asyncrat | hxxps://gofile[.]io/d/tA2w62

Resubmissions

22-12-2024 02:29

241222-cylz4aznbn 10

20-12-2024 02:05

241220-ch85paxjfq 10

20-12-2024 00:53

241220-a8n64avrej 10

Analysis

max time kernel
958s
max time network
958s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22-12-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/tA2w62

Score

10^/10

asyncrat skuld stormkitty default collection discovery evasion persistence phishing privilege_escalation ransomware rat spyware stealer upx

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1314414095461777419/8hYVVlssdJOsLuwWhq5QQqRTlg-3pzMhiKB5tYVl8wS1FN6rDNu-iZ34u_-J5bahL4e7

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

Mutex

hsmjkjueubdhudn

Attributes

delay
1
install
true
install_file
test.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/5680-633-0x000000001DC00000-0x000000001DD22000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x002700000004621d-383.dat	family_asyncrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2280	netsh.exe
5112	netsh.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Control Panel\International\Geo\Nation	test.exe

Executes dropped EXE 2 IoCs

pid	Process
4420	test.exe
5680	test.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	test.exe
Key opened	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	test.exe
Key opened	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	test.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	start.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
133	discord.com
134	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
123	icanhazip.com
125	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2476	ARP.EXE

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
8	tasklist.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2F1.tmp.jpg"	test.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5024-327-0x0000000000560000-0x000000000149C000-memory.dmp	upx
behavioral1/memory/5024-326-0x0000000000560000-0x000000000149C000-memory.dmp	upx
behavioral1/files/0x00290000000463a5-341.dat	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d495f5cc-d6d7-42b2-9582-7fa0b67f27d1.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241222022922.pma	setup.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CbsTemp	TiWorker.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2484	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3172	cmd.exe
3892	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
5108	NETSTAT.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	test.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	test.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
6012	WMIC.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2296	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
64	ipconfig.exe
5108	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5368	systeminfo.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Control Panel\Desktop\WallpaperStyle = "2"	test.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Control Panel\Desktop\TileWallpaper = "0"	test.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\0\0\0\0\0 = 6400310000000000965985141000434c49454e547e3100004c0009000400efbe9659021496599a142e000000d9620400000028000000000000000000000000000000d1f3ff0043006c00690065006e007400730046006f006c00640065007200000018000000	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\0\0\0\0\0\0\MRUListEx = ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\0\0\0\0\0\0\0\0\NodeSlot = "36"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\0\0\0\0\0	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\0\0\0\0\0\0	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell\SniffedFolderType = "Generic"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\0\0\0 = 800031000000000096590114100056454e4f4d527e312e33285f0000640009000400efbe96590114965901142e0000007e62040000002a00000000000000000000000000000072e9ca00560065006e006f006d005200410054002000760036002e0030002e003300200028002b0053004f005500520043004500290000001c000000	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\0\0 = 800031000000000096590114100056454e4f4d527e312e33285f0000640009000400efbe96590114965901142e000000915f040000002b00000000000000000000000000000072e9ca00560065006e006f006d005200410054002000760036002e0030002e003300200028002b0053004f005500520043004500290000001c000000	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\json_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\json_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\0\0\0\0\0\0\0\NodeSlot = "35"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\.json	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\0\0\MRUListEx = 00000000ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\0\0\0\0\0\0\0	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202020202020202020202020202020202020202020202	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\0\0	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\json_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\0\0\0\MRUListEx = 00000000ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202020202	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\Shell\SniffedFolderType = "Generic"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\json_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0\0\0\0\0\0\0 = 5c003100000000009659a214100031323730307e312e3100440009000400efbe9659851496590c152e0000005062040000002b00000000000000000000000000000057d78c003100320037002e0030002e0030002e003100000018000000	Venom RAT + HVNC + Stealer + Grabber.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
988	msedge.exe
988	msedge.exe
2240	msedge.exe
2240	msedge.exe
3208	identity_helper.exe
3208	identity_helper.exe
5960	mspaint.exe
5960	mspaint.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
4916	msedge.exe
4916	msedge.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
4420	test.exe
4420	test.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5280	Venom RAT + HVNC + Stealer + Grabber.exe
4124	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	start.exe
Token: SeDebugPrivilege	3132	taskmgr.exe
Token: SeSystemProfilePrivilege	3132	taskmgr.exe
Token: SeCreateGlobalPrivilege	3132	taskmgr.exe
Token: 33	3132	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3132	taskmgr.exe
Token: SeDebugPrivilege	5280	Venom RAT + HVNC + Stealer + Grabber.exe
Token: SeDebugPrivilege	4420	test.exe
Token: SeDebugPrivilege	5680	test.exe
Token: SeSecurityPrivilege	3480	TiWorker.exe
Token: SeRestorePrivilege	3480	TiWorker.exe
Token: SeBackupPrivilege	3480	TiWorker.exe
Token: SeIncreaseQuotaPrivilege	6012	WMIC.exe
Token: SeSecurityPrivilege	6012	WMIC.exe
Token: SeTakeOwnershipPrivilege	6012	WMIC.exe
Token: SeLoadDriverPrivilege	6012	WMIC.exe
Token: SeSystemProfilePrivilege	6012	WMIC.exe
Token: SeSystemtimePrivilege	6012	WMIC.exe
Token: SeProfSingleProcessPrivilege	6012	WMIC.exe
Token: SeIncBasePriorityPrivilege	6012	WMIC.exe
Token: SeCreatePagefilePrivilege	6012	WMIC.exe
Token: SeBackupPrivilege	6012	WMIC.exe
Token: SeRestorePrivilege	6012	WMIC.exe
Token: SeShutdownPrivilege	6012	WMIC.exe
Token: SeDebugPrivilege	6012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6012	WMIC.exe
Token: SeRemoteShutdownPrivilege	6012	WMIC.exe
Token: SeUndockPrivilege	6012	WMIC.exe
Token: SeManageVolumePrivilege	6012	WMIC.exe
Token: 33	6012	WMIC.exe
Token: 34	6012	WMIC.exe
Token: 35	6012	WMIC.exe
Token: 36	6012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6012	WMIC.exe
Token: SeSecurityPrivilege	6012	WMIC.exe
Token: SeTakeOwnershipPrivilege	6012	WMIC.exe
Token: SeLoadDriverPrivilege	6012	WMIC.exe
Token: SeSystemProfilePrivilege	6012	WMIC.exe
Token: SeSystemtimePrivilege	6012	WMIC.exe
Token: SeProfSingleProcessPrivilege	6012	WMIC.exe
Token: SeIncBasePriorityPrivilege	6012	WMIC.exe
Token: SeCreatePagefilePrivilege	6012	WMIC.exe
Token: SeBackupPrivilege	6012	WMIC.exe
Token: SeRestorePrivilege	6012	WMIC.exe
Token: SeShutdownPrivilege	6012	WMIC.exe
Token: SeDebugPrivilege	6012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6012	WMIC.exe
Token: SeRemoteShutdownPrivilege	6012	WMIC.exe
Token: SeUndockPrivilege	6012	WMIC.exe
Token: SeManageVolumePrivilege	6012	WMIC.exe
Token: 33	6012	WMIC.exe
Token: 34	6012	WMIC.exe
Token: 35	6012	WMIC.exe
Token: 36	6012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6124	WMIC.exe
Token: SeSecurityPrivilege	6124	WMIC.exe
Token: SeTakeOwnershipPrivilege	6124	WMIC.exe
Token: SeLoadDriverPrivilege	6124	WMIC.exe
Token: SeSystemProfilePrivilege	6124	WMIC.exe
Token: SeSystemtimePrivilege	6124	WMIC.exe
Token: SeProfSingleProcessPrivilege	6124	WMIC.exe
Token: SeIncBasePriorityPrivilege	6124	WMIC.exe
Token: SeCreatePagefilePrivilege	6124	WMIC.exe
Token: SeBackupPrivilege	6124	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe
3132	taskmgr.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
5960	mspaint.exe
5960	mspaint.exe
5960	mspaint.exe
5960	mspaint.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5680	test.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
4124	OpenWith.exe
668	mspaint.exe
668	mspaint.exe
668	mspaint.exe
668	mspaint.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe
5280	Venom RAT + HVNC + Stealer + Grabber.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3260	2240	msedge.exe	83
PID 2240 wrote to memory of 3260	2240	msedge.exe	83
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 1356	2240	msedge.exe	84
PID 2240 wrote to memory of 988	2240	msedge.exe	85
PID 2240 wrote to memory of 988	2240	msedge.exe	85
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86
PID 2240 wrote to memory of 3156	2240	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
984	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	test.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	test.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/tA2w62
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffdc4d146f8,0x7ffdc4d14708,0x7ffdc4d14718
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2768
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff700035460,0x7ff700035470,0x7ff700035480
    3⤵
    PID:476
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2072 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3672 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=220 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4232683671622297908,14174784479971052874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
  2⤵
  PID:5784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5716

