Resubmissions
23-12-2024 22:49
241223-2rzp2strcr 1023-12-2024 20:50
241223-zmqv8s1kcx 123-12-2024 00:33
241223-awp8masnbx 1022-12-2024 22:33
241222-2gks5s1ndn 1022-12-2024 02:35
241222-c24pbazpfq 10Analysis
-
max time kernel
810s -
max time network
794s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2024 22:49
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://gofile.io/d/tA2w62
Resource
win10v2004-20241007-en
Errors
General
-
Target
https://gofile.io/d/tA2w62
Malware Config
Extracted
skuld
https://discord.com/api/webhooks/1314414095461777419/8hYVVlssdJOsLuwWhq5QQqRTlg-3pzMhiKB5tYVl8wS1FN6rDNu-iZ34u_-J5bahL4e7
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
127.0.0.1:4449
seoxswihfmeawbbqo
-
delay
1
-
install
true
-
install_file
file.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Skuld family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral1/memory/1132-284-0x000000001E370000-0x000000001E492000-memory.dmp family_stormkitty -
Stormkitty family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral1/files/0x0007000000023d9f-238.dat family_asyncrat -
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 1252 netsh.exe 3536 netsh.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation file.exe -
Executes dropped EXE 2 IoCs
pid Process 4320 file.exe 1132 file.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 file.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 file.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 file.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe" start.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: file.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 108 discord.com 107 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 97 icanhazip.com 101 ip-api.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
pid Process 3220 ARP.EXE -
Drops file in System32 directory 11 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 6068 tasklist.exe -
resource yara_rule behavioral1/memory/3788-185-0x0000000000D40000-0x0000000001C7C000-memory.dmp upx behavioral1/memory/3788-186-0x0000000000D40000-0x0000000001C7C000-memory.dmp upx behavioral1/files/0x000a000000023d95-268.dat upx -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4044 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 4068 cmd.exe 2592 netsh.exe -
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
pid Process 4496 NETSTAT.EXE -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier file.exe -
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.
pid Process 5760 WMIC.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3440 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid Process 4496 NETSTAT.EXE 6096 ipconfig.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 2960 systeminfo.exe -
Modifies registry class 60 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.json OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\json_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.json\ = "json_auto_file" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings mspaint.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\1 Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\1\0\0\MRUListEx = ffffffff Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\1\0\0 Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings mspaint.exe Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\1 = 8000310000000000975958b6100056454e4f4d527e312e33285f0000640009000400efbe975958b6975958b62e00000062e70100000004000000000000000000000000000000a9fed900560065006e006f006d005200410054002000760036002e0030002e003300200028002b0053004f005500520043004500290000001c000000 Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\1\0 = 8000310000000000975958b6100056454e4f4d527e312e33285f0000640009000400efbe975958b6975958b62e00000002270200000003000000000000000000000000000000a9fed900560065006e006f006d005200410054002000760036002e0030002e003300200028002b0053004f005500520043004500290000001c000000 Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\1\MRUListEx = 00000000ffffffff Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\1\0 Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\1\0\MRUListEx = 00000000ffffffff Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\鰀䆟縀䆁 OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\鰀䆟縀䆁\ = "json_auto_file" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\json_auto_file\shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\json_auto_file\shell\edit\command OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\json_auto_file OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\json_auto_file\shell\edit OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\json_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Venom RAT + HVNC + Stealer + Grabber.