asyncrat | hxxps://github[.]com/Litrik002/VenomRAT-v6[.]0[.]3-SOURCE-

Analysis

max time kernel
960s
max time network
964s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Litrik002/VenomRAT-v6.0.3-SOURCE-

Score

10^/10

asyncrat discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

127.0.0.1:4449

Mutex

xtyciqbmxupr

Attributes

delay
1
install
true
install_file
VenomRAT v6.0.3 (+SOURCE).exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
2008	msedge.exe
2008	msedge.exe
3176	identity_helper.exe
3176	identity_helper.exe
2268	msedge.exe
2268	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	528	Venom RAT + H.exe
Token: SeIncreaseQuotaPrivilege	528	Venom RAT + H.exe
Token: SeSecurityPrivilege	528	Venom RAT + H.exe
Token: SeTakeOwnershipPrivilege	528	Venom RAT + H.exe
Token: SeLoadDriverPrivilege	528	Venom RAT + H.exe
Token: SeSystemProfilePrivilege	528	Venom RAT + H.exe
Token: SeSystemtimePrivilege	528	Venom RAT + H.exe
Token: SeProfSingleProcessPrivilege	528	Venom RAT + H.exe
Token: SeIncBasePriorityPrivilege	528	Venom RAT + H.exe
Token: SeCreatePagefilePrivilege	528	Venom RAT + H.exe
Token: SeBackupPrivilege	528	Venom RAT + H.exe
Token: SeRestorePrivilege	528	Venom RAT + H.exe
Token: SeShutdownPrivilege	528	Venom RAT + H.exe
Token: SeDebugPrivilege	528	Venom RAT + H.exe
Token: SeSystemEnvironmentPrivilege	528	Venom RAT + H.exe
Token: SeRemoteShutdownPrivilege	528	Venom RAT + H.exe
Token: SeUndockPrivilege	528	Venom RAT + H.exe
Token: SeManageVolumePrivilege	528	Venom RAT + H.exe
Token: 33	528	Venom RAT + H.exe
Token: 34	528	Venom RAT + H.exe
Token: 35	528	Venom RAT + H.exe
Token: 36	528	Venom RAT + H.exe
Token: SeIncreaseQuotaPrivilege	528	Venom RAT + H.exe
Token: SeSecurityPrivilege	528	Venom RAT + H.exe
Token: SeTakeOwnershipPrivilege	528	Venom RAT + H.exe
Token: SeLoadDriverPrivilege	528	Venom RAT + H.exe
Token: SeSystemProfilePrivilege	528	Venom RAT + H.exe
Token: SeSystemtimePrivilege	528	Venom RAT + H.exe
Token: SeProfSingleProcessPrivilege	528	Venom RAT + H.exe
Token: SeIncBasePriorityPrivilege	528	Venom RAT + H.exe
Token: SeCreatePagefilePrivilege	528	Venom RAT + H.exe
Token: SeBackupPrivilege	528	Venom RAT + H.exe
Token: SeRestorePrivilege	528	Venom RAT + H.exe
Token: SeShutdownPrivilege	528	Venom RAT + H.exe
Token: SeDebugPrivilege	528	Venom RAT + H.exe
Token: SeSystemEnvironmentPrivilege	528	Venom RAT + H.exe
Token: SeRemoteShutdownPrivilege	528	Venom RAT + H.exe
Token: SeUndockPrivilege	528	Venom RAT + H.exe
Token: SeManageVolumePrivilege	528	Venom RAT + H.exe
Token: 33	528	Venom RAT + H.exe
Token: 34	528	Venom RAT + H.exe
Token: 35	528	Venom RAT + H.exe
Token: 36	528	Venom RAT + H.exe
Token: SeDebugPrivilege	1656	Venom RAT + H.exe
Token: SeIncreaseQuotaPrivilege	1656	Venom RAT + H.exe
Token: SeSecurityPrivilege	1656	Venom RAT + H.exe
Token: SeTakeOwnershipPrivilege	1656	Venom RAT + H.exe
Token: SeLoadDriverPrivilege	1656	Venom RAT + H.exe
Token: SeSystemProfilePrivilege	1656	Venom RAT + H.exe
Token: SeSystemtimePrivilege	1656	Venom RAT + H.exe
Token: SeProfSingleProcessPrivilege	1656	Venom RAT + H.exe
Token: SeIncBasePriorityPrivilege	1656	Venom RAT + H.exe
Token: SeCreatePagefilePrivilege	1656	Venom RAT + H.exe
Token: SeBackupPrivilege	1656	Venom RAT + H.exe
Token: SeRestorePrivilege	1656	Venom RAT + H.exe
Token: SeShutdownPrivilege	1656	Venom RAT + H.exe
Token: SeDebugPrivilege	1656	Venom RAT + H.exe
Token: SeSystemEnvironmentPrivilege	1656	Venom RAT + H.exe
Token: SeRemoteShutdownPrivilege	1656	Venom RAT + H.exe
Token: SeUndockPrivilege	1656	Venom RAT + H.exe
Token: SeManageVolumePrivilege	1656	Venom RAT + H.exe
Token: 33	1656	Venom RAT + H.exe
Token: 34	1656	Venom RAT + H.exe
Token: 35	1656	Venom RAT + H.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe
2008	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 3512	2008	msedge.exe	82
PID 2008 wrote to memory of 3512	2008	msedge.exe	82
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 2592	2008	msedge.exe	83
PID 2008 wrote to memory of 5008	2008	msedge.exe	84
PID 2008 wrote to memory of 5008	2008	msedge.exe	84
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85
PID 2008 wrote to memory of 4360	2008	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Litrik002/VenomRAT-v6.0.3-SOURCE-
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb48b546f8,0x7ffb48b54708,0x7ffb48b54718
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11062750715984861820,4300796720568025256,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4160 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3224