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\JoinFormat.jpeg"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:6048

C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\start.exe
"C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\start.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5024
- C:\Windows\system32\attrib.exe
  attrib +h +s "C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\start.exe"
  2⤵
  - Views/modifies file attributes
  PID:984

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3132

C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5280
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Information\Information.txt
  2⤵
  PID:2872

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5240

C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\test.exe
"C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\test.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "test" /tr '"C:\Users\Admin\AppData\Local\Temp\test.exe"' & exit
  2⤵
  PID:1528
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "test" /tr '"C:\Users\Admin\AppData\Local\Temp\test.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9E56.tmp.bat""
  2⤵
  PID:1312
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2296
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Sets desktop wallpaper using registry
    - Checks processor information in registry
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:5680
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3172
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4916
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3892
    - - C:\Windows\system32\findstr.exe
        
        findstr All
        5⤵
        
        PID:1988
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:5392
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:6044
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6128
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe"
      4⤵
      PID:5616
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:5368
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:984
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        Suspicious use of AdjustPrivilegeToken
        
        PID:6012
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:4860
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:5580
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:1012
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:448
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:1068
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:6040
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:2468
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:2488
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:6072
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:2060
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:1888
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:1908
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6124
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:8
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:64
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:1872
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:2476
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5108
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:2484
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2280
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.baidu.com/
      4⤵
      PID:5400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffdc4d146f8,0x7ffdc4d14708,0x7ffdc4d14718
        5⤵
        
