hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

30-01-2025 16:48

250130-vbellsxja1 10

30-01-2025 02:38

30-01-2025 02:32

30-01-2025 02:25

30-01-2025 02:21

30-01-2025 02:17

30-01-2025 02:13

Analysis

max time kernel
112s
max time network
112s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-01-2025 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

8^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
31	1116	msedge.exe

Executes dropped EXE 2 IoCs

pid	Process
1736	VanToM-Rat.bat
4180	Server.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\VanToM-Rat.bat"	VanToM-Rat.bat
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe"	Server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com
14	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 482074.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VanToM-Rat.bat:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:SmartScreen:$DATA	VanToM-Rat.bat
File created	C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:Zone.Identifier:$DATA	VanToM-Rat.bat

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1116	msedge.exe
1116	msedge.exe
4748	msedge.exe
4748	msedge.exe
3452	identity_helper.exe
3452	identity_helper.exe
3808	msedge.exe
3808	msedge.exe
2736	msedge.exe
2736	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
1736	VanToM-Rat.bat
4180	Server.exe
4748	msedge.exe
4748	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1736	VanToM-Rat.bat
4180	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 864	4748	msedge.exe	78
PID 4748 wrote to memory of 864	4748	msedge.exe	78
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 4796	4748	msedge.exe	79
PID 4748 wrote to memory of 1116	4748	msedge.exe	80
PID 4748 wrote to memory of 1116	4748	msedge.exe	80
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81
PID 4748 wrote to memory of 4520	4748	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3db23cb8,0x7ffc3db23cc8,0x7ffc3db23cd8
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,17973972852604328041,16697334814052366526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
  2⤵
  PID:4528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3708

C:\Users\Admin\Downloads\VanToM-Rat.bat
"C:\Users\Admin\Downloads\VanToM-Rat.bat"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1736
- C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
  "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7145ec3fa29a4f2df900d1418974538

SHA1
1368d579635ba1a53d7af0ed89bf0b001f149f9d

SHA256
efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

SHA512
5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d91478312beae099b8ed57e547611ba2

SHA1
4b927559aedbde267a6193e3e480fb18e75c43d7

SHA256
df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

SHA512
4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
672aa9998500f389512f35df5df9b6d6

SHA1
68ae93e92ca112b77f60ba182cb905cea97c48cb

SHA256
4a5cb34bd3b36d88434962a7a0d0763391fc0c87a965b0a6d81e0f3b59ddcd69

SHA512
d3bf445fc755312b8a20bdf579642723d7cfdaabd0cae3557d5db6fabf5504488de4cb9d89faea7263e22639a9783871b08ae3dd2e61227e9a51b12aa2758e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2048f9cad61027a6d506eeb6c961f426

SHA1
ff511f77cce67b81ab9f93cb2a7961a6523dd8f0

SHA256
e6c9b748dbf2a897ec6894263942ecd7f1a0afcc60558062e4cb12266fbe42dd

SHA512
ee069b0fd3375e5bc0fe9a43822f8d619b969bc696cc6613ee9ee0c817fb57dc81b2c27472a034a666052d84a769dce14b9012a189c5c490c07220302a9ec061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
649B

MD5
21e796395035d40fe46813a8b1478b34

SHA1
edcb07c41ca0aade09f9563e57e2f49e98b39cec

SHA256
11a416570141e1645676bb111ba4aeced1256e7e5d60876a6f862579f067d16d

SHA512
ef18986c801f0ff727c554038b65843e2323d896e5eec2ad1bf5866684b5c5dcb82cc5c2e4f8d8316112a3ea2b5cf43cffa5ff0abd43851b41865255944bc9b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b4b606713564c273c7cc8d6935bb0532

SHA1
23e2f5db06299976e8694238dc14890f3741f3e5

SHA256
00b3ae2a039971e9f05942b7302f60b3d1fa264f10c90c64231bb7013a308ab6

SHA512
f4525632f9a731f09a448e75f21f7f4f5f80428120ea736dafa4842f2ed5eb1afc94d2a33296a76fd3b00afdf271e828a0c8be1e232a415066fa059530636bb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b173e05edede955fe8cc8afb38c2e519

SHA1
82978faa350fadec35f6b6583018c2b83563b327

SHA256
b9c4812407862b350c1099fa3a0ed2f0dfcd3854e560d13cdffa8aa692224476

SHA512
7ecbe719ce7482490ab60e2253853c56d75b8344dc08f49ec16d13a306985c2d9094beece82f1c526be71c7b6b26415f2e9a74ec28460408d5ea32e99173b27c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4d116e1e0e51d8d5f021efaead25264e

SHA1
8dc16434b03b75cd16514695843abb4d22c960df

SHA256
1f7be97560228fb78257c5e3c03231dab273dd4582d0b91fd6eb0d236ec9f579

SHA512
a6ad214e4c196734d0044479a34ccd202b12ae88916bea0a070021c378e65676e1b035e37f3bb43115d976a4828dc0968c2271af66489d2a03ce14d93df007a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
365723e0b1f57a890bbf8dc5f81f6bff

SHA1
d9ea143036a93eee601f58e62c1fc3712fb2a9ba

SHA256
d8bbea66f006d0e86adb1a10ad52d5953dc53faf4c4d23972bfd432346021da6

SHA512
083cbdc7b125dcf6ce23e95a0c3009b4b0933ad6ea22d72a28dd5a73fc16fb6cb0eeafd6e4cef80764ef8169a3e19e7beb84a0544c91b2619bd26aee9f14d51b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
040d24c7a6d30e8ee50162b22fdcaaee