C:\Users\Admin\Downloads\VenomRAT-v6.0.3-SOURCE--main\VenomRAT-v6.0.3-SOURCE--main\Venom RAT + H.exe
"C:\Users\Admin\Downloads\VenomRAT-v6.0.3-SOURCE--main\VenomRAT-v6.0.3-SOURCE--main\Venom RAT + H.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Users\Admin\Downloads\VenomRAT-v6.0.3-SOURCE--main\VenomRAT-v6.0.3-SOURCE--main\Venom RAT + H.exe
"C:\Users\Admin\Downloads\VenomRAT-v6.0.3-SOURCE--main\VenomRAT-v6.0.3-SOURCE--main\Venom RAT + H.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d723afc7c0000dbf37d7f466fa1e90ac

SHA1
e94bf22d9b67a2bc3e0e4cdfe89c7447238146a6

SHA256
b3ba7a6741b1b0c2c575b9ff937680be1df4f65dd322b8434d207e82bd4bf66f

SHA512
8110167503b6b78e9d8dded48000ae184367832dd6dc0c552c6dc02659a76db2905ada53b4626d8f997de13be965bcb05d0f91cc6a645eb733f1947a159ed1ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
463f615865d92339eb68e23cb603e539

SHA1
1caff5854dcc2665be53c36fafe53602f39fbadb

SHA256
a71ea36b4801d34a72d4cf2e6697acb39eb69abbf866461cc64d84133710759f

SHA512
f77f957a18753ea34c90d48bc81ed4a6ff65a8c42036d2ebc622ea4e5bb7a4d76eb1e9e6367d765edba69e83c973dac2670a97cbee3f95d08259ef667cc8b5a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
38227d929951ad772f33b18088f91763

SHA1
d1133526c4123fe8a1b1db00bdd3b5780b57089e

SHA256
5ed101adb896c82a8b5e041bb5e29edcd0df3e55e35adf2958c1be2500d2f108

SHA512
75934d8e74b27a2a29eb49de7e5e9356424ce4dcd08fdeb651c5a615433fe9e8c1ff83338e4e4d0e282a7068777d36825eae3ddf5c64c63da4123aa221525a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d55f63be22bfe86eaa23fcf98798d238

SHA1
d11caf2af90264bcda4f9dd5582d2dfde4b0bbe4

SHA256
582f0862fe78a11ae2e9d84b131505df8beeca50163d2e6f2b901a5afec29717

SHA512
cffb31390488475c6a280e5c7a1689f6c1467caff79e42bbd4249dbc317aa361b512f27ca7e2f2e65747beae616fee4fa773b3508bc9ad364d51f124718e175c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ece7badaa40546f51f9d3912bf815582

SHA1
413d81ec1f24fc95e73242293b0a9bd930139f44

SHA256
5d4a1040733fe512dcb947e9627904bb47b6c4349a66bfaa15922eab98a27426

SHA512
26193b961813b842cb5a846da80277a32f7805798d6d25400d89420557f9877591456b1813e92cd43fa75730f90ad048d7b1abf2c2b33da3c65aa8d4fda37abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
912d990b71538d654d8a20099133cd5d

SHA1
93b810568de61a378d58965d4df7e0f99ce05a00

SHA256
ec1067f2d78cf84bb774c05c0670dbbb89ac14edeb92cd73155413700be07820

SHA512
b645ea06ef12fd152c35287feffea41a54f10632949971b328170aa63a26970110bdf41d56ccc1ed0cb56ca41ae3c0cd63ceeeea02cbad5100defbd6a02b5118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5817f8.TMP

Filesize
874B

MD5
6574b19feb116a472902870fb915e146

SHA1
646e798adc25158278f91beedafb18e05b3d33bf

SHA256
37570788abb381f85907ab799423314908592d5ea3d58f20eef6340d10690a42

SHA512
68b5fbf3dc9e1d73421a5a3b891b04406f5ffc40c0fa60db8d39e7ee086dd821e4f4568f81d83ede82844f5b67ff5c753bc4bc8963fca2959b8dd8a1f47d9494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c267721b91fd55dc43db5b3460e09056

SHA1
0dacfede5ce0bace5d4da808aebd0a8b57de935b

SHA256
0592b14cf9797782802a52a2161e42b6f1e12024bf3bd20a7cbd571f8686bcdf

SHA512
57d99e5292130e59c85e6886b71edba3ce23c696072a4e401ff7509c707e569b4ddcf4a70db9885174a928789eaddf047113750310212d3850151564940699dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
81656ae0bf174db50e3a502e3694e873

SHA1
0fc56fd0978122d7dc8ce703136557588fe11269

SHA256
967d4b6113b16417eec595c04543ba1fc067671f377be233b061bfeac41729a5

SHA512
f96f0cfd7c9a46751c95b71810754e473a09782769d0ef0560c78c79a57765247a8eaf2ec29028b7fe4c94701a1da2a30b63ab696630d1076b0d3e27b6ecdb79

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/528-292-0x0000000000FD0000-0x0000000000FEA000-memory.dmp

Filesize
104KB

Download