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\1\0\0\NodeSlot = "6" Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\json_auto_file\shell\open OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\json_auto_file\shell\open\command OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 0100000000000000ffffffff Venom RAT + HVNC + Stealer + Grabber.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Venom RAT + HVNC + Stealer + Grabber.exe Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\1\0\0 = 7e0031000000000097595ab6100056454e4f4d527e312e3328530000620009000400efbe975958b697595ab62e000000933c020000000c0000000000000000000000000000002cf0be00560065006e006f006d005200410054002000760036002e0030002e0033002000280053004f005500520043004500290000001c000000 Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Venom RAT + HVNC + Stealer + Grabber.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" Venom RAT + HVNC + Stealer + Grabber.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings explorer.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2876 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2504 msedge.exe 2504 msedge.exe 4924 msedge.exe 4924 msedge.exe 4068 identity_helper.exe 4068 identity_helper.exe 4984 msedge.exe 4984 msedge.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 2256 msedge.exe 2256 msedge.exe 2256 msedge.exe 2256 msedge.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 4320 file.exe 1132 file.exe 1132 file.exe 1132 file.exe -
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid Process 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3560 OpenWith.exe 5628 OpenWith.exe 1132 file.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3788 start.exe Token: SeDebugPrivilege 3192 Venom RAT + HVNC + Stealer + Grabber.exe Token: SeDebugPrivilege 4320 file.exe Token: SeDebugPrivilege 1132 file.exe Token: SeDebugPrivilege 4916 taskmgr.exe Token: SeSystemProfilePrivilege 4916 taskmgr.exe Token: SeCreateGlobalPrivilege 4916 taskmgr.exe Token: 33 4916 taskmgr.exe Token: SeIncBasePriorityPrivilege 4916 taskmgr.exe Token: SeIncreaseQuotaPrivilege 5760 WMIC.exe Token: SeSecurityPrivilege 5760 WMIC.exe Token: SeTakeOwnershipPrivilege 5760 WMIC.exe Token: SeLoadDriverPrivilege 5760 WMIC.exe Token: SeSystemProfilePrivilege 5760 WMIC.exe Token: SeSystemtimePrivilege 5760 WMIC.exe Token: SeProfSingleProcessPrivilege 5760 WMIC.exe Token: SeIncBasePriorityPrivilege 5760 WMIC.exe Token: SeCreatePagefilePrivilege 5760 WMIC.exe Token: SeBackupPrivilege 5760 WMIC.exe Token: SeRestorePrivilege 5760 WMIC.exe Token: SeShutdownPrivilege 5760 WMIC.exe Token: SeDebugPrivilege 5760 WMIC.exe Token: SeSystemEnvironmentPrivilege 5760 WMIC.exe Token: SeRemoteShutdownPrivilege 5760 WMIC.exe Token: SeUndockPrivilege 5760 WMIC.exe Token: SeManageVolumePrivilege 5760 WMIC.exe Token: 33 5760 WMIC.exe Token: 34 5760 WMIC.exe Token: 35 5760 WMIC.exe Token: 36 5760 WMIC.exe Token: SeIncreaseQuotaPrivilege 5760 WMIC.exe Token: SeSecurityPrivilege 5760 WMIC.exe Token: SeTakeOwnershipPrivilege 5760 WMIC.exe Token: SeLoadDriverPrivilege 5760 WMIC.exe Token: SeSystemProfilePrivilege 5760 WMIC.exe Token: SeSystemtimePrivilege 5760 WMIC.exe Token: SeProfSingleProcessPrivilege 5760 WMIC.exe Token: SeIncBasePriorityPrivilege 5760 WMIC.exe Token: SeCreatePagefilePrivilege 5760 WMIC.exe Token: SeBackupPrivilege 5760 WMIC.exe Token: SeRestorePrivilege 5760 WMIC.exe Token: SeShutdownPrivilege 5760 WMIC.exe Token: SeDebugPrivilege 5760 WMIC.exe Token: SeSystemEnvironmentPrivilege 5760 WMIC.exe Token: SeRemoteShutdownPrivilege 5760 WMIC.exe Token: SeUndockPrivilege 5760 WMIC.exe Token: SeManageVolumePrivilege 5760 WMIC.exe Token: 33 5760 WMIC.exe Token: 34 5760 WMIC.exe Token: 35 5760 WMIC.exe Token: 36 5760 WMIC.exe Token: SeIncreaseQuotaPrivilege 6036 WMIC.exe Token: SeSecurityPrivilege 6036 WMIC.exe Token: SeTakeOwnershipPrivilege 6036 WMIC.exe Token: SeLoadDriverPrivilege 6036 WMIC.exe Token: SeSystemProfilePrivilege 6036 WMIC.exe Token: SeSystemtimePrivilege 6036 WMIC.exe Token: SeProfSingleProcessPrivilege 6036 WMIC.exe Token: SeIncBasePriorityPrivilege 6036 WMIC.exe Token: SeCreatePagefilePrivilege 6036 WMIC.exe Token: SeBackupPrivilege 6036 WMIC.exe Token: SeRestorePrivilege 6036 WMIC.exe Token: SeShutdownPrivilege 6036 WMIC.exe Token: SeDebugPrivilege 6036 WMIC.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4916 taskmgr.exe -
Suspicious use of SendNotifyMessage 61 IoCs
pid Process 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe 4916 taskmgr.exe -
Suspicious use of SetWindowsHookEx 27 IoCs