        PID:5036

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4248
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Information\Information.txt
  2⤵
  PID:4052

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Information\Information.txt
1⤵
PID:480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4124
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\credit.json
  2⤵
  PID:5676

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\passwords.json
1⤵
PID:4216

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\cookies.txt
1⤵
PID:3308

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\cookies.json
1⤵
PID:5068

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\bookmark.json
1⤵
PID:5784

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\history.json
1⤵
PID:5980

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\note.json
1⤵
PID:5068

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\Logs.txt
1⤵
PID:2972

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\Directories\Startup.txt
1⤵
PID:3064

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\Desktop.jpg"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:3148

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\Info.txt
1⤵
PID:4600

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\Process.txt
1⤵
PID:3932

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\ProductKey.txt
1⤵
PID:4724

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\Windows.txt
1⤵
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\test.exe.log

Filesize
1KB

MD5
b08c36ce99a5ed11891ef6fc6d8647e9

SHA1
db95af417857221948eb1882e60f98ab2914bf1d

SHA256
cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

SHA512
07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8978379b8b4dac705f196c82cddb401

SHA1
873169c69e4aaa8c3e1da1c95f3fc6b005f63112

SHA256
83528bc9af5e037e40f14bece26788301e4555a6164b31e6010d93d7d18f0afa

SHA512
2d73194d03ea51d4154ee9556950dee1e666720c4b53fe671cf2e7647889d480c2941757d6b9b4c60a29a6799478450136f4847b0bec5d4b6aa630d9ca856308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c8c74ab5c035388c9f8ca42d04225ed8

SHA1
1bb47394d88b472e3f163c39261a20b7a4aa3dc0

SHA256
ea821d15371cdfef9f4c01c71fbe39f9db7bfd61e6a83e09b14886c5756cd9d9

SHA512
88922af80d561b3cf10963160d245044554f9011e4aec4fd40c740b06e5e87e9bc16ed309e296f549d9244b6cc93f627d6dd010eb2d325b38cbb1d43d8b95157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5658ff31d231b00e0c37dc560602b600

SHA1
7372c6eb5d8425372172fde6f9aa7b601415024d

SHA256
e5c7112d6fc42f3e052c399056d0da7345325e8f4690baf3a22c019874afdea1

SHA512
c1b65e8be6e8964baa6bff259322db9f11951f9f1e0099ce3f8344fea36aeb6c19c5b40ee0d864f083a09db3cd47dbe76a1c0904be1cc290d5a1914194b413f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
298db1cfae68ac563f463825a0b2eee1

SHA1
52a1e3f64efc008cbd86eb6963233c8774b53e71

SHA256
44ed1ace955803c17e1140faa3e843c7a8198c710d181700ae51cc005342e820

SHA512
655ce1ba6a6d2c540b2935bc597a44b73c2ce5b7fa9cfd91a42095793939f5b4dbb95a6e9e05ef45328c2665c6805132ec7d1451c5afd9f7146914f148d089d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b4cd9e2bda993e5e33a5b28cff1f8ecb

SHA1
c97a0595416270b3cdd19cd6dcb6f4a1e111ec85

SHA256
99e0eae8936b286c3810fc36dd01224b2eef26f513c661269c19d776b5674cb2

SHA512
f52e4485660cbe49fb5b27d6a9c11679724e0af8a6b76db48871166088943331f6592a86ea72b8c08b758995209421d434c7a88eeb553254cd126d80554a9e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
7071df57d9e4d47a0c6dd9732c4a7b3c

SHA1
091c091388f2edd377c3fc08af160699270a4b9d

SHA256
c1b39023f1a97695a2a99a8b0ac638d07b6a2d5f6b642aa1dd02a17aa321d6dc

SHA512
a19d7c5764bc946feab8f1c1a0998d8a05d766688c2d56b4fb2215a17884aab6d4e4a0d90a7aa92457c4bf7511a412014ce0d3cb6721ac2694945f68c2c9739a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
1311b2e81593e7bf6804113cdd6b253c

SHA1
0bb7180fc5d630408eb54b3d0982975bc73585a0

SHA256
c288c0854a16d7b532d3e92d1136c14a7c72d6f786e745a31c81c9d1e7ef604c

SHA512
a8e6e094f25e595fa9fe810be2002a04b9a5027ad040d2504cd424ff51b4fa56348e625abb1d9b0ca399871169d9a7a674ea5f4a06f4111596f75a8555dfdf07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
7430c8c64775385d61141fed47068e4a

SHA1
94c148301704ba0d28bac145d0c9c60c41134be9

SHA256
d1cc04fd1fe202b49a02cf12a54fd002506a23164c3d8304d2e31a669143333f

SHA512
67d44aaf355792847408bf62db26583c72bd630b166b4003240b4e307aee14d3f9390e0648eb604547ba332d1da731d7805ef5ace1676152c9b9f4057cb26cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
4475da96de4f3da9dcf88b98c63197f6

SHA1
46ac57ed196f774eb3fbc4694e344831e71c450c

SHA256
3d8e56c7172644b0aa2def55907d30d5789a7e7496d5f5b81ef915e3b9bff1f8

SHA512
7429c27b18ba089141ddce13237b8d4fedd8f98bf7782d631bd16878d9797fdcc4116db8ceee604135d52f20ca2b308d7bb33a701966d81edc197c4416869052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
398B

