_file"
- Set value (str) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\潤瑭敲e⾊␐耀燐輁ˣ\ = "json_auto_file"
- Set value (str) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\瑴i0㾑⾈┐耀\ = "json_auto_file"
- Set value (str) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\潬灯s媽⾶☘耀\ = "json_auto_file"

explorer.exe (1 entry):
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings

msedge.exe (2 entries):
- Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings
- Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4084745894-3294430273-2212167662-1000\{713DEC04-3E6F-4B4A-A637-87521958E7F3}
Runs net.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- schtasks.exe (PID 4968)
  PID 4968 is also reported for sc.exe above. Windows reuses PIDs once a process exits, so correlate these two on process creation time or ProcessGuid rather than on the PID alone.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- msedge.exe (PID 3208) ×2, msedge.exe (PID 2280) ×2, identity_helper.exe (PID 1068) ×2, msedge.exe (PID 5608) ×2
- Venom RAT + HVNC + Stealer + Grabber.exe (PIDs 4492 and 2888): the remaining 56 entries

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- Venom RAT + HVNC + Stealer + Grabber.exe (PID 4492)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (21 IoCs)
- msedge.exe (PID 2280) ×21
  This is Chromium's child-process mitigation policy and is expected from the browser.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- start.exe (PID 5256): SeDebugPrivilege
- Venom RAT + HVNC + Stealer + Grabber.exe (PID 4492): SeDebugPrivilege
- Venom RAT + HVNC + Stealer + Grabber.exe (PID 2888): SeDebugPrivilege
- AUDIODG.EXE (PID 2116): 33, SeIncBasePriorityPrivilege
- Clie!nt.exe (PID 4608): SeDebugPrivilege
- test.exe (PID 1212): SeDebugPrivilege
- TiWorker.exe (PID 2356): SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege
- WMIC.exe (PID 4444), the full set recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- WMIC.exe (PID 2980): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege (list cut off at the 64-entry cap)
  The numeric entries are privilege LUIDs: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. wmic.exe enables every privilege in its token on start-up, so the WMIC rows are noise; the signal is the SeDebugPrivilege requests by start.exe, Clie!nt.exe, test.exe and the Venom GUI, which a RAT needs to open and inject into other processes.

Suspicious use of FindShellTrayWindow (64 IoCs)
- msedge.exe (PID 2280) ×64

Suspicious use of SendNotifyMessage (24 IoCs)
- msedge.exe (PID 2280) ×24

Suspicious use of SetWindowsHookEx (27 IoCs)
- Venom RAT + HVNC + Stealer + Grabber.exe (PID 4492) ×3, (PID 2888) ×2
- test.exe (PID 1212) ×1
- mspaint.exe (PID 5640) ×4
- OpenWith.exe (PID 4752) ×17
  The single hook from test.exe is consistent with StormKitty's low-level keyboard hook (keylogger); the mspaint and OpenWith hooks are ordinary message hooks from interactive GUI applications.

Suspicious use of WriteProcessMemory (64 IoCs)
- msedge.exe (PID 2280) wrote to the memory of its own child processes 3428 (procid_target 81), 3464 (82), 3208 (83) and 3196 (84); all 64 entries are this parent-to-child pattern, which is normal Chromium child-process bootstrapping, not injection by the sample.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid   Process
2852  attrib.exe
-
outlook_office_path 1 IoCs
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Process: test.exe
-
outlook_win_path 1 IoCs
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Process: test.exe
Processes
(nesting level in brackets; the image path is followed by the full command line and the behaviour tags the sandbox attached to that process)

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2280)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/tA2w62
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3428)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x40,0x130,0x7ffb32e846f8,0x7ffb32e84708,0x7ffb32e84718
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3464)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3208)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3196)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2336)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3892)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4648)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1700)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe  (PID 1672)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        - Drops file in Program Files directory
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe  (PID 2172)
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x134,0x118,0x12c,0x13c,0x120,0x7ff79a485460,0x7ff79a485470,0x7ff79a485480
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1068)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4508)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1268)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4968 /prefetch:8
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1480)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4264)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 816)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3556)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4896)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5608)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5260)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5504 /prefetch:2
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1008)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4560)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5684)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1956 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5756)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4676)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5364)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 456)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5600)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5640)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4864)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6592 /prefetch:8
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2504)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3444)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2716 /prefetch:8
        - Modifies registry class
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5908)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5304)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5079476009955286359,17253654325218969552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1

[1] C:\Windows\System32\CompPkgSrv.exe  (PID 5064)
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe  (PID 2248)
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\rundll32.exe  (PID 5828)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\start.exe  (PID 5256)
    "C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\start.exe"
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\attrib.exe  (PID 2852)
        attrib +h +s "C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\start.exe"
        - Views/modifies file attributes

[1] C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe  (PID 4492)
    "C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\explorer.exe  (PID 1200)
        "C:\Windows\explorer.exe" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Information\Information.txt

[1] C:\Windows\system32\wbem\WmiApSrv.exe  (PID 5728)
    C:\Windows\system32\wbem\WmiApSrv.exe

[1] C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe  (PID 2888)
    "C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\wbem\WmiApSrv.exe  (PID 5780)
    C:\Windows\system32\wbem\WmiApSrv.exe

[1] C:\Windows\system32\AUDIODG.EXE  (PID 2116)
    C:\Windows\system32\AUDIODG.EXE 0x3dc 0x33c
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Clie!nt.exe  (PID 4608)
    "C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Clie!nt.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\cmd.exe  (PID 5752)
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "test" /tr '"C:\Users\Admin\AppData\Roaming\test.exe"' & exit
        [3] C:\Windows\system32\schtasks.exe  (PID 4968)
            schtasks /create /f /sc onlogon /rl highest /tn "test" /tr '"C:\Users\Admin\AppData\Roaming\test.exe"'
            - Scheduled Task/Job: Scheduled Task
    [2] C:\Windows\system32\cmd.exe  (PID 6000)
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEAB5.tmp.bat""
        [3] C:\Windows\system32\timeout.exe  (PID 456)
            timeout 3
            - Delays execution with timeout.exe
        [3] C:\Users\Admin\AppData\Roaming\test.exe  (PID 1212)
            "C:\Users\Admin\AppData\Roaming\test.exe"
            - Executes dropped EXE
            - Accesses Microsoft Outlook profiles
            - Checks processor information in registry
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - outlook_office_path
            - outlook_win_path
            [4] C:\Windows\SYSTEM32\cmd.exe  (PID 2784)
                "cmd.exe"
                [5] C:\Windows\system32\systeminfo.exe  (PID 2512)
                    systeminfo
                    - Gathers system information
                [5] C:\Windows\system32\HOSTNAME.EXE  (PID 1480)
                    hostname
                [5] C:\Windows\System32\Wbem\WMIC.exe  (PID 4444)
                    wmic logicaldisk get caption,description,providername
                    - Collects information from the system
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\system32\net.exe  (PID 2508)
                    net user
                    [6] C:\Windows\system32\net1.exe  (PID 3284)
                        C:\Windows\system32\net1 user
                [5] C:\Windows\system32\query.exe  (PID 4916)
                    query user
                    [6] C:\Windows\system32\quser.exe  (PID 1172)
                        "C:\Windows\system32\quser.exe"
                [5] C:\Windows\system32\net.exe  (PID 4864)
                    net localgroup
                    [6] C:\Windows\system32\net1.exe  (PID 2444)
                        C:\Windows\system32\net1 localgroup
                [5] C:\Windows\system32\net.exe  (PID 2336)
                    net localgroup administrators
                    [6] C:\Windows\system32\net1.exe  (PID 5304)
                        C:\Windows\system32\net1 localgroup administrators
                [5] C:\Windows\system32\net.exe  (PID 2732)
                    net user guest
                    [6] C:\Windows\system32\net1.exe  (PID 5392)
                        C:\Windows\system32\net1 user guest
                [5] C:\Windows\system32\net.exe  (PID 760)
                    net user administrator
                    [6] C:\Windows\system32\net1.exe  (PID 3708)
                        C:\Windows\system32\net1 user administrator
                [5] C:\Windows\System32\Wbem\WMIC.exe  (PID 2980)
                    wmic startup get caption,command
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\system32\tasklist.exe  (PID 3348)
                    tasklist /svc
                    - Enumerates processes with tasklist
                [5] C:\Windows\system32\ipconfig.exe  (PID 5572)
                    ipconfig /all
                    - Gathers network information
                [5] C:\Windows\system32\ROUTE.EXE  (PID 5580)
                    route print
                [5] C:\Windows\system32\ARP.EXE  (PID 5944)
                    arp -a
                    - Network Service Discovery
                [5] C:\Windows\system32\NETSTAT.EXE  (PID 4612)
                    netstat -ano
                    - System Network Connections Discovery
                    - Gathers network information
                [5] C:\Windows\system32\sc.exe  (PID 4968)
                    sc query type= service state= all
                    - Launches sc.exe
                [5] C:\Windows\system32\netsh.exe  (PID 2612)
                    netsh firewall show state
                    - Modifies Windows Firewall
                    - Event Triggered Execution: Netsh Helper DLL
                [5] C:\Windows\system32\netsh.exe  (PID 2552)
                    netsh firewall show config
                    - Modifies Windows Firewall
                    - Event Triggered Execution: Netsh Helper DLL
            [4] C:\Windows\SYSTEM32\cmd.exe  (PID 3416)
                "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                - System Network Configuration Discovery: Wi-Fi Discovery
                [5] C:\Windows\system32\chcp.com  (PID 5128)
                    chcp 65001
                [5] C:\Windows\system32\netsh.exe  (PID 2972)
                    netsh wlan show profile
                    - Event Triggered Execution: Netsh Helper DLL
                    - System Network Configuration Discovery: Wi-Fi Discovery
                [5] C:\Windows\system32\findstr.exe  (PID 2740)
                    findstr All
            [4] C:\Windows\SYSTEM32\cmd.exe  (PID 4880)
                "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                [5] C:\Windows\system32\chcp.com  (PID 2392)
                    chcp 65001
                [5] C:\Windows\system32\netsh.exe  (PID 3888)
                    netsh wlan show networks mode=bssid
                    - Event Triggered Execution: Netsh Helper DLL

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe  (PID 2356)
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\explorer.exe  (PID 1276)
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Modifies registry class
    [2] C:\Windows\system32\NOTEPAD.EXE  (PID 4924)
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Information\Information.txt

[1] C:\Windows\system32\NOTEPAD.EXE  (PID 3892)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\Directories\Startup.txt

[1] C:\Windows\system32\NOTEPAD.EXE  (PID 4668)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\Info.txt

[1] C:\Windows\system32\NOTEPAD.EXE  (PID 1168)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\Process.txt

[1] C:\Windows\system32\NOTEPAD.EXE  (PID 3196)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\ProductKey.txt

[1] C:\Windows\system32\NOTEPAD.EXE  (PID 1652)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\Windows.txt

[1] C:\Windows\system32\mspaint.exe  (PID 5640)
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\Desktop.jpg"
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\svchost.exe  (PID 5840)
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

[1] C:\Windows\system32\NOTEPAD.EXE  (PID 1692)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Information\Information.txt

[1] C:\Windows\system32\OpenWith.exe  (PID 4752)
    C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\system32\NOTEPAD.EXE  (PID 5996)
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\autofill.json

[1] C:\Windows\system32\NOTEPAD.EXE  (PID 2736)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\bookmark.json

[1] C:\Windows\system32\NOTEPAD.EXE  (PID 2988)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\cookies.json

[1] C:\Windows\system32\NOTEPAD.EXE  (PID 2572)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\credit.json

[1] C:\Windows\system32\NOTEPAD.EXE  (PID 4456)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\history.json

[1] C:\Windows\system32\NOTEPAD.EXE  (PID 4468)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\passwords.json

[1] C:\Windows\system32\NOTEPAD.EXE  (PID 5344)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\passwords.json
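The chain under Clie!nt.exe above is the part of this tree worth a detection: a logon-triggered scheduled task pointing at %AppData%\test.exe, a batch file that waits with timeout before launching it, and then test.exe's cmd.exe child firing off a dozen discovery tools followed by two netsh wlan wrappers. The block below turns those command lines into detection logic. It is an added example, not part of the sandbox report and not code from VenomRAT, AsyncRAT or StormKitty: the EVENTS list is constructed from the PIDs and command lines in the tree (parent PIDs follow the tree nesting; the root's parent is 0 as a placeholder), and the recon-tool list, the burst threshold, the function names and the ATT&CK IDs attached to findings are this example's own choices. One caveat the sandbox tags invite: netsh firewall show state and show config only read firewall state, so the example counts them as discovery rather than as a firewall change.

```python
"""Detect the logon-task persistence and host-recon burst seen in this report.

Added example, not part of the sandbox report or of VenomRAT/AsyncRAT. EVENTS is
constructed from the report's process tree; tool list, thresholds, names and
ATT&CK IDs are this example's assumptions.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    cmdline: str


CLIENT = (r'"C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)'
          r'\VenomRAT v6.0.3 (SOURCE)\Clie!nt.exe"')
TASK_CMD = ('schtasks /create /f /sc onlogon /rl highest /tn "test" '
            '/tr \'"C:\\Users\\Admin\\AppData\\Roaming\\test.exe"\'')

# Constructed from the tree above: Clie!nt.exe -> schtasks, batch + timeout,
# then test.exe -> cmd.exe -> discovery tools. Root parent 0 is a placeholder.
EVENTS = [
    ProcEvent(4608, 0, CLIENT),
    ProcEvent(5752, 4608, '"C:\\Windows\\System32\\cmd.exe" /c ' + TASK_CMD + ' & exit'),
    ProcEvent(4968, 5752, TASK_CMD),
    ProcEvent(6000, 4608, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEAB5.tmp.bat""'),
    ProcEvent(456, 6000, 'timeout 3'),
    ProcEvent(1212, 6000, r'"C:\Users\Admin\AppData\Roaming\test.exe"'),
    ProcEvent(2784, 1212, '"cmd.exe"'),
] + [ProcEvent(pid, 2784, cmd) for pid, cmd in [
    (2512, 'systeminfo'), (1480, 'hostname'),
    (4444, 'wmic logicaldisk get caption,description,providername'),
    (2508, 'net user'), (4916, 'query user'), (4864, 'net localgroup'),
    (2336, 'net localgroup administrators'), (2732, 'net user guest'),
    (760, 'net user administrator'), (2980, 'wmic startup get caption,command'),
    (3348, 'tasklist /svc'), (5572, 'ipconfig /all'), (5580, 'route print'),
    (5944, 'arp -a'), (4612, 'netstat -ano'), (4968, 'sc query type= service state= all'),
    (2612, 'netsh firewall show state'), (2552, 'netsh firewall show config'),
]] + [
    ProcEvent(3416, 1212, '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(4880, 1212, '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
]

# Discovery binaries the stealer chains from one cmd.exe (assumed list, taken from the tree).
RECON_TOOLS = {"systeminfo", "hostname", "wmic", "net", "query", "tasklist",
               "ipconfig", "route", "arp", "netstat", "sc", "netsh"}
# schtasks persistence: logon trigger, highest run level, /tr value with optional '"' wrapping.
_TASK_RE = re.compile(r'''schtasks\s+/create\b.*?/sc\s+onlogon\b.*?/rl\s+highest\b.*?/tr\s+'?"?(?P<tr>[^"']+)''', re.I)
_USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
_WIFI_RE = re.compile(r"netsh\s+wlan\s+show\s+(profile|networks)\b", re.I)


def exe_name(cmdline: str) -> str:
    """Executable base name (no path, no .exe/.com), lower-cased."""
    s = cmdline.strip()
    tok = s[1:s.index('"', 1)] if s.startswith('"') and '"' in s[1:] else s.split(None, 1)[0]
    base = tok.rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith((".exe", ".com")) else base


def find_logon_task_persistence(events):
    """schtasks /sc onlogon /rl highest whose /tr target lives under a user-writable path."""
    hits = []
    for ev in events:
        m = _TASK_RE.search(ev.cmdline)
        if m and _USER_WRITABLE.search(m.group("tr")):
            hits.append({"pid": ev.pid, "ppid": ev.ppid,
                         "target": m.group("tr").strip(), "technique": "T1053.005"})
    return hits


def find_recon_bursts(events, min_distinct_tools=6):
    """Parents that launch many distinct discovery tools (PID 2784 above runs twelve)."""
    by_parent = defaultdict(set)
    for ev in events:
        name = exe_name(ev.cmdline)
        if name in RECON_TOOLS:
            by_parent[ev.ppid].add(name)
    return {ppid: sorted(t) for ppid, t in by_parent.items() if len(t) >= min_distinct_tools}


def find_wifi_discovery(events):
    """netsh wlan show profile/networks, here wrapped in cmd /C chcp 65001 && ..."""
    return [ev.pid for ev in events if _WIFI_RE.search(ev.cmdline)]


def summarize(events):
    """Findings keyed by the ATT&CK techniques the report itself lists."""
    return {
        "T1053.005 Scheduled Task (onlogon, highest)": find_logon_task_persistence(events),
        "discovery burst (T1082, T1057, T1069.001, T1016, T1049)": find_recon_bursts(events),
        "T1016.002 Wi-Fi Discovery": find_wifi_discovery(events),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(EVENTS), indent=2))
```

Keying the burst detector on the parent PID rather than on any single tool is what keeps it quiet on an admin typing `ipconfig /all` and loud on this chain, where twelve distinct tools share one cmd.exe parent within seconds; the PID 4968 reuse visible in the tree (schtasks, then sc.exe) is also why the code groups by parent instead of building a pid-keyed map.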
Network
MITRE ATT&CK Enterprise v15 (technique, number of matching signatures)

Execution
  Command and Scripting Interpreter (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Account Manipulation (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Account Manipulation (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Discovery
  Browser Information Discovery (1)
  Network Service Discovery (1)
  Permission Groups Discovery (1)
    Local Groups (1)
  Process Discovery (1)
  Query Registry (5)
  System Information Discovery (6)
  System Network Configuration Discovery (1)
    Wi-Fi Discovery (1)
  System Network Connections Discovery (1)
Downloads
-
C:\Users\Admin\AppData\Local\142ec1ed5de3d8d04753df23f495dbbb\Admin@WIJCJEAG_en-US\System\Process.txt
Filesize  611B
MD5       fbd4156442733cb74a0320d598942c00
SHA1      9a054268bff4dd66541ad52fdbf04fcf2b864ba2
SHA256    be69073ff4615dc12cba54196845a57e00f1a726675b601d9acec5dcda7c82e1
SHA512    f11d86ce202fdc4a31baed6640cbfe11cf3241d5ff64bcb0d897976de5e610c114d3b84d9853448708bd432c45a05780bdf003c1f9148f67360e699040c009b5
-
C:\Users\Admin\AppData\Local\142ec1ed5de3d8d04753df23f495dbbb\Admin@WIJCJEAG_en-US\System\Process.txt
Filesize  3KB
MD5       900d3848d540d65bede06c1b87c0c47e
SHA1      a03a2806abc556ccfb7a3d537c665f4dff494f56
SHA256    7bb791d634ca146f1eb818fbb4d48f4ddd54b583038cfa96704cc63aabfc0efa
SHA512    c874cd9b95442d0ef85b517f44ae3f4cb320f94ff3802f3421e42837d90c78df91b45defe155ab2fbbcb74a4829e2187955de051dd769f1430929cd0dfb545cb
-
C:\Users\Admin\AppData\Local\142ec1ed5de3d8d04753df23f495dbbb\Admin@WIJCJEAG_en-US\System\Process.txt
Filesize  4KB
MD5       24731802feb799361ce2ceafd6805505
SHA1      49b8f93fb6fe35400560cae7dbcdd84542918ef2
SHA256    87925fbb3bc1c491dbf5cfc4e00788bd0b249a0ede163fedac2fb845313cc4cf
SHA512    8f0db5783430dacc054bc765e83c488d6e7b136a6a9307cef4dfb10de201a4a7aa96bb2fe45b883c2ea9656804e69329a6032aced7faaff94553bae7d32aff2b
-
Filesize  1B
MD5       cfcd208495d565ef66e7dff9f98764da
SHA1      b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Venom RAT + HVNC + Stealer + Grabber.exe.log
Filesize  2KB
MD5       16e2b4a3cd12d6535d958e0b3e2ee274
SHA1      6da38dab2df139701bf3ac9ef4bb05e296958fff
SHA256    a6155b995d6e16c857711223275a9148ae4f0f7686c3558dcee716e53cc765df
SHA512    99fd8b8c55b31f0ada4200df93a7040b18ded0798af1ceb12ab1295c79389f06dbee9355f1e5a9040060cf55f2aa356e3580ab90067fc7be7187b0b506874036
-
Filesize  152B
MD5       aee441ff140ecb5de1df316f0a7338cd
SHA1      82f998907a111d858c67644e9f61d3b32b4cd009
SHA256    5944b21c8bdfb7c6cb0da452f8904a164cc951c6a4bb3a306eaebcad2d611d67
SHA512    54a2c1d4c8791ebc6324c1be052b7b73cbd74057d0ea46400cfd8e60f9a884ade60d838777eba7001cf44c924f63cba1a9708a6c71bf966f63f988c49ca70d31
-
Filesize  152B
MD5       821b1728a915eae981ab4a4a3e4ce0d1
SHA1      8ba13520c913e33462c653614aece1b6e3c660a2
SHA256    36c38bde1e74c5ee75878f275a411e528c00eaa3091e7c4adfa65b8b7d28fb3b
SHA512    b8fd54808711878ed567f474f174db662e2457b6c246f625e148944532c70d94d87e96ef6febfb657895dd0eadc25906c9106fa75c6b2d3bd37ca6786f03a8b7
-
Filesize  2KB
MD5       27ef451259e375eeb9232d96988044a5
SHA1      2dd412bd0d5f77d73a69a25501339a589ae2978e
SHA256    7861f74714bbfc6b796fc04853653cd287eb1ba5cbf790634c5336d94232c2a4
SHA512    7871d3eb9ad7bdd834e3128ae2a0df895d8929cef42e9fcc566ef755cf24d07a6c1b19c542ec7ea641839cd93480280efc0b2a72d38a11ad57d2781f87493ed4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize  4KB
MD5       f625fe73388ec1cc95dc49e55d7926d1
SHA1      08863722fb1ca7b417b6af79adf256608ab7b838
SHA256    9a8e5fec16d629efaecbcaf72b492a84e7dc3376486ac276b5c00905487517bc
SHA512    c5e7b8e875e0265be846ca9d5531c8a2115290c4903dfd7fba2831d75ed31f1403387dc2c1b9015a3cc7ccd6d64389ba600be7c02426327e3ebf6f77422ee052
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize  48B
MD5       4ac3092433225dc2b41986d618e98070
SHA1      0ab2b6c84897e57f7a0c98c9fad0c44bc84c07e5
SHA256    a335e4798a625f7c296bbb4c653433f029a161fabcc01a2b132d494d71c76b62
SHA512    f903566f1be71d2eedb53d7a8eb7cde98b0d778a486bccacaabfcf3601a853ab44379796c1a2350240a289d8ad94513082301b67af0907ad8043cecd07e162d5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize  2KB
MD5       5d05d8395db5e182b1f1f7738e7c2546
SHA1      81d49155e9bcd69688fbe8782c20f514b062f864
SHA256    2e5054926234c1c4c52b92206263439cf8819498120c7a6b82afa03bf5d89dd9
SHA512    e87e001d71821ec22faa41169da0ce371b511b6dd04d4ff3ee811de836d1bfc34c29d399affed372e445c4d1209786792eae4d2c6d2dd90a993f6d03069c876b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize  144B
MD5       2d7ab07b49a7ffd8c6dc1076a45acf2b
SHA1      07db9e48001af1b9e2d4e0f1620838f91093b5f1
SHA256    d4e62713420cd1a2545527ad5c3fa1587e9bc4ae9bad0882a57e84ef4be855ef
SHA512    6593d3509470a97ba22729a19e1d3b97d8b75e5bb7770a7419eb60221b107f926cc8e505d42d0a4b2627a4dae134b91f0915d2580842fe0e6af82d3ea4862c4c
-
Filesize  28KB
MD5       c130324109860afdf25033c16cedd67e
SHA1      1be0e4af53b1554323c230987cb95ec6dbbefc3e
SHA256d0aa41fa0df3078189cb504db722a4cc6d8774eff5b18ec457f2cec851f56021
SHA51242c16438fc7f05362c95dc11d29e57734f526a60a2d3fb4d446ba64859a6a808773386983bf00b8ab745ee27555b24abf5dbd8ba1b81a6d2ad2910bc678b607c
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
264KB
MD5496d2145bd71ca6c1afddbbc1606f0dc
SHA1ff13a272735eedcf82ca523c1c9bdff6849df7d2
SHA256156e7f3bebc9c390e0736d15d1f789bfabe3cd4a808abc44dd17e4f7ff6f8a10
SHA512e1948901b35b03707c8a20dd22ce69b0b26dc1f1ee5ed9beeced2e712ca78127685e2165b156b36774ccb4b65b06ac16e30ffe8db8f23fea797fe3b2ac2df360
-
Filesize
124KB
MD54db3c3f29517852cde7f4d7986869baf
SHA100d27cb349b22d91df41a49cacd4535466d56886
SHA2569dfcfd69fdeedb069a0f48ec8a1a8f7a9e6d6d786485aabce967e595ce09f706
SHA512015f058a5eedc1d892e6974b1dfe660feb19a137b9c66d6ffe34184619bf75cbc8633d5c30c2b45c2e1ccd1b5982fe776cd0ac46bfed97e0c606e684d1564282
-
Filesize
48KB
MD52e8d91936332a4c6a47d01c53480023d
SHA10e10764b2dcdbd5fafc49673841924b96ba724fc
SHA256a91d8ea7150a5c4d31df1493024f3a748630721a774e1fd730cb27e1f42a9d59
SHA512dbc2c0eb7149289f0990fc4bf0e2ff6b64497510c5229e2d8091e37dcf4e66a438f1f946210f0a747bf95743b7697453e6b456e7f9c9c135e2ce7d02c158508a
-
Filesize
1KB
MD541ef72af670083bcb1fc179a3c4d8787
SHA1e4190c1913179c688df3797266d39f0f69bd9122
SHA256758bccdc68fd3aa249817f70c9bb775303105739ee79426c69d8a8f4630dea65
SHA512207fc065d1de7d5ceaec91f81532e748d27ce7ff8172e1e75f774650213e8a687fe47a5d353510d2a9dddac5244d1faa0508fadb642d68298193f8a35ce6bd82
-
Filesize
2KB
MD5828ae8646497fae0aa57e8ffadca6cc6
SHA12873f700698d6e21969cac9564f7795fbc86381e
SHA2565bdf3812fb84ae5caed02ef90e56bd33c8363f2196d3396ec8293c84916fdfd0
SHA512c6f4b2d8f750766b02961e0498ab5fe04427418060a1ef392af7b4fc0c7a329813936d33ae4e3c6461ede4a477fd7470c416f17dc191d2cb916ae47cc70d4638
-
Filesize
2KB
MD5f96eb8c2e4c3c16b9f9c259959ebc3b8
SHA1eb621b5f0dde3bec2a4357f5ddabc886229e125a
SHA2564b3b014358d70523eda973a33317f1f34675409a1f23e16326134d34913d8d1c
SHA5129ea51f0a2add7f054bef28185cae0f177c2d9f56c1a38687f1051856e4c92c3eaf11ef5b13d6efc51c63583dbe04c09d8b60d1489e44011bffa033fee4b57497
-
Filesize
398B
MD5054568993cd4c4fcedbf559589abc4db
SHA182366ba4a4c8c3c16a3c50ad6686fbcbb4b2df63
SHA256c042126132833156891ef94b0fc5f9ae53fab59f6a91caccab8d0df5ab4185df
SHA5125bdfb9f85ee4d6157c6d5531197b404b2e15d0a7a005b9eacc914ab61326ea0d385b65a26117c6738cbb5b9bbaf63521e78eec9d07ec36b1b2fe6f19a5a135a1
-
Filesize
2KB
MD5bb6e09ce8874013fbfdb2d4f4e98bafc
SHA1610eed6ee2defc33f5dfa14dec357d40ffdeb907
SHA25672cb30add05e01b5e5dd5b7a8f1768d7f706ab349fac4b20a192c614e1e18406
SHA51234a94e4d698933482229bdc1766410da351c1ebabdd465f3c778683511a532059af5d59e64a45b1032f85180e72cefe67cca8799d77f94a8c5d56550167b1ffa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe587078.TMP
Filesize59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
5KB
MD5fdf35e455a608ea5db9f3723b1c85e9a
SHA1a22d84c33fcb0108c774be4f035d883d4e87681d
SHA2567e4d5e56acc8aadbc621d0ce62c71b3c8f7aada577aa559a6f989f844b485a99
SHA5126d0a09d49a60550363e479c9f68ab961c3498995af847edf65a0ad77e4331f314150b32ccbc7d79dcf6a4d21d2662791029e16e0c78209d5ed6b9a425bd935ca
-
Filesize
5KB
MD5597c9e71018298ff75ab5e854ae1b65f
SHA12faa28e33927903453f0d61895445426174a43bb
SHA2567fa18d6a89b970d4bd99faa32b67b50fae26a8ff1c9edf5c1efb4db6b05ed08f
SHA512d20832bf25a7dcc51506368a7669e395948bd96bb3962333fdd06e44bf7ecbf12042d5dfbaf7177e4e95bf35b42b31834da413e9e2a4f0268ddba5793e3ab40e
-
Filesize
5KB
MD52821d5671d96d1bc313e8102723983e5
SHA1fee60b2773720d25f2caf6886b37b48f012365a9
SHA25606dfaf92dfda78196cf33499929687baf81c950dbc0f527932ed30d9a13790ef
SHA51227137442bbd6896596701556a88e355e8b1a7c75bd7d11009c2bd589698604749d4703c37dd216e638ddce8d1aafc14073151e2d186ec64f34a3b37cdc94b9ba
-
Filesize
7KB
MD51de10388b69367d36f2baef3740a55df
SHA1392e64ddb6a373b82a1e53acc7544e5d2c60a9be
SHA256106c9153df7ae1d1ae8595148de3d9bc5b9bf2a8e3c52871a576627c346e8f5f
SHA512717d033186120aa6c2acafefc6450528dad8799a55cd5835ae53211a7c246a06119ea28a983c6f1c554dc90b291c86971f7faaeaf5946fec85d25fcca5e52326
-
Filesize
6KB
MD57fc993c0ac4e0b25555c7e8296c92ebd
SHA148dca9441efeeacff4c8e35ad3e9d4b2f6d3f40f
SHA25697ca5623c34af7d230c624305803ac1c893f7b77da533323370231394181dbfa
SHA512844e8fe839f54653a9aca7e482537985a843e028584c59731f571d0acab2b938913c1f419a6758564daf6deea3467718a36fd0b69e5077bcbf2c5ce927bb42d7
-
Filesize
6KB
MD59e7c65ba5c9a7a86ccaa3fd14e8f38ba
SHA139cda3907100e94b2e52bed39bba9d82c2bc83fc
SHA256c213d6fd70a838a9ff05f5a36217af7926f520f9513c73691097a5c5685c2619
SHA5124589be79e04c1c7de720d676af0f5309d222faa5cbc4d7ae2dda39be3b29491c8f2e37f2cec170889d645b7baca16c6749be2dc8edc6c7b2d06e39ad2aa13465
-
Filesize
24KB
MD540054cb73dd68fcf513186a36e7b28b1
SHA1782f64c46affe72bd6b334c69aae88aa32216b2d
SHA256136f61f0d620207ec049ca6889378a9e89d998a6ef15fbd2a8095482d8d88118
SHA5128689097b5b94b64af0be6b51f176041b25f5464bae229b7344df07a29893d5f13498c3f88f6448b956baa7accb460e31f5ffec6eda35f31b0587b5b0a1e63c76
-
Filesize
24KB
MD5729df10a7e0b722edf6673d36f2040a3
SHA1d082d92cb6eb8c0d79c9ea7e67e8b4828c5ea02b
SHA256e2c498352af617d6d1106ea4d53c59fadc993a1f432068307250cdd0be68f7c0
SHA5121619048945ed9b48ab2568dc546adf5173f2c60d03ee74f4616c3ffafe7182052b760feea19ce288799448c0f613b5e5592e5c547417fd7705997663439e3270
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
2KB
MD5cbd10b6c61b953b6412079e04b1c32b2
SHA1003635208802a8c7a3dcd3030ad0b91e616222f4
SHA256404d54efb12f8a0d93a309df93a2510e4fe4f38def7438027840075597720a5d
SHA51207b51c19dacf22ada77235620e1b585c694df64b18e8061460dbfd50b203fb236bec7459f209bbbd1d01ed2f98f0cce15df3c9fab31a2199ee9c7b23bffc0cfc
-
Filesize
2KB
MD53fd667c1534e7d56a79bb1db6a707d00
SHA13700ee90e47c7ec57e68c7c8970edf8876b7fd8b
SHA2566683bc126ce0da6e0c10a6d1a85952a46c0571c4b4c7e3ad6dbb9e5bb824face
SHA512ee09275b430b72d0cefd1af88570be413103d5d6db2b4ff813b4077a1f9766c24f7194759b154299ea4e573abcb36075bc20dce1c70331c68885c675564ee320
-
Filesize
2KB
MD53ba0b4dbe76597dae18d8aeff3bbfcd9
SHA10c15d1efca6bb0d3d2e8c9480443b3d6528d0647
SHA25656567027ee25ecbf859d9fd4e9c8265c04c40283bd2bce9572b8b880efd30369
SHA5122f84873c7254aba19fc61458a91a03f732a6eade6d5267f506a76f724301efe2964fd9a1930ee9c1f068407199bb8c5b746e35917c5001d2f974a62e8dadc2cd
-
Filesize
2KB
MD556764a4ec6d5ebf374be22415d1a4db7
SHA1b3e558cb88d75ae85aa865f54c181721b4aff96b
SHA256cf337bd109901dfbe5d7d309948c080112e6b3e6fbab3aa13dee5649f2f6f7f0
SHA5120deb85e6c412850993822ef098e13b078ba1684b95996ff1111053abebd76816e48c04840f039fd25462b372b503cf0d327128d2148e0d9ef5054d84aaf0433e
-
Filesize
2KB
MD5b5bfd2567d1856689ff406e0447f85a6
SHA1ae0849ecc71190ba02faf64461447a3566a6aabf
SHA2563b7e6cf9e7f98f4397144b68e32e5ae8186d81ba649addaa685d01bcbb047a15
SHA512acefdc60bbc3e5ee671c28dab11b47009b4abf189745d6d99c790a9ac2bc7ded09099fe5b13a3c301d740461f9477389715ace619dc5c6902114bdffc98caf8e
-
Filesize
1KB
MD530aa6ff9c24477fe9f641e8d89072d67
SHA1ebaeff97b9c9401e3c258b848dc749aa632eadcb
SHA256382ac180e7ae6e79759d4b6787f5b3c8e22edde92377a3ed984e15f415032b45
SHA512c3b42e9657b5f43e1554c148568d3c063602eed68b372694c5ab9bdabea37cc2f227f012e6d993a3b179cf282e4a91729e45e4b2ae16f11d3b3e4c4d88698c66
-
Filesize
1KB
MD5a5702cc4da478c1818a0a66df52abc31
SHA1eedb86378318cda1d4028b180bbaaf778ec6edf0
SHA256e0b44ef6c27906899f63c7553afba36a711c5f062dd96872a063c9fbad611eae
SHA512de7345ba00366ced0f4a67c3b0315ab6f75771e72b0cbb6964aec525394add641bcd333846ed7e1791cbe14ba682bea65c8ba97746783961ed041fb700aa6858
-
Filesize
2KB
MD508d0fb2c3e1d5c0b1fe32a6b55bde27f
SHA1e4457ee28e274693bd4f4fd122e0da5c96df6d2a
SHA2566e288c7ac2ee625f3a5d51656fcc03cdc8a9f7e757f20983121b4af94c978eaa
SHA5120e8c7010be8fbe67592380febdf2759cbe1acbdf95255cd7b639f6275ef5a54c8ef2f31d2d8bf159495ad9cdfed4185d80467b20a496ae79885b47f09e5a8b70
-
Filesize
2KB
MD5a9cb842b37e997b67bdbd0c00a81e178
SHA117d75c5d12e35462ff2e584f97d05454c2330ad9
SHA2568124e7b082aebdf187b199de9d1de96c62e5ddd69a92398135d90f0f32c1f214
SHA512cad08530972539a588a94a7fe808c01fd8618af202810891790e976e6168a612a9d54df910de0eaa87621275d9a44328b1cef32093c34205a04a4f15e20adb7c
-
Filesize
370B
MD51f675c28e1aa9081670f0ec6722dfa74
SHA1d7c2625c12d52abcfa233af6f7d8a4a48f77f62e
SHA2569145033d9c8a2b881b19b9a78ddb23d9177a489b1261b8d6c820147abf09c5bb
SHA5127494c556af378bf480e42fe5f75d6dcc47ea00d7d90bb01d3a69098b8836a913bd0903d0bfeacb0274f9a5dee845bc293c05d5710662ee18e53ac7fcc53631a2
-
Filesize
116KB
MD5d8d8c4fd5afff4f8e7c424b40ffe85c8
SHA1967bbcbb94dbbba81e9a24c9f78560e8f7de702e
SHA256df3a39513959a6964b490a03f7e040f58113449590b02a156a1a170280a0fe2f
SHA512279a45b03d72e6fe5d68c96e094c5fe4e46135ad651cab6e04be89dcd07ffee51f6c4b80336e203f942119f64a4de82b85af6eac92fe9f50d85ebcb58732baa1
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
11KB
MD5a92696f2878b9c80dbc6c290a5d601b5
SHA1e7c28fb8e002a0312512979d8f2c0f3ad561e9e5
SHA256b14a4e96ff5bf3006d3c1e5290fc45743d3a3e5570cc7076adabf046c0985996
SHA5125ac4b602e887c881a2c13953cd4d4a130ca1ac275ec8465553423e9e9583c5d0ec6ca41cb8b282ab632bd95cddae1645694cb68a70dbdfb641e38ccb6ab5a742
-
Filesize
8KB
MD52ba105a815e5e7d98b772e3cafdc103c
SHA1242f1c12322d4604283453f9f20234b01eccb522
SHA2561e8c59d0456a6e21c7ad50163c689bc4271f87355e3ef82510894f57f6d69578
SHA5127852991d551f6a3c90d54854a6ef38b7b89af27af6ef0e4f0f5313a4fa488fbb23a9d904c224604461953243e0cd606d4282c7bcf6375e8ee5fa7646212a2942
-
Filesize
10KB
MD5f62111db5e41fba637b4a6f365f15cdf
SHA1538d39ce8e15f7a74815e26568dbebd59847f99a
SHA256c662adecc0b7bd95a6478a458a8bcf3f3a94244263c4737ea305935599381659
SHA512afdcf5f1af75204ff4d2a2e49458abc0c496280da045875f5a0693ddfe92fd59f27aa60bc2259ed5e14a397319f2b184a834f5b20c7d1c03cf3b4965cfe82c1d
-
Filesize
11KB
MD55903b2f36b9a2f2978561136a959869d
SHA1cbe11ea7129eba67f3a200f601d5e0e2282143fe
SHA256c9b42015339e8a42b79e7736e2c9a8cab6a81fe69ca4fb4776808dcfb8bc01a0
SHA512a869167a3c53747dee8993bb05bf1732f048a7611fcedf451633d7121a2771027b97183f9d07304a771405d5ffea57d38eef07333f51d6a4c5c90c0c164d9f5a
-
Filesize
11KB
MD5961feedc264d29636ac7588349b243e3
SHA183d8e5d5e72ca3be73a5b45f90ec67c442f5c05f
SHA256414f120ba5ee67708fa75f8bef8b5575f3f70499b9709e42b2aa0897ed39bdf2
SHA5121783267d2c545ee6ea4abfc550a3edfa0da8d7238de38d7c73a8301f62f26611a65a5c78796356ce43c4cbf03d5bddb0fcc13b7267cbeeaca4d1f3ed3e4cc080
-
C:\Users\Admin\AppData\Local\Server\Venom_RAT_+_HVNC_+_Steale_Url_qkamrgd2yxc3i0qepbewoqwa2m5juegt\6.0.3.1\user.config
Filesize1KB
MD53fb8d2a2cd510948957ef43af5de1a6a
SHA1165c56b69c45db04546436b8cfcd21bf543fe1e3
SHA256095a2b7ce003847ea27f3eb98eca1c5bf9098c194c137c550bed549fe8d46306
SHA512ddf025953f0487612cab831866ce03285aa810a406d0a92d4491a2d26c7eaba2c4108c230309732a7ab6184c1578419164afe2fdc8e0179d8584bfbc7e75f1c6
-
C:\Users\Admin\AppData\Local\Server\Venom_RAT_+_HVNC_+_Steale_Url_qkamrgd2yxc3i0qepbewoqwa2m5juegt\6.0.3.1\user.config
Filesize1KB
MD5ec49b7f5618d420d4c61a527d52c2638
SHA14c627db09339ea9d8266671a866140c5c9377c89
SHA2561e5fc255b1d6ff6b9fcb242f9aade5db7d5ce869a7bad4a216cf92c90f239def
SHA512d33bbc0e55aa55a52b12a476d570bc2f2bb649313d416d94cd7bf73c0e76bdbf016b8cecf2eb3aaafb490e36238a8bec3e41e88201b65d032daaed757ddabd6c
-
Filesize
148B
MD54f437f4bf471893ccdf568b7fc936f6d
SHA1c95deabbc89ab4c2d44afb2e8491648e27bf44d1
SHA256df9de81741a549e83dba270845b150159478d877f57a9f04a212ba069dda23e2
SHA5129292fc319ad614bc24a752fe16768365244e343971d48288fab667acbef06549cb57c14c0529fa02201cef9336f2f52f4014921f439414347a273a144f0ea5ed
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4084745894-3294430273-2212167662-1000\8d3cd47d18e98cbd02c8d59c530742de_d468e313-c2f9-4f84-a97c-05487374978e
Filesize1KB
MD59c7160f525015f741e6aa9a3f37039e9
SHA1120f459abf791e2f99436de1830619241984c7fe
SHA2562a938d7ae95a4f9625bd05f0a53e344db148f0750891d8ff55a25dbda11341cd
SHA51278c0134a41444c43de5936e036a71906730379e7d34b3ca874f3a9fa26c08bfa01afef43e964a236400efdae4e9438a01130782f98614e6babf428387a67a05d
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD5fac0c840ab730443dbcfdf3abe3f81d3
SHA171c4080e2947a324f9a4ffea75507091ccd0e620
SHA256148bd26e13fcc00d0025a2d7e6443902acff2fcc49e06b85b005aaa5fc6bd919
SHA5128f92c05c4d7e1f55d1250fd4d4f0459ef0c3d09b2b3b5251281046fe4fb941949337f79f980cb5f6a66fff12cffdd5a5834d5f69403d1116e7706a9ba11fa52e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD58d09c1bea31bec8fc772af35d50906a6
SHA113eaa619e5a84467b6a90e79e393c46d322c5afa
SHA2567f660cc502801fd4fe7bda6a964a91ad248e287b21e8822d6a3900ce806e8fbb
SHA512c45f47e47be392b54c25f5a693848b4c147a609a50b9700b197c620e4bd47b89775b5e3ad334f09a6e1ae71d13262d2a0a239343a084fca923bf61120181bc93
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Clie!nt.exe
Filesize74KB
MD596e0fd46b00d9b069fdd048fe1c70a4f
SHA18dd352978a7fcbbb19aa4420f92586670695d96c
SHA256479c6d3bf8e4bd5d09eea88be6b68ea9a5675f4dbddd43fae08ad6aa9025bf61
SHA512e4f67eeaa03a278bf903684fa777dd7703c968ca3dd64c65b174dba653b0ab4b3e19e1f3671e5829ab4f1a6531be5109e851306b644800192ad4ec9a86be292e
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Information\Information.txt
Filesize115KB
MD53fa6ce927e60a0e0e7ef8c6b0762f727
SHA1b4bc81058173f5fc7a69444c3b248d90969550a3
SHA2561b144ad8c6108b7149dbada712182f9905f257618827651c848ff5db88acc68f
SHA5129e459cc633d44244cdefd7ddbc192d23f0cad5e42570f6b7afe0a32a4ef86cf8cdedb50491103dffbb083d19a2f9ba7c642516d8ad88a50d9be9b254e3a754d6
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\autofill.json
Filesize346B
MD5970d6ce5fa1fdae9fdc3d952df3832ea
SHA1a1884b1e4a5f1c9058059cf1bd70b2b02814673b
SHA256b84b0c32165b937e69940e5f537e6b01a42813e02426870690ea31c7dbaeb6f0
SHA5120601b4504bf20ab659ae7b647e9eae4349edeb0055cbb43f2c37922eea0903782cf7f23d66112be3feda224cdb4bc46c8254b2be3ecd8f7687b43aaba2ec3a37
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\bookmark.json
Filesize423B
MD5fbd64865e019a143be04de4653ec2680
SHA1170f5780f52b0a2986cb5b58062829e3c7ed57ac
SHA25638cb7b8cc2acdce5809b6b4bc6017f68061bb5377b3c367ebbc3285eb8b29d67
SHA5121e5477416600a9bb8ce0ca50ba9ffd187f80d467a6e924cd32bfe551d5e0edb2551548d70ac469600bfcb36d5261b15ff95d8b92effe44ae6aecd3d3076f9ccb
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\cookies.json
Filesize5KB
MD56cd3774b65274bd632c04b8b265f6cd5
SHA1d6d3430b644a09c6a92ea0e93bedd6def8c76064
SHA25696131cef83e2247a26aa40b9ac7ffb733286032ff4f14343c490201d93414bb7
SHA5126ac25d7f3d309e256dfb5d42e1cde9685453ec29938172029903b5850cf33b3535d61d96e56813bc8cd666424211077026edb457fa560fd2543a01a26492ffbb
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\cookies.txt
Filesize623B
MD52fa0bdc6aa19d0d8fe113468d1d4768b
SHA133619924f3ec5ddc26a7b645161116c4465d7b3f
SHA256d35c2473f0cc0f3d0767ae6a7482a3973fcfc2fdfab2ece650a453de38409a67
SHA512f5b92dacee0bbf23aac8bb9870097593e2f5e1de350aa60ec7f41358c2499f7b07ba1ded15dba65b443faeb757456a926bad22217cf62be235c209ff84e2d6ef
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\credit.json
Filesize2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\history.json
Filesize1KB
MD5da1fe00c17994737b456365fa1e9a426
SHA195fa50089cf50dbc2e500f110fc0cfc661bdd46b
SHA256a16b524fb26fce030d6de7b515f3269c511526e3e5f39007eaf25fd7c4b461a7
SHA51275f27fc41cbedbbe88b2936250a0f3f80064ec4cb19a1a6358e711d05b7f63f7ce20baef62cf3b1eb3f121bdb9a19e6305d74a00db020c3441bb96c248d03680
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\passwords.json
Filesize987B
MD553fead135a7c4ccfb2781689cf17f57c
SHA1bc783b6711e8a19c72070f064e9a66409a62cb8c
SHA256ec4c41bb9d06528c7af4c656a5435ee6515f84e2841a366f595a5e2506c8f46f
SHA51242f0dd2c320e7983fd1656a166cf4492c4e3b8fe1c3ac80abd489b66c6fc70909523f37dcd8f25695cc2503fdf8037884917570c4edc1b6bcee83e3a081b7c6f
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\note.json
Filesize900B
MD5e5316a01d40fe5bd0e57e6cd593c6ee6
SHA17df8d9eeb5ca125634b8967d97aeaae982db5048
SHA25617dc64aef3da52024c6effc001dce222b2754f39331dad6c30545b5d4e9a49bf
SHA512f911634554a64840674508169eeca86da01f2caf78481e586c05119854c7e8ff538b912a9f031a3f3cb87ff3ed696caf61fbde4844b1ffd53f26719c91c81856