pid Process 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 1132 file.exe 3192 Venom RAT + HVNC + Stealer + Grabber.exe 6084 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 3560 OpenWith.exe 2900 mspaint.exe 5628 OpenWith.exe 5776 mspaint.exe 2476 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4924 wrote to memory of 1544 4924 msedge.exe 83 PID 4924 wrote to memory of 1544 4924 msedge.exe 83 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2864 4924 msedge.exe 84 PID 4924 wrote to memory of 2504 4924 msedge.exe 85 PID 4924 wrote to memory of 2504 4924 msedge.exe 85 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 PID 4924 wrote to memory of 4384 4924 msedge.exe 86 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 5020 attrib.exe -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 file.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 file.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/tA2w621⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffe1fe846f8,0x7ffe1fe84708,0x7ffe1fe847182⤵PID:1544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:22⤵PID:2864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:82⤵PID:4384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵PID:2028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵PID:2408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:12⤵PID:1412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:12⤵PID:3924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:82⤵PID:4960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:12⤵PID:2752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:12⤵PID:2092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:12⤵PID:1952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:12⤵PID:3036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:12⤵PID:2836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5724 /prefetch:82⤵PID:776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:12⤵PID:3676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,8406001655680781509,15706781997748288973,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2256
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2876
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2884
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3092
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\start.exe"C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\start.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3788 -
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\start.exe"2⤵
- Views/modifies file attributes
PID:5020
-
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3192 -
C:\Windows\explorer.exe"C:\Windows\explorer.exe" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Information\Information.txt2⤵PID:4504
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\2024-12-23 22-55-37 offline_keylog.log2⤵PID:1452
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:2932
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\file.exe"C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\file.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "file" /tr '"C:\Users\Admin\AppData\Roaming\file.exe"' & exit2⤵PID:4720
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "file" /tr '"C:\Users\Admin\AppData\Roaming\file.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
PID:2876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD8A3.tmp.bat""2⤵PID:2368
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:3440
-
-
C:\Users\Admin\AppData\Roaming\file.exe"C:\Users\Admin\AppData\Roaming\file.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1132 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4068 -
C:\Windows\system32\chcp.comchcp 650015⤵PID:4828
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2592
-
-
C:\Windows\system32\findstr.exefindstr All5⤵PID:2340
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid4⤵PID:4396
-
C:\Windows\system32\chcp.comchcp 650015⤵PID:4824
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid5⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1072
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe"4⤵PID:4320
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
PID:2960
-
-
C:\Windows\system32\HOSTNAME.EXEhostname5⤵PID:5744
-
-
C:\Windows\System32\Wbem\WMIC.exewmic logicaldisk get caption,description,providername5⤵
- Collects information from the system
- Suspicious use of AdjustPrivilegeToken
PID:5760
-
-
C:\Windows\system32\net.exenet user5⤵PID:5792
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user6⤵PID:5808
-
-
-
C:\Windows\system32\query.exequery user5⤵PID:5832
-
C:\Windows\system32\quser.exe"C:\Windows\system32\quser.exe"6⤵PID:5856
-
-
-
C:\Windows\system32\net.exenet localgroup5⤵PID:5888
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup6⤵PID:5908
-
-
-
C:\Windows\system32\net.exenet localgroup administrators5⤵PID:5924
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators6⤵PID:5940
-
-
-
C:\Windows\system32\net.exenet user guest5⤵PID:5960
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user guest6⤵PID:5976
-
-
-
C:\Windows\system32\net.exenet user administrator5⤵PID:5996