MD5
054568993cd4c4fcedbf559589abc4db

SHA1
82366ba4a4c8c3c16a3c50ad6686fbcbb4b2df63

SHA256
c042126132833156891ef94b0fc5f9ae53fab59f6a91caccab8d0df5ab4185df

SHA512
5bdfb9f85ee4d6157c6d5531197b404b2e15d0a7a005b9eacc914ab61326ea0d385b65a26117c6738cbb5b9bbaf63521e78eec9d07ec36b1b2fe6f19a5a135a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
550B

MD5
5467b3bd9714d71768c6c24aab01f75e

SHA1
8a4cd70a5ac92da848d8fb2870c6e60c4851fa38

SHA256
38494e1d7a705f74ea4a62bcfc8ab4712e1f8920705f4978e2c0dd765e3f410d

SHA512
e924da3a67dfb487233b903c91d71400cbebda5ca6a45dd76eaf86e39681ed696598d792e23148d01708f02bb7bf104173385771b4a2066b09f0eb624746d84d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
550B

MD5
14e44147f751a8e6f90bc422407aee54

SHA1
e4225a2f22564afd79c14266f9f08efed2f4eeb4

SHA256
02fa5c5e95a7a9a7b0c0eb9aacc9b20f595aeb0bfa14efefcd89859e0c6de2c2

SHA512
2e3ead8d63746487d91114dc241434a489494f0737473834d052f2a165f20a16b07af44eb783677cf88091d05e4906543f1ab4b066ec0e100570faf5650135d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
624B

MD5
495e237d12c30bb2b898e0111e1d380a

SHA1
93a11dd3cc5e0251a686b8aaa9803a8f113bc577

SHA256
a71a8e138bb791422ef63f860638120fd0dced7f4bbf80d9a81f92e3bc9daf8b

SHA512
2463d2484c83836231f0e16a781abbab571c5e1f27c6bcb57b458add4938ea41459529cb84e0eacd7ab792379ce12360ce459ff86cd994168e649161286df461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5883a2.TMP

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
794ba0eb1f106871767b83f6445cb30e

SHA1
25f06d0b3ddae7369eeab3bf75f4e2adef3a4389

SHA256
def1d279fb14b8295bf57fc15127b8cbeb044989c95ee97af534358ca1841eed

SHA512
fe6990fe4f86814d528bea01bdc53b8b158b9064c213b7fc774e5737378b7e6163d150e0808833696f6b727fb833b800ba2e40c6c1f658f065f846ebd83dad74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
53cd366978dce282a85c9224d57f9f6c

SHA1
7013c32b66b4910ff2ca77e11298774a313d0cb0

SHA256
e67cee86dccb8368f2b6abc36f93ef631927150cbd66528955f146f035dc1b64

SHA512
eac7b2fd45b65dd77a4d18a2ace6cc58ca32401d4ab551248564ae4384593e0b972bb66e308d318ed854fc42c2bc007cfa726f4db8c4da578ff5200bd6b5ec79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1e3d54c9fbc45baae14fdd178f6b459e

SHA1
07ee34d0cd33bcdb152bd1b84995cf08a3d8e7ee

SHA256
1f8e84c63da449dd8ad7555b3afa51acca45a03975d383fcff22a5adcfd7e464

SHA512
7b3c5051323d863dff05afa02c84e84a0bbba3f3758d21304c9e51e7ed5dd3ed12e831e8c2e37b162c46065d997736d0f554fd9f0f3a3ad2353b8b92d627afdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1b972ffcaa4a0fd4c37b0fa2bc0fe002

SHA1
dcf66a960fdf29c27916d09b3242ef2eeca52077

SHA256
fda0a59c2f0a25c84165671842765e61f04cf7b7035417410b6325232c8444e5

SHA512
5e5a3443d1c23ba17005c3018c451589a03741971ab14725cc8ed18591ebc5eb0d4035eae904d625c52bb56a299f9159966363f75e1c36b51188085eec078507

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea6212d1ed30a2b3780ad2c37776592c

SHA1
2500e9ba90945b93d4d24a737ae995cca2186626

SHA256
c8177cf4c97f2df45fe50903bc48642ea139c9efda64ab00aff0f6b5235bf0e5

SHA512
530802d266d94563420572db5a79e48ddaeaf1ebe47e7b071dbd3a9b5e6297448d9cfef663fdf8c866a3d8b6b752d5c08b83e6ad6b8084cc2e27fb81c87e6460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9fc36cd33149bd1ff6805d9dbf4d16c8

SHA1
a79a77f755b5f8ada35985dca61048a5d80435aa

SHA256
44b86ecc2cb44faa6b1b00dc8338fa0eb3da94f61b571000fc361ef48831a5d4

SHA512
f2b58462260d2d91e481c59246f4155c0f685c464f18926ff04dededf8edc5f9c381ceeec222ea910dc550d96d2ac83b2865d04ab62db020d6a0d18238faf3b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
55182d891d98ec9d988cec04bac8752d

SHA1
e18a06e1498ff69c1c2697df7e195cf922a92e01

SHA256
08dc082566b36f693f93e341a5eb4e93a95d5bfed35b952f5ddcf4a5d51e963d

SHA512
35b9bf0c05da26bcebb4e259deca27c84e28521aff5a27af8205624581d1b0a7da6350ee7de0a2329c9cbc1d8cf205c1487638196232cbe794aaa91b0d86d0f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
671cfbd0275770e681ef4ede37140969

