Create Interactive Tour

Windows Analysis Report
VenomRemote_Cracked.exe

Overview

General Information

Sample Name:	VenomRemote_Cracked.exe
Analysis ID:	697970
MD5:	83626a159e3399dc2bec680220ba8969
SHA1:	c8fb91953976291310ddc645e2b9275277c57ec2
SHA256:	0e59d8a36fc73b40178732c2e9dec9143ceb3dfd590547221dbce65983042141
Tags:	AsyncRATexeVenomRAT
Infos:

Detection

Quasar

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Quasar RAT

Yara detected Generic Downloader

.NET source code contains very large array initializations

Found strings related to Crypto-Mining

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Sample file is different than original file name gathered from version info

PE file contains strange resources

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Binary contains a suspicious time stamp

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

VenomRemote_Cracked.exe (PID: 5628 cmdline: "C:\Users\user\Desktop\VenomRemote_Cracked.exe" MD5: 83626A159E3399DC2BEC680220BA8969)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
VenomRemote_Cracked.exe	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0xcf2dff:$name: ConfuserEx 0xd730db:$name: ConfuserEx 0xd9d645:$name: ConfuserEx 0xd9d792:$name: ConfuserEx 0x1c79f7e:$name: ConfuserEx 0x1c79fde:$name: ConfuserEx 0x1c7a045:$name: ConfuserEx 0x2610ad3:$name: ConfuserEx 0x2610b42:$name: ConfuserEx 0x2640eae:$name: ConfuserEx 0xcf2f80:$compile: AssemblyTitle 0x25baaef:$compile: AssemblyTitle 0x2611e73:$compile: AssemblyTitle 0x26121c0:$compile: AssemblyTitle 0x26121d2:$compile: AssemblyTitle 0x2612509:$compile: AssemblyTitle 0x2623ddb:$compile: AssemblyTitle 0x262ca57:$compile: AssemblyTitle 0x26440d7:$compile: AssemblyTitle
VenomRemote_Cracked.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
VenomRemote_Cracked.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
VenomRemote_Cracked.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.552026273.0000000007D60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.266219699.0000000002882000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: VenomRemote_Cracked.exe PID: 5628	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: VenomRemote_Cracked.exe PID: 5628	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
0.0.VenomRemote_Cracked.exe.2f58218.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.VenomRemote_Cracked.exe.67119b0.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.VenomRemote_Cracked.exe.7d60000.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.VenomRemote_Cracked.exe.69919d0.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: VenomRemote_Cracked.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: VenomRemote_Cracked.exe	ReversingLabs: Detection: 57%
Source: VenomRemote_Cracked.exe	Virustotal: Detection: 44%	Perma Link
Source: VenomRemote_Cracked.exe	Metadefender: Detection: 34%	Perma Link

Yara detected Quasar RAT

Source: Yara match	File source: VenomRemote_Cracked.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VenomRemote_Cracked.exe PID: 5628, type: MEMORYSTR