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator6⤵PID:6016
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic startup get caption,command5⤵
- Suspicious use of AdjustPrivilegeToken
PID:6036
-
-
C:\Windows\system32\tasklist.exetasklist /svc5⤵
- Enumerates processes with tasklist
PID:6068
-
-
C:\Windows\system32\ipconfig.exeipconfig /all5⤵
- Gathers network information
PID:6096
-
-
C:\Windows\system32\ROUTE.EXEroute print5⤵PID:6128
-
-
C:\Windows\system32\ARP.EXEarp -a5⤵
- Network Service Discovery
PID:3220
-
-
C:\Windows\system32\NETSTAT.EXEnetstat -ano5⤵
- System Network Connections Discovery
- Gathers network information
PID:4496
-
-
C:\Windows\system32\sc.exesc query type= service state= all5⤵
- Launches sc.exe
PID:4044
-
-
C:\Windows\system32\netsh.exenetsh firewall show state5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1252
-
-
C:\Windows\system32\netsh.exenetsh firewall show config5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3536
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd"4⤵PID:2876
-
C:\Windows\system32\whoami.exewhoami5⤵PID:5876
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:5240
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:5932
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:1348
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:4768
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:3820
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:1512
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:4908
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6140
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:3512
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:2512
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:436
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:3928
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:3736
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:2248
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:2956
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:3812
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:2456
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:5180
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:5028
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:5520
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:1452
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:5332
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:4512
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:1972
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:804
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:4336
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:2312
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:2284
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:2240
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:380
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:3644
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:4136
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:3040
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:4788
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:5648
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:404
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:2296
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:3220
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:5212
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:5724
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:3636
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:692
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:3624
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:5868
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6192
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6236
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6292
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6332
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6392
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6432
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6500
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6540
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6580
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6620
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6692
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6740
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6780
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6828
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6852
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6908
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6968
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7028
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7076
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7128
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6220