SHA1
ac145dd046e86ab6aff6340664c509c4fd5f1746

SHA256
dfafdb318c177ff96d9b85ed518f229398c3f5161f0ca48ff427516292b9d823

SHA512
d76a8d3a91d1e5e84b35cfa815736c1d0bd7252381f4e540a8d7102385224167b995f698559c95fa18ed3a50e14a58fb0a96bcedb57d4770df50f98c6d331faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
536B

MD5
7ecd4418c269604439eeb57243f53623

SHA1
44cf0b46ed81644ebe408667f8345fea3197e4e5

SHA256
40ce359e49bb1cd55add0ecea190449246c16ad945645e6211610778f110b0b9

SHA512
129ec333b595aae2e49c94faec73205bc209c6746dbe690cac906c10ed30e398c1bcb8d2934d0af914df9042d2faf96082a1291bb5f00b8068c71459e9810ad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
420d8bcce9629442351025b26c5e687f

SHA1
258546fc22aa28b40878743c248eaf4d422d292f

SHA256
db3a7799ed58200dcaa03bc7838c2a3b9e796432263f3049d76a6486c5719de7

SHA512
a4eb4804fba4186b109bb4e3054845632370e377ae7959fb2c15fd92d599eb3da72042cd19c92a8c3d898f75afa84efcb42d4959c2caa0cc85eaf40163e761a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5ca4e2.TMP

Filesize
370B

MD5
b437e8c9120d23fc862c032f94d6f549

SHA1
73d80a2906306e3775806eb82293e50f281bb913

SHA256
d7cc9eefbedd528a7827522b70c71e07b4c0b2e7a446ff5fa25f976736e308bc

SHA512
3966afe4af512110ea5b197cc067fd1cc469f34bc43a39d3e5ab8eca3da015b14dd467008f3ab4a507ff51907827faffbdebe6a3f1266bdd073fb6e246341730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8687a9b7637234fe8e8c4b9e49b1c884

SHA1
55bb16382c9783a23353b255a5194294c0fb5ef8

SHA256
6e304d40a497103de61a4484a6deeb7792a5a1da3b67559f39032813eba8a74b

SHA512
faa43e9579b3f94417492f46afb2fdefeba9932a67c9b8398ad8b794a95a2b306a55df6c77d0c13e0937a8115d537d5a7cc746e1d11348e1a3de4640cab64586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
93dda07ada2e2804ebc78ea6a1b0faa0

SHA1
5f6b45f915e8b828393d20cea17e3f435eaa7a07

SHA256
c39d4c1ba03921d69fff4235524dba76dcddbe920eed007ae87f3d3dd65e00ba

SHA512
59ce9ee28f2e59dfd9613db095fea16dda83060f962db3c3c542106a5a15a08595607699eb2ed4685863925171598d14d0cdb8cfc0887b321e868155806f9541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7c6a234f53e535eb37f2ea865c11bb31

SHA1
e7c1b2588857542af1a1faf776744ebca460332e

SHA256
0774360dd26cb75d1e19dc1022d3ae7aef244b0f63dfe58cda7e8b6e4f5fe16f

SHA512
8a8e8d5113a80947342189a48f386ae23aaa2ba3e8ecab2c1c61961feff6644973e5a6babb9970a78b29e726e55bb09790df65d8d42a1001c13d1c1092fff7d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3fde8f364700e828171cafbb46376504

SHA1
a9d2958ca25d3ae8aa205b4ed53f5870a3a1564a

SHA256
ea8e695faf19030aef2e39dc72712652965c6a4c08548ff522e1ba7aeb7f22a2

SHA512
27bdea7390a43e529ac0707a2f7338d328df26a436bc4fb840d2e8188f40b956ff1afc59a3b49ab3a1ac1dc90ff35c38dd28b6ac996d859cc845174406c2f97f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
12986ba51b8e3f800be6bb1bd01fc27e

SHA1
4668cabc2dcee66923cbc415cc8e8eb5fbed17af

SHA256
6e66292432d0006f5594ff39c28b323d19882f3d10292032cf470ac33e897d94

SHA512
259f69afd23b2358dad66d52275ef7d70876855ff6a5479c2fff6c4ee3fb4128868ba8f060485ac56c333ccc0c2844a3b88110356b65f17ea9d5a1a656ec7606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8af82e869d4aa3b6580a7c45d0582897

SHA1
53b3be7e5474cf6dcc62c05a8f29e43603cd43dc

SHA256
83cb4fe225b61833e07ace48540ae0923ea123f423d5f50716e9fff68a0f65f3

SHA512
4fd8d8817b24f3b644191f57f58b4770b0cf2b3c1ae65b64a63a43519af24f46b08de245d917b6da14701495c016464234dcc4973ecc5b823590a46fad0b347b

Download Submit
C:\Users\Admin\AppData\Local\Server\Venom_RAT_+_HVNC_+_Steale_Url_qkamrgd2yxc3i0qepbewoqwa2m5juegt\6.0.3.1\user.config