Machine Learning detection for sample

Source: VenomRemote_Cracked.exe

Joe Sandbox ML: detected

Bitcoin Miner

Found strings related to Crypto-Mining

Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp

String found in binary or memory: cryptonight

Source: VenomRemote_Cracked.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: KoiVM.Runtime.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: Confuser.DynCipher.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: ConfuserEx.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: Confuser.Core.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: costura.mono.cecil.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: (l%costura.antire.runtime.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: GalaSoft.MvvmLight.WPF4.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: "GalaSoft.MvvmLight.Extras.WPF4.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: Confuser.CLI.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: costura.mono.cecil.rocks.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: KoiVM.Confuser.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: C:\Users\Ilham-PC\Documents\Visual Studio 2015\Projects\Siticone.UI\Build\Release\Siticone.UI.WinForms\Siticone.UI.pdb source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.antire.runtime.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: (l!costura.mono.cecil.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: (l'costura.mono.cecil.rocks.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Practices.ServiceLocation.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: costura.mono.cecil.pdb.dll.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: mono.cecil.pdb source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 1dnlib.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: C:\Users\Ilham-PC\Documents\Visual Studio 2015\Projects\Siticone.UI\Build\Release\Siticone.UI.WinForms\Siticone.UI.pdbBSJB source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Beds Protector GUI.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: mono.cecil.pdbKcostura.mono.cecil.pdb.dll.compressedKcostura.mono.cecil.pdb.pdb.compressed!mono.cecil.rocksOcostura.mono.cecil.rocks.dll.compressedOcostura.mono.cecil.rocks.pdb.compressed!mono.httputilityOcostura.mono.httputility.dll.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: Confuser.Protections.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: GalaSoft.MvvmLight.Extras.WPF4.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: KoiVM.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: costura.mono.cecil.mdb.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: (l%costura.mono.cecil.pdb.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: antire.runtimeKcostura.antire.runtime.dll.compressedKcostura.antire.runtime.pdb.compressed/bunifu.dataviz.winforms]costura.bunifu.dataviz.winforms.dll.compressed!bunifu.licensing)Bunifu.Licensing.dll1bunifu.ui.winforms.1.5.3_costura.bunifu.ui.winforms.1.5.3.dll.compressed?bunifu.ui.winforms.bunifubuttonmcostura.bunifu.ui.winforms.bunifubutton.dll.compressedCbunifu.ui.winforms.bunifucheckboxqcostura.bunifu.ui.winforms.bunifucheckbox.dll.compressedObunifu.ui.winforms.bunifucircleprogress}costura.bunifu.ui.winforms.bunifucircleprogress.dll.compressedQbunifu.ui.winforms.bunifucolortransition source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: mono.cecil.mdbKcostura.mono.cecil.mdb.dll.compressedKcostura.mono.cecil.mdb.pdb.compressedCcostura.mono.cecil.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: KoiVM.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: Beds Protector.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: Confuser.Runtime.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: costura.mono.cecil.pdb.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: ^'Microsoft.Practices.ServiceLocation.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: (l%costura.mono.cecil.mdb.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: (l%costura.mono.cecil.pdb.dll.compressed source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: Confuser.Renamer.pdb source: VenomRemote_Cracked.exe

Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_09D00980
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_09D09C73
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_09D09C78

Networking

Yara detected Generic Downloader

Source: Yara match	File source: VenomRemote_Cracked.exe, type: SAMPLE
Source: Yara match	File source: 0.2.VenomRemote_Cracked.exe.67119b0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VenomRemote_Cracked.exe.7d60000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VenomRemote_Cracked.exe.69919d0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.552026273.0000000007D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: VenomRemote_Cracked.exe, 00000000.00000002.543082921.000000000389E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: CLIENT_VERSIONthttp://gdata.youtube.com/feeds/api/videos/{0}?v=2&alt=jsonDFailed to get youtube video data: Lhttp://vimeo.com/api/v2/video/{0}.json@Failed to get vimeo video data: ork Manager.<br><br> <b>LICENSE MODULE</b><br> The license module enables you to work without interruptions. Issues with the module can be caused by:<br><br> (i) <i>Framework Manager is not installed</i><br>(ii) <i>HDD formatting</i><br>(iii) <i>OS reintallation</i>,<br>(iv) <i>Siticone Files Deletion</i>, or<br>(v) <i>Any other issues</i>.<br><br> For assistance, please contact our support centre at: <i>support@siticoneframework.com</i>PMissing Manager or the Module is corrupt4Download Framework Manager4Contact Our Support CentreHmailto:support@siticoneframework.comDhttps://www.siticoneframework.com/ equals www.youtube.com (Youtube)
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Shttps://www.youtube.com/embed/hr0itfdwMPg)Welcome on Venom Rat equals www.youtube.com (Youtube)