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:316
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:4520
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:4852
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:1932
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6564
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6596
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6084
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7188
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7228
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7284
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7332
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7384
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7432
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7488
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7528
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7580
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7612
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7668
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7708
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7772
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7824
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7876
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7920
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7968
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8032
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8080
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8112
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8172
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7096
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:6440
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7836
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8208
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8240
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8288
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8336
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8400
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8440
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8480
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8532
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8584
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8624
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8680
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8712
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8772
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8832
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8868
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8912
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8976
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9012
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9068
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9124
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9160
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9212
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7596
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9084
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9264
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9308
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9372
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9408
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9456
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9508
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9568
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9608
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9668
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9712
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9760
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9812
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9864
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9912
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9948
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10008
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10040
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10096
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10144
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10208
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9284
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9584
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10244
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10296
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10344
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10388
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10444
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10492
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10532
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10576
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10632
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10696
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10736
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10780
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10840
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10884
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10932
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10968
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:11016
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:11060
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:11108
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:11160
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:11208
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:11240
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10644
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7944
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8472
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9140
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9732
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9472
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:1776
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:11072
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:10716
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:11040
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8888
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:11292
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:11344
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:11388
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4916
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
PID:4956 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Information\Information.txt2⤵PID:4536
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x494 0x4501⤵PID:1672
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6084
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3560 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\cookies.json2⤵PID:3184
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\history.json1⤵PID:5420
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\autofill.json1⤵PID:2172
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\bookmark.json1⤵PID:2964
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Information\Information.txt1⤵PID:1676
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\Logs.txt1⤵PID:4892
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\Desktop.jpg" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2900
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
PID:5368
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5628
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\Desktop.jpg" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5776
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:2476
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\Process.txt1⤵PID:5032
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\ProductKey.txt1⤵PID:4112
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\System\Windows.txt1⤵PID:2036
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\VenomSteal\Directories\Desktop.txt1⤵PID:2468
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
2Permission Groups Discovery
1Local Groups
1Process Discovery
1Query Registry
7System Information Discovery
8System Network Configuration Discovery
1Wi-Fi Discovery
1System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
152B
MD50a9dc42e4013fc47438e96d24beb8eff
SHA1806ab26d7eae031a58484188a7eb1adab06457fc
SHA25658d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
SHA512868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f
-
Filesize
152B
MD561cef8e38cd95bf003f5fdd1dc37dae1
SHA111f2f79ecb349344c143eea9a0fed41891a3467f
SHA256ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
SHA5126fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d
-
Filesize
638KB
MD537967b09f68b517683b0d06251fc6d5a
SHA15283278a05e010788b58499b6bb7044452191b86
SHA2562c8759183ef9ab339378354de83afded17cdc919a7faf3066a05e02594fe2d57
SHA5121616ac935a178596377371a8bf113a75b8720f08e731b0f8dadacb4f77c752d818f7408355cbf60d6b4258e78fc390adff481431fe2a2efcebeb9fbd709b972f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize144B
MD5ec48640ffbe921a1fb375f29881cea81
SHA12c4745eb4c04cc335f9c601289e08b48ee3ab7d5
SHA256603d617a08c6dcb7f1a8435a2e6e0add5f4a69f122ad62be6b3212f3adf40e2b
SHA5120b5cf698a0a47fd7cd264543f2f107a539fe36cfc829d30a660e3e903b859f561029f36138447fec854ab7915d692a515d64ea42f11fa91234b86b6e76c3df65
-
Filesize
20KB
MD5e82ad74f2a649d01c1e6518188cc526e
SHA1acfb853f8008fb9f9145194b70c7f15bbc96f833