Filesize
1KB

MD5
3fb8d2a2cd510948957ef43af5de1a6a

SHA1
165c56b69c45db04546436b8cfcd21bf543fe1e3

SHA256
095a2b7ce003847ea27f3eb98eca1c5bf9098c194c137c550bed549fe8d46306

SHA512
ddf025953f0487612cab831866ce03285aa810a406d0a92d4491a2d26c7eaba2c4108c230309732a7ab6184c1578419164afe2fdc8e0179d8584bfbc7e75f1c6

Download Submit
C:\Users\Admin\AppData\Local\Server\Venom_RAT_+_HVNC_+_Steale_Url_qkamrgd2yxc3i0qepbewoqwa2m5juegt\6.0.3.1\user.config

Filesize
1KB

MD5
ec49b7f5618d420d4c61a527d52c2638

SHA1
4c627db09339ea9d8266671a866140c5c9377c89

SHA256
1e5fc255b1d6ff6b9fcb242f9aade5db7d5ce869a7bad4a216cf92c90f239def

SHA512
d33bbc0e55aa55a52b12a476d570bc2f2bb649313d416d94cd7bf73c0e76bdbf016b8cecf2eb3aaafb490e36238a8bec3e41e88201b65d032daaed757ddabd6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F0.tmp.jpg

Filesize
75KB

MD5
87a406b6106e2a4f755e3e9abaaecce2

SHA1
d7ec0998eb634005cd06e6867c329eac54cf6a54

SHA256
01f2eb82661ecc604933b50c2ec32509e046827838d36681d8acc370c613f874

SHA512
515c2c6638aa2816bed7a0e3b918291f24fba71aedbe6a95ae94dd026a3b07c56bcb75d185a729e25092dc25bcf65b59ab72905918c93ea4cb7e02356254efef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E56.tmp.bat

Filesize
151B

MD5
e2d229f9c25e9864b8b52c15ed5f509f

SHA1
812aa9d061802debbe3537a9122aebdb77307606

SHA256
c59ccce4656a403ac8d3594ba9145a79829a8930b57dc03a7384fdb9cee2b6ce

SHA512
0821f53555e412b4db2213528f9101a5a0529a345e75bf083c65a08060aa88800cf549a11f26a8b011c245d8c7bf905c2264c7af3fb8218a7365f4a63fc4a441

Download Submit
C:\Users\Admin\AppData\Local\a95380a9447964ce995429575eb9bb50\Admin@XCESBOXL_en-US\System\Process.txt

Filesize
3KB

MD5
4167d4c82a25f33d106a58931642a1f0

SHA1
018a2ec5f83961e6339f5a3b1f82ca54a7892b7a

SHA256
0ddd28af80ae32c066a4e4293b208034d4ffda3ed4bdb26b191b8d2dd5be3ba3

SHA512
84edf216912a1dfd9b5604304b220a0580fdb9fc0acb5e770051e5e014a32ddfff30a8ff515cdb4011ba22d8ec2e05d0f4e550847174e02a5a4aa41ad9e7a8a5

Download Submit
C:\Users\Admin\AppData\Local\a95380a9447964ce995429575eb9bb50\Admin@XCESBOXL_en-US\System\Process.txt

Filesize
4KB

MD5
3482a6c178e1ed8f9b19a9ce3fd81a7e

SHA1
36dd3282838a8af1b3ecd8aa4c0ff67ba337cabe

SHA256
19b14b8577578f2b4977bdcad2c3ed8e1df3cfe50f2419a00ca702988f1c34c0

SHA512
abbf0dc595dfc632b13196734994c5ca3b3f3f2f9352dde6307ccff7f9dc7abf661ae4af924e34ce069994343d356de1d2c7e8a093087ce1bba8f8263efadca9

Download Submit
C:\Users\Admin\AppData\Local\a95380a9447964ce995429575eb9bb50\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
2.4MB

MD5
2496987fd4fc45d433c09a693aaeb026

SHA1
dc867340fb1c9f89ac2950c7f9aa00f0d84abda4

SHA256
cbb1e17f6ae868bf08b45c087e615c2975f4006f1ff640455f9121e87b613a29

SHA512
3b6195c546221b3977e039ba04528ac9d4f80159f4183858b6c08c80c44caba115574c178615e7922f8acf179349bd67338c6c01ea7f7f4cb731d63ff5e97dec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
619d1a5b8145f478afa02e9c87100fa8

SHA1
06f5a44648e3724b17301858c487468e36080044

SHA256
f69507a941e3fea99a8471459b8a51298e209f7cc09c6339aa8bd55f8fd3b1c8

SHA512
956e4f4920318f31ca53e00a69428b89f523326ced50c9d096b295be2f59020abbde10bcf0cdcf972b73ad4e294111e2818320d58339e023ef006dec3205beb6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7b851f67db36e9c9e23ad0d67338d73f

SHA1
0ecb8ebf408345db81ce9b032dc4785a6d6179a8

SHA256
6214bc451235d6a75242abbb618d9397b7fc60a0027a934487233db3c4edcaf5

SHA512
2943f5a70f7e054bd78d9ccc7057d01f7d42683595d2c0b40668aa43b14c6075b6956c3a9505df6a1204def8cd108af11f8381e2cc0d529b7d4ab7ae7d471ac0