Source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://dashboard.ngrok.com/status
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://dynupdate.no-ip.com/nic/update?hostname=
Source: VenomRemote_Cracked.exe, 00000000.00000003.280319341.0000000008605000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.w0
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: VenomRemote_Cracked.exe, 00000000.00000002.544779526.000000000555F000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544687010.000000000553D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gdata.youtube.com/feeds/api/videos/
Source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://pastebin.com/api/api_login.php
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://pastebin.com/api/api_post.php
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://pastebin.com/raw.php?i=cSuccesfully
Source: VenomRemote_Cracked.exe, 00000000.00000002.544779526.000000000555F000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544687010.000000000553D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://vimeo.com/api/v2/video/
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: VenomRemote_Cracked.exe, 00000000.00000003.279885486.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280006083.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279785073.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280113298.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280150127.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280186456.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279920954.0000000008620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: VenomRemote_Cracked.exe, 00000000.00000003.279971328.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279885486.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280006083.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279920954.0000000008620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com-
Source: VenomRemote_Cracked.exe, 00000000.00000003.279971328.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280046273.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280006083.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280113298.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280150127.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280186456.0000000008620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com9
Source: VenomRemote_Cracked.exe, 00000000.00000003.279971328.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280046273.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280006083.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279920954.0000000008620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comIta
Source: VenomRemote_Cracked.exe, 00000000.00000003.279971328.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280046273.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279885486.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280006083.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280113298.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280150127.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280186456.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279920954.0000000008620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comand410
Source: VenomRemote_Cracked.exe, 00000000.00000003.279971328.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280046273.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280006083.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279920954.0000000008620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comb
Source: VenomRemote_Cracked.exe, 00000000.00000003.279823811.0000000008625000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279785073.0000000008620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.cometh
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: VenomRemote_Cracked.exe, 00000000.00000003.279971328.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280046273.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279885486.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280006083.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280113298.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280150127.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280186456.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279920954.0000000008620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comn-u
Source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: VenomRemote_Cracked.exe, 00000000.00000003.282815704.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: VenomRemote_Cracked.exe, 00000000.00000003.282283072.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.282306417.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.282325798.0000000008620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/u-rS5
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: VenomRemote_Cracked.exe, 00000000.00000003.279111607.0000000008605000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.278972221.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: VenomRemote_Cracked.exe, 00000000.00000003.279111607.0000000008605000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn#zK
Source: VenomRemote_Cracked.exe, 00000000.00000003.279160745.000000000861F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn%3.
Source: VenomRemote_Cracked.exe, 00000000.00000003.279111607.0000000008605000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn-z5
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: VenomRemote_Cracked.exe, 00000000.00000003.279111607.0000000008605000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnC
Source: VenomRemote_Cracked.exe, 00000000.00000003.279111607.0000000008605000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnM
Source: VenomRemote_Cracked.exe, 00000000.00000003.290759341.0000000008621000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.290740374.0000000008620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.google.com
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.venomremote.com
Source: VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.anonfile.com/upload
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.auth.gg/csharp/AInvalid
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.licensing.bunifu.io/
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://bunifuframework.com/
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://bunifuframework.com/checkout/?edd_license_key=
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://bunifuframework.com/checkout/?edd_license_key=crackedbycdolo&download_id=1128601
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://bunifuframework.com/checkout?edd_action=add_to_cart&download_id=
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://bunifuframework.com/free-download
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://bunifuframework.com/free-download/
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://bunifuframework.com/support.
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://bunifuframework.comGhttps://bunifuframework.com/support
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://dashboard.ngrok.com/status
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://google.com
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://kutt.it/bunifu-device-remover
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://pastebin.com/raw/GzQpLxfL
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://pastebin.com/raw/grsxLEjEChttps://pastebin.com/raw/6MbzmXfSAYou
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://pastebin.com/raw/inRtatWqChttps://pastebin.com/raw/ZwT1BfVd
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://scanmybin.net/api/new/
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://scanmybin.net/api/new/Bhttps://scanmybin.net/api/status/
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://scanmybin.net/api/scan/
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://scanmybin.net/api/status/?https://scanmybin.net/api/scan/
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://scanmybin.net/result/
Source: VenomRemote_Cracked.exe, 00000000.00000002.544779526.000000000555F000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544687010.000000000553D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/516730/what-does-the-visual-studio-any-cpu-target-mean&
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/latest/w32/putty.exeIExploit
Source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: VenomRemote_Cracked.exe, 00000000.00000002.543082921.000000000389E000.00000004.00000020.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544779526.000000000555F000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544687010.000000000553D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.siticoneframework.com/
Source: VenomRemote_Cracked.exe, 00000000.00000002.543082921.000000000389E000.00000004.00000020.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544779526.000000000555F000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544687010.000000000553D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.siticoneframework.com/pricing.htmlFSoftware
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.youtube.com/embed/hr0itfdwMPg)Welcome

Source: VenomRemote_Cracked.exe, 00000000.00000002.542481877.0000000003808000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: VenomRemote_Cracked.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VenomRemote_Cracked.exe PID: 5628, type: MEMORYSTR

System Summary

.NET source code contains very large array initializations

Source: VenomRemote_Cracked.exe, Venom_Binder/Words.cs

Large array initialization: .cctor: array initializer size 3006

Source: VenomRemote_Cracked.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: VenomRemote_Cracked.exe, type: SAMPLE

Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25

Source: VenomRemote_Cracked.exe, 00000000.00000002.542481877.0000000003808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000000.270756931.00000000030E4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVenomRemote.exe8 vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000002.543082921.000000000389E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000002.544779526.000000000555F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSiticone.UI.dll8 vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBunifu.Licensing.dllB vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: txtOriginalFilename vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: lblOriginalFilename vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: get_OriginalFilename vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: set_OriginalFilename vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: txtCompanyName#txtProductVersion'txtOriginalFilename vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Copyright:'lblOriginalFilename%Original Filename: vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Trademarks!OriginalFilename vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSiticone.UI.dll8 vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSiticone.UI.dll8 vs VenomRemote_Cracked.exe
Source: VenomRemote_Cracked.exe, 00000000.00000002.544687010.000000000553D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs VenomRemote_Cracked.exe

Source: VenomRemote_Cracked.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_03ACC954	0_2_03ACC954
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_03ACED88	0_2_03ACED88
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_03ACED98	0_2_03ACED98

Source: VenomRemote_Cracked.exe	ReversingLabs: Detection: 57%
Source: VenomRemote_Cracked.exe	Virustotal: Detection: 44%
Source: VenomRemote_Cracked.exe	Metadefender: Detection: 34%

Source: VenomRemote_Cracked.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VenomRemote_Cracked.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: VenomRemote_Cracked.exe, VenomS/Forms/VenomLogin.cs	Base64 encoded string: 'kwBPZ0ubY1vrM8FoBi6L0H4k7wr1NcznROh2Gd1y5sxMpSiWoMQTUMSTYwkXQ9Nt'
Source: VenomRemote_Cracked.exe, VenomS/Security.cs	Base64 encoded string: 'gd8JQ57nxXzLLMPrLylVhxoGnWGCFjO4knKTfRE6mVvdjug2NF/4aptAsZcdIGbAPmcx0O+ftU/KvMIjcfUnH3j+IMdhAW5OpoX3MrjQdf5AAP97tTB5g1wdDSAqKpq9gw06t3VaqMWZHKtPSuAXy0kkZRsc+DicpcY8E9+vWMHXa3jMdbPx4YES0p66GzhqLd/heA2zMvX8iWv4wK7S3QKIW/a9dD4ALZJpmcr9OOE='
Source: VenomRemote_Cracked.exe, VenomS/OnProgramStart.cs	Base64 encoded string: 'RmFpbGVkIHRvIGJpbmQgdG8gc2VydmVyLCBjaGVjayB5b3VyIEFJRCAmIFNlY3JldCBpbiB5b3VyIGNvZGUh'

Source: classification engine

Classification label: mal88.troj.evad.mine.winEXE@1/0@0/0

Source: VenomRemote_Cracked.exe, VenomS/Forms/cAES256.cs	Cryptographic APIs: 'CreateDecryptor'
Source: VenomRemote_Cracked.exe, VenomS/Forms/FBuilder.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VenomRemote_Cracked.exe, VenomS/Forms/FBuilder.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VenomRemote_Cracked.exe, VenomS/Forms/VenomLogin.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VenomRemote_Cracked.exe, VenomS/Forms/VenomLogin.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VenomRemote_Cracked.exe, VenomS/Forms/Lisence.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VenomRemote_Cracked.exe, VenomS/Forms/Lisence.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: VenomRemote_Cracked.exe, VenomS/Forms/Lisence.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VenomRemote_Cracked.exe, VenomS/Forms/Lisence.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VenomRemote_Cracked.exe, VenomS/Forms/FSettings.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VenomRemote_Cracked.exe, VenomS/Forms/FSettings.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: VenomRemote_Cracked.exe, VenomS/Forms/SetupBuild.cs	Suspicious method names: System.Void VenomS.Forms.SetupBuild::set_PayloadResources(System.String)
Source: VenomRemote_Cracked.exe, VenomS/Forms/SetupBuild.cs	Suspicious method names: System.String VenomS.Forms.SetupBuild::get_PayloadResources()
Source: VenomRemote_Cracked.exe, VenomS/Forms/SetupBuild.cs	Suspicious method names: System.String VenomS.Forms.SetupBuild::get_PayloadName()
Source: VenomRemote_Cracked.exe, VenomS/Forms/SetupBuild.cs	Suspicious method names: System.Void VenomS.Forms.SetupBuild::set_PayloadName(System.String)
Source: VenomRemote_Cracked.exe, VenomS/FrmMainDark.cs	Suspicious method names: System.Void VenomS.FrmMainDark::encryptPayloadToolStripMenuItem_Click(System.Object,System.EventArgs)
Source: VenomRemote_