SHA256e3fef578b0e1923582f9b392c55ad61467cd2c51cdd035cfa767cc65fdd207f2
SHA51226aa2a27125e83bf645792ee3705e973d4bb40fd0bd80ec6e03c8b141b3c3967ba6fd17eb3da28cc0d9601bafdc60c99c14bb149eeeada1b6121e82e09b53f54
-
Filesize
124KB
MD588c6dec20b93f6882b0a190e5e45e576
SHA141177c5400715f232454ab99f64fb18fefc1741a
SHA2562c9f9e0d9d09dc628c0bdf7cb635c4cf9a1cb0ae7a89490fa7019834df9deaa0
SHA512dbfd899016f711d076e43bf856133c9bbb1deeece53b9ad300555bd38da9c3ed81603ba8203dacce11b4e6f7b88d985b755b0d0d2ef16a1f0f256726058bde5b
-
Filesize
937B
MD582ffcd83ea4d1003f58e351e557c0db2
SHA167ed0420478fb410156b1b0928359c0c5bcf98d0
SHA256edf0aca70f85cc876d6474e0643ff759ddae5c6dbf675f670e66b01435bc135d
SHA5125d7191e4b84d531a9dbb0111ca56bfcd24fa97facd2fdb6ae493bcb8050eb079f21494efcfbbb6eda86f1d5a0b0458f29ef04441a8139a659bced9077f9f56de
-
Filesize
1KB
MD59c9cd5a56084680fc21347035ded2f7f
SHA1a53022cdca58590cd172c2db5da9bff8d3941c44
SHA256ed0f6901d7df3b6125f45712cb045050080200741175dc8b7690a661a6cc134a
SHA51218bdb6a9cc294672557aa752b38b68c6bfa17428c71a407903f66938ca1ee0d6a298dcf9bf5a079d5e607cae939b67f1d2130233031c3921588c9fc9b997b4f0
-
Filesize
1KB
MD56d40610d867f5fe9b1530447d501cb20
SHA13387771b9842f962418c40e0a90af4904dec970d
SHA256b1cf1d29ee2339fa0191d127919ca22c316433924e580705d8402c2de95625a6
SHA5127563def77a7cebda7eee1b33630ca15bde7f884df419ff9e30d0f34c82053e08cf24e639149876f8b1b00f1b35398a45a24f2d6af12dddc4003da20922ff3d49
-
Filesize
1KB
MD52672ca8c28275f5cce4b72a30db087a5
SHA1c3ccdca3c7565ce97f03a39fe086b39e1eb85226
SHA256c2c09e1bb1520caf34457500cab3df3226e6f1705b06dfed275502b4d015d466
SHA5123e779561fd171e554a0521d38a4f52446485b9d13ff522abebb16081de54400ba66dbb2541125a3ce87651080aca24c62c90c1bcba7e07ccb0260d1f839faff6
-
Filesize
5KB
MD58d3c890d8d1eae95352acf70ff357c1d
SHA1e8d28a24a596d445db5441bf6491f1aad6333e1f
SHA2568b9aa6c5cbd955bb867e82c4eb4e16307828d3a4703d4dd275d2bac955a98050
SHA512edb87e61d642849f96fe284ddf6e79714d819ee5cbc1f1a955b443b355797bd30fa92d10bca4aa5af3d4ebb5f0aaee65e33589e2fce06084aa7188f1f88a1ca0
-
Filesize
6KB
MD506e127981d74af25b374778c1f440c5d
SHA18d29c0bf3e5d70efaf45469af9ddf75d0eb48e2a
SHA2561cf890d738043bb2bdf10a267859bc57e5104a3981ec0c169b28b803a0e41b3a
SHA512f91cd46fae175c26dd88e21b9c28d9ceb586fbc84584264bea8ad590434716a7d408d763f6192d02c115eb8a660eb8b51ab141211c25bf083301c7aab794f2ce
-
Filesize
6KB
MD56dc49f885fda6858ad4a779fa44907f4
SHA124bdab44dbae8931dd70532326f7251a9f5ae481
SHA25605413702a65448deefde10a35f3b12a28466966748a713921fba65dd973bbc94
SHA5126963280b1a899a348fd95e9149396279a318bb38e6eb34880bd0c0eda9b1d98843b8044363b572d18d7722bc246df03950f23b10d50554fed2ae4d2f299e56d0
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD558cef30b88ce0218e692d58223a98abd
SHA173005654419f8c18e32fa7aaee1521a9c314dd88
SHA256e5d26aef8def340768219bd3cd42b9ca7dc5a1ed0983934435f00bdf5960f701
SHA5125c2cc941d54a7c473aa5fef9f5ce6bcaeec20e02f635093f34bf949aafe7de753f5faafa6a8c6c8971347cbc309529a1c87f9f64bdea31ffcb1f9bc2f84acef4
-
Filesize
10KB
MD52468668a6d69c5560b8f073bf7d4f3e3
SHA1014f5b85e7134cce18f8f1338eb656cd0d2e0931
SHA256549a663f082e0ab55a7859d1f765eff6947d6f4171a28b7e5229fc333ec88231
SHA512457d5b685f8829aa68586a092bca7116615faee8636aec37cdbb05c3f9055843d1cd6d8860225c243d691186beed2f661842aa5e3af16ecfa3d0b6ec6f58a023
-
C:\Users\Admin\AppData\Local\Server\Venom_RAT_+_HVNC_+_Steale_Url_qkamrgd2yxc3i0qepbewoqwa2m5juegt\6.0.3.1\user.config
Filesize1KB
MD53fb8d2a2cd510948957ef43af5de1a6a
SHA1165c56b69c45db04546436b8cfcd21bf543fe1e3
SHA256095a2b7ce003847ea27f3eb98eca1c5bf9098c194c137c550bed549fe8d46306
SHA512ddf025953f0487612cab831866ce03285aa810a406d0a92d4491a2d26c7eaba2c4108c230309732a7ab6184c1578419164afe2fdc8e0179d8584bfbc7e75f1c6
-
C:\Users\Admin\AppData\Local\Server\Venom_RAT_+_HVNC_+_Steale_Url_qkamrgd2yxc3i0qepbewoqwa2m5juegt\6.0.3.1\user.config
Filesize1KB
MD5ec49b7f5618d420d4c61a527d52c2638
SHA14c627db09339ea9d8266671a866140c5c9377c89
SHA2561e5fc255b1d6ff6b9fcb242f9aade5db7d5ce869a7bad4a216cf92c90f239def
SHA512d33bbc0e55aa55a52b12a476d570bc2f2bb649313d416d94cd7bf73c0e76bdbf016b8cecf2eb3aaafb490e36238a8bec3e41e88201b65d032daaed757ddabd6c
-
Filesize
114KB
MD52ba42ee03f1c6909ca8a6575bd08257a
SHA188b18450a4d9cc88e5f27c8d11c0323f475d1ae6
SHA256a14fb57193e6930fa9e410d9c55dfe98e3ae5e69b22356e621edc73683a581bd
SHA512a1f32c22f0d78cba95c04c432e2a58ea47fb34942e70bfdceffcc2ac1e91b87a3da2cd9f93793427ee09a623c7da700e1c16977d41a44286317e8fc20502f035
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
148B
MD5d40580ebecdc9b0dab484e8cc4822e8c
SHA188c249606ad0848b592836ce2c01778e3a6f8e4a
SHA2560a9b4e62671832dfb1bc2eefceb01a2fb081b1bd292bb61ce7c249d5206f0cb1
SHA512a8104e2bd288fc67b1de1fc815ee213d06d31c598e6f3a5f12ac86d64ad2dbf9e6e7440e5b165bdf0e4c4567e64b2c2855e7735f56f6157aea552943c5e6af68
-
C:\Users\Admin\AppData\Local\c917b216abaf569d685c45bec60a2182\Admin@ZTSLLRFH_en-US\System\Process.txt
Filesize2KB