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Information\Information.txt

Filesize
114KB

MD5
58403d43b085e6c52a65931d19549fc0

SHA1
5e7a26676b64d3db0e2ee33e297be764eb63f1fe

SHA256
5db478f5ef308be46428b6a0b5f53c2e20d63373e408093be87456292f5cfa22

SHA512
5613098a8f7f922d3dffe65f3c1bd54030db94bc5da0f195a3b31234874c164a4bf4b74abacf3cf7ceae6463d3f42537f72d37a47a7106e54c64ae3793aac2aa

Download Submit
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\bookmark.json

Filesize
423B

MD5
fbd64865e019a143be04de4653ec2680

SHA1
170f5780f52b0a2986cb5b58062829e3c7ed57ac

SHA256
38cb7b8cc2acdce5809b6b4bc6017f68061bb5377b3c367ebbc3285eb8b29d67

SHA512
1e5477416600a9bb8ce0ca50ba9ffd187f80d467a6e924cd32bfe551d5e0edb2551548d70ac469600bfcb36d5261b15ff95d8b92effe44ae6aecd3d3076f9ccb

Download Submit
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\cookies.json

Filesize
296B

MD5
75b0b4253ac6db455f6556725967de17

SHA1
20d9328300529d0246f8b85a8c134d5519e3865c

SHA256
46168e4a3c5a9381b13bff164a0f6a9c76deb1bf34906605ec0eddf8a473472c

SHA512
747132693380e8efb75e43b112f48f52f06fd942eb27ded30f6f261e37b20e2e7264555ceeded34e589cb69ecb64df3844476b8581ff80dc171c8bcef050daed

Download Submit
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\cookies.txt

Filesize
29B

MD5
1725e34c44df1bdbfe33cb8e298378e7

SHA1
cf661945996c517a113e301ec61c664c98753d3f

SHA256
175b8f4812f635e502bb8dbd7ed7b476ad915046fd8f7619ae41b4ce92dfffd1

SHA512
f6e0c45cf2b69bdc16d2b830ea2950977548ecebdfc0c978a541358f794cc3a861b80038e4de0b7e9fac80687a7a74d0d31b8793d4894fd0ba82872f430da668

Download Submit
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\credit.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\history.json

Filesize
293B

MD5
4fdae945fdab864aac47bb70d3e812eb

SHA1
f812b9ff18cb66612cc7f160066029e710ae106c

SHA256
d70bf56b829ff83b98b5c24bb7945722793992f0c295efe83ea86a621ea5c777

SHA512
eff1faa5cb759bf77d90dd743361d61d91ee69169367eee4c7c6e7ab542c04b71ab4652b2b92bb563ea58a0512462bb4ccc8a33144600dd122fde9f082a921cf

Download Submit
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\passwords.json

Filesize
819B

MD5
941925eb7f3ffe2e62237361b0a6051e

SHA1
b6f340569eddb1f9bf0d0a4fc4e8007c8c2029b5

SHA256
d536ddb4b0bee534a568c3af9a793a7c2d4df21f83ccbca8d681f1b2a31040e5

SHA512
2291bb32fbff1403ea9b823220a0c8068be190c1a2a7171b38e1524809df90b86360d4d6d5c7a93a88072c555c5edc7a5099483d8ce896cc36e0199e17e25116

Download Submit
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\Logs.txt

Filesize
1KB

MD5
f48c99ba89237dd8120d5588e74f152f

SHA1
4a9c3eaaa319e69655a74c7219d65a28ec888411

SHA256
37ebb066dd839c75dc47c7b227a851e524b226040e6ef8f3417ae360d2bac0f1

SHA512
b00c35aa39fc73b49835dd6da5696127d2fbb5b6a3d86198fada089282ad68284e962a01ecbc91a8ff891a000b09e744077a7c96f9bdfcf08aceebf60effa357

Download Submit
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\note.json

Filesize
903B

MD5
c833ba9d108a38b960210c03a1ae9a31

SHA1
44fc6d21813167e90f911051c70b6d48a3f4e586

SHA256
49613cb38e57bec06f68f1484df3cb4d00c6e393b2534aec3dc618ef9996f01f

SHA512
9f91bfcded99a54e6d954572f482f1dec279d3b1a837fadd2fab0a0e6adfda602f5922dd87540a1bd5e39d84bfa4d457c1c00c3eadffd0c2d7fe2980ac7c6315

Download Submit
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\test.exe

Filesize
74KB

MD5
36df32309c26a3966186fd43ece3bdab

SHA1
4cc2b206fbf74cb03bfae7f30e544fffb7571c0e

SHA256
df692221fee36a01b0c8dfdf0bbdc3310e76acdd354bb733447f11a6e02ee74b

SHA512
5e8eef00bf3c80763206a77aee888d6377dbbc69d68476bd8a824f12eba209a7cce726229a24a8d3ee2e717a8bb40abb2a9b02391566f76db502dc7d73a3f32c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
7KB

MD5
bf62b258326bda5ed7a21b57020216a6

SHA1
109cb462adb3a4343ee3c2d6716ad2520c51579a

SHA256
acda53173d38abcc98906890a7d28eef9767745ab1ccd442dbb9ba105a2624f3

SHA512
5ee894a3c4f8a6e78c64cf3e6ba4445d6e8875184c21dcd7a24772ec57fa05294705d48fb2a562f4b9c5979f421bbdfbef220b9bff40b81bc9607b412b6c9db9