SHA1
0b24c574da5655c55a304df9e82b9c6dc84bdacb

SHA256
6659d104c2b0102f918c0fe26c870abb7671b816579a56b4ac12ee6023adfe3e

SHA512
5caad1026e5f7df3b2b46560dfbf1748e1efa5982a7a8d042bdecc1337b90b03e92b689c8853ec52a0a6dbd19b2e3126606c443df9c7b822a4cf08a57e7254d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5919a8.TMP

Filesize
48B

MD5
4839425add05bee8e1993066fbb0cff5

SHA1
cc3af6c1152b4673ec41b3020a15ded112538f02

SHA256
0d1020fd9c96c470634f6d57e96f77cb07c325039a615712788f9cf754992f44

SHA512
9a90ee198749ff52efedb6b227e8cfd32c836c2ba295aebefcc988cccf140befb63a677b8225641f815b89d3bae797723f6c9deb303975775e6191031494645b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
971787c41309f8c061791acdec1e1c34

SHA1
3ba4cd1cabf279ec2a3e26b08c5671f1b9d251d6

SHA256
dd93b9f960c73aad152b2efebadd054ecf11d58a4bf2167978a3ad3b7d63669b

SHA512
180d7add359e5f0089a32bee69c5ae9d06ca1015857706de3c6bbac67db48e0f8b50c3571cc8495c3671deb39e876ea95299609eb8eabe4f27153af21a4fdead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e2753cfffb14ed3463bcdb2737752f5b

SHA1
62865eb88cd4015edd4d3992718575650c1762c2

SHA256
fdfa10b00aec9f5ae10caebd9a0bc19f23f5ad67b9d771d55080763229bdab00

SHA512
d0528da72aa386dd2388d832293ab44dfbf522187d99fdc03f8a82289843a8e392c1a732421de32d7da64a848711b6794ba2bb279a143f5b0ad19b8af1b5f1ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
13d5964f92998fcd9d4be1e6420c4483

SHA1
53b2165cbcba532ba683a77fb0011681e32ed419

SHA256
1fe727b9bd0a8111afc68b3173a76b0e1fe1be3233ef3d7941834e88395482fe

SHA512
987c3942679464aa5b19b58ed71bbf00c3808c2c671e956aa02af0eaaaf7a8b1cadeadf98d497785f523032c3fb220d22305c649c07dec2f0ff80a9f7479cbec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581bc0.TMP

Filesize
874B

MD5
e4b6c90dea8ef982de4d7dec2c78398f

SHA1
5d97c148083e3e520c19f421a32168b85eca18b4

SHA256
d492b187ddceeb28676344287cb7646e81af05ee6ca03b600d0979a6c2276c20

SHA512
68e46aad09877ce3c123b0ffe008670b52094a0b7e38c469898535382d65dc2425b58b7430c1ddc0048e611e75009256e475a3e518321944c4c7f20613a3c419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7cc567575b31569cdb87e711bc818334

SHA1
2236833cc42d7503f9d4a56a79a6a8e62269bf54

SHA256
353227c765cd96e6f7daa5917bc4a11646b0a24abad8121620b56a6e7c0851fb

SHA512
09746e709db93b526763ba2d5f821234c8898d55b43355e4927eacffa66da85a7ea39a07f05d6db8e73a738a7ba938b0e29afc03d546a8c440ed6ac3e09092e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e6d9e79841657828fd24d02396e29312

SHA1
7f41516a05d10940dca513497759e2d9841535d0

SHA256
e22f50c00bca9548e4cf201ed383b276c1d9f52190b5d392d4a0b55a69f04b6f

SHA512
1dc4380fdd5a85197263cd632918bb08b063b731fc033b503f0cc7463206d92ac43a47e3a1b934d1f569ccc117290ecf216d27b6e6987d285df43ddadf93c96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
39B

MD5
7b3afea60421bbb95c700f49165bf550

SHA1
ba0e7a079884966f14c04789008a1b3ba2253d9e

SHA256
3f331c4de18b623e9ce3d32ad470bfdf8769642693b453e8d9af9b258ca28c7e

SHA512
c96097c961a643b99c2148f29df5338cce83042704cbfd55e9d4aef3f723b0a93d7fc893c3ec1ff031890e21f4912dd63f09391c944fe46f79d0fd7b46b8187d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 482074.crdownload

Filesize
183KB

MD5
3d4e3f149f3d0cdfe76bf8b235742c97

SHA1
0e0e34b5fd8c15547ca98027e49b1dcf37146d95

SHA256
b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

SHA512
8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

Download Submit
C:\Users\Admin\Downloads\VanToM-Rat.bat:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/1736-260-0x000000001EEC0000-0x000000001F1D0000-memory.dmp

Filesize
3.1MB

Download
memory/1736-259-0x000000001CD00000-0x000000001CD4C000-memory.dmp

Filesize
304KB

Download
memory/1736-258-0x0000000001930000-0x0000000001938000-memory.dmp

Filesize
32KB

Download
memory/1736-257-0x000000001CB10000-0x000000001CBAC000-memory.dmp

Filesize
624KB

Download
memory/1736-256-0x000000001C5A0000-0x000000001CA6E000-memory.dmp

Filesize
4.8MB

Download
memory/1736-255-0x000000001BF20000-0x000000001BFC6000-memory.dmp

Filesize
664KB

Download