MD5989af0815d6f331a59f46577501a2f79
SHA1784a3b600d0472fb6ab0b98440afcae208d3db71
SHA2567e6599a651f5bd2859a797e00344411203539312f45cd3810985cf2ce9bfcffe
SHA512c0ef8a617bfeac2005e4865f4bac3281dfe57068714dc2b7505f3a5065ee3dc2a633cbb8173ba3e2b711679bbeb2d2aa99c933643ae17ea88013529f317f37ab
-
C:\Users\Admin\AppData\Local\c917b216abaf569d685c45bec60a2182\Admin@ZTSLLRFH_en-US\System\Process.txt
Filesize4KB
MD5d43354ed590de98f6dfc7b8e713e38de
SHA16868491b44a71ad4fe0b2970df1660dd6c6d05d1
SHA256241cb3a59061feee59a952cc0e3a0769bec8e79912b7c4c326552b11627decdd
SHA512c11f23c7954379f638f3e59fcf052e1760092d8cc51a4e5eaeaa16e52a0b4d1a654205bb1fb92c9e508f70f47d3b40d3819aa98b0cb3e6bcb937ccfc6c1d59b1
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
7.5MB
MD52e62e776b7eeac3dd713f1a6da5f942d
SHA16516d9ef1212939a12a84a396b3c64ecea878c11
SHA25668b1696d3c76eedc131349ecd65a23372082feb83bb66d9d9be296916910e7ea
SHA51204c73c5505e56fd21f1a25c085c99a1c1cc19cbac8004ce3e974e05f9754c5d07051fdfa53f5a0f0b8a89c16412757b1a29cf487c552212531bcac42ead849bb
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\2024-12-23 22-55-37 offline_keylog.log
Filesize119B
MD5737da3e79c7f8248e92ee7a4c77ba84f
SHA1107a09f911748c6adfaf0c278edba155da34b4f8
SHA256277b06e4f46dbbabb56dbe3eca94bc754b8681d0eaf2dbfd6523ee102d083ffe
SHA51255c57e48e77b60eb6685f831a4a43aacd045e1f526753eb151ccc2281717a431b749d948f1e206245075b77aa6f0e2b110d0728032117ca7fb31b20184a89cba
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Information\Information.txt
Filesize113KB
MD57e5a4ef6fc1c01f6d5642547ac9d4011
SHA18b1829ecce3c125d32eb6b9341a246a24b9dd3d7
SHA256af02bcf8c4c8c18933aed214cf19f05f0deb664f3a526db9d0ae0db8f408866e
SHA512b5a5dcfa9fa82c1c47a889c74c6683f1adccadb0bc9b9214df85b740c8cbfc5803d54253960ab58630ccea4d5d12961e564ba80d0947c9d0be28aa1c1760018d
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\autofill.json
Filesize2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\bookmark.json
Filesize423B
MD5fbd64865e019a143be04de4653ec2680
SHA1170f5780f52b0a2986cb5b58062829e3c7ed57ac
SHA25638cb7b8cc2acdce5809b6b4bc6017f68061bb5377b3c367ebbc3285eb8b29d67
SHA5121e5477416600a9bb8ce0ca50ba9ffd187f80d467a6e924cd32bfe551d5e0edb2551548d70ac469600bfcb36d5261b15ff95d8b92effe44ae6aecd3d3076f9ccb
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\cookies.json
Filesize808B
MD56656b6d6c9f6943e82c588fa4d916917
SHA1ef0d270c0b026f6d1a09da0e40c877f6b85dde06
SHA256966b38990322446e2de91c0124256d7e46976c0b0a713a8c2a0cab9b37776e29
SHA512061d5d8c49233b12284e54762f1379d9e98a1ccac75cf1e17690b215687abada4bcab333ad77ad094bd68d64257d7d78d4a0b21e57cb56fd3aa6c8d914cff03b
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\cookies.txt
Filesize288B
MD5f5811e1291958e804f9646d5626fd115
SHA10aca252ec4e9830ae5a45a6a067f5b62552d280b
SHA256067c68dbeac784e8cf35f2b4ccb9f5efc0aedc4973fe354924738650d837a6c0
SHA512e3c71d400ff80f25d08520cc93d121e67d8a4a202acd4bf30bf9a5ff2807364fa217655fd870e6c875939c2dc723966a4b80178e66b12501aa3b33f05805b476
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\history.json
Filesize150B
MD56a5a7c28ab70e192f919a7f9c2d9c52c
SHA135152c2ebaafa5e536c3d481cd671fe9304237d6
SHA256eb576ab73b61681a3c9b31f96613ec04ba7bd041a1cf7098502414c55853c2e9
SHA512f04fd1a4d631d8ba8851f42ff22853483228738a735080b249a560de07a0686f3b1d4858c012be8ee532f292781cc21e4047afb5c896a60cb1631ad4daa82a86
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\Recovery\passwords.json
Filesize819B
MD5941925eb7f3ffe2e62237361b0a6051e
SHA1b6f340569eddb1f9bf0d0a4fc4e8007c8c2029b5
SHA256d536ddb4b0bee534a568c3af9a793a7c2d4df21f83ccbca8d681f1b2a31040e5
SHA5122291bb32fbff1403ea9b823220a0c8068be190c1a2a7171b38e1524809df90b86360d4d6d5c7a93a88072c555c5edc7a5099483d8ce896cc36e0199e17e25116
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\VenomStealer\Logs.txt
Filesize1KB
MD5b6a9362dbc7c6158d96cc189b80fbf47
SHA1b094a803982376b0c1f590d1b56c2e43d055c2db
SHA256535e85677b13ab18293bfda320d9f90cb9af7ccea0d3428809d8bd758fd7ec7d
SHA512a82f8675a813c28875bd1bbfb157fb8c04d186104d387d8a9d11f2a59f74b6d7acd50f45726616321e31333017903f534083e526de1fdeaae1489629ef27f083
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\ClientsFolder\127.0.0.1\note.json
Filesize874B
MD565fc515d45fe9e5f09d26d4c6749edd9
SHA123d84c9356bc6fb106015e704ecd4d73419ede7c
SHA2569bc6b8d3b283fe65acd6d19f4ea9acbf7b49d47ed60f13677d83fcb35334b5a4
SHA5126ddb5c30edd8d05f1bd88006527466491909b9cf108d5a2102e56c35fd2ce0da0bb1fed910e47de72453ff6de042636f46fecaa6d4b40624b6a9e535b7c34ed5
-
C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\file.exe
Filesize74KB
MD5a52f75568b673c35bc538103de1cf02c
SHA1e107dcf0fa6958af3a8e51b22f8707447790c5ca
SHA2563908752121ec62607e2775ae9a28410a25bd3682a6a62deab57def51822589df
SHA512a354640c422a69dd8cb7201cf5373b5311468dead6b709d1f03c27a008f71e70a58d14252da4e730839e2fcf1694a15bffd649cac6b599a7d707095bfd600c31