Download Submit
memory/3132-339-0x000001F3D2380000-0x000001F3D2381000-memory.dmp

Filesize
4KB

Download
memory/3132-329-0x000001F3D2380000-0x000001F3D2381000-memory.dmp

Filesize
4KB

Download
memory/3132-328-0x000001F3D2380000-0x000001F3D2381000-memory.dmp

Filesize
4KB

Download
memory/3132-340-0x000001F3D2380000-0x000001F3D2381000-memory.dmp

Filesize
4KB

Download
memory/3132-338-0x000001F3D2380000-0x000001F3D2381000-memory.dmp

Filesize
4KB

Download
memory/3132-337-0x000001F3D2380000-0x000001F3D2381000-memory.dmp

Filesize
4KB

Download
memory/3132-335-0x000001F3D2380000-0x000001F3D2381000-memory.dmp

Filesize
4KB

Download
memory/3132-336-0x000001F3D2380000-0x000001F3D2381000-memory.dmp

Filesize
4KB

Download
memory/3132-334-0x000001F3D2380000-0x000001F3D2381000-memory.dmp

Filesize
4KB

Download
memory/3132-330-0x000001F3D2380000-0x000001F3D2381000-memory.dmp

Filesize
4KB

Download
memory/4420-424-0x0000000000500000-0x0000000000518000-memory.dmp

Filesize
96KB

Download
memory/5024-327-0x0000000000560000-0x000000000149C000-memory.dmp

Filesize
15.2MB

Download
memory/5024-326-0x0000000000560000-0x000000000149C000-memory.dmp

Filesize
15.2MB

Download
memory/5280-353-0x000001AF54580000-0x000001AF54792000-memory.dmp

Filesize
2.1MB

Download
memory/5280-343-0x000001AF50EE0000-0x000001AF522E4000-memory.dmp

Filesize
20.0MB

Download
memory/5280-361-0x000001AF59770000-0x000001AF59894000-memory.dmp

Filesize
1.1MB

Download
memory/5280-351-0x000001AF54F20000-0x000001AF553A4000-memory.dmp

Filesize
4.5MB

Download
memory/5280-357-0x000001AF50E30000-0x000001AF50E3A000-memory.dmp

Filesize
40KB

Download
memory/5280-350-0x000001AF541E0000-0x000001AF5457C000-memory.dmp

Filesize
3.6MB

Download
memory/5280-349-0x000001AF54880000-0x000001AF54F12000-memory.dmp

Filesize
6.6MB

Download
memory/5280-348-0x000001AF53A20000-0x000001AF541DE000-memory.dmp

Filesize
7.7MB

Download
memory/5280-346-0x000001AF505F0000-0x000001AF506C8000-memory.dmp

Filesize
864KB

Download
memory/5280-463-0x000001AF525B0000-0x000001AF52662000-memory.dmp

Filesize
712KB

Download
memory/5280-464-0x000001AF524F0000-0x000001AF52512000-memory.dmp

Filesize
136KB

Download
memory/5280-354-0x000001AF52880000-0x000001AF5292A000-memory.dmp

Filesize
680KB

Download
memory/5280-347-0x000001AF4FCE0000-0x000001AF4FD30000-memory.dmp

Filesize
320KB

Download
memory/5280-345-0x000001AF4FD30000-0x000001AF4FF82000-memory.dmp

Filesize
2.3MB

Download
memory/5280-344-0x000001AF4FFF0000-0x000001AF50502000-memory.dmp

Filesize
5.1MB

Download
memory/5280-352-0x000001AF4FC50000-0x000001AF4FC70000-memory.dmp

Filesize
128KB

Download
memory/5280-342-0x000001AF34610000-0x000001AF35444000-memory.dmp

Filesize
14.2MB

Download
memory/5680-576-0x000000001C3B0000-0x000000001C42A000-memory.dmp

Filesize
488KB

Download
memory/5680-619-0x000000001CC90000-0x000000001CD14000-memory.dmp

Filesize
528KB

Download
memory/5680-648-0x000000001C480000-0x000000001C490000-memory.dmp

Filesize
64KB

Download
memory/5680-469-0x0000000002420000-0x000000000242A000-memory.dmp

Filesize
40KB

Download
memory/5680-468-0x000000001C9F0000-0x000000001CA0E000-memory.dmp

Filesize
120KB

Download
memory/5680-467-0x000000001CAF0000-0x000000001CC24000-memory.dmp

Filesize
1.2MB

Download
memory/5680-466-0x000000001CA70000-0x000000001CAE6000-memory.dmp

Filesize
472KB

Download
memory/5680-647-0x000000001C470000-0x000000001C47E000-memory.dmp

Filesize
56KB

Download
memory/5680-646-0x000000001C460000-0x000000001C46C000-memory.dmp

Filesize
48KB

Download
memory/5680-633-0x000000001DC00000-0x000000001DD22000-memory.dmp

Filesize
1.1MB

Download
memory/5680-757-0x000000001CA50000-0x000000001CA5E000-memory.dmp

Filesize
56KB

Download
memory/5680-620-0x000000001C450000-0x000000001C45C000-memory.dmp

Filesize
48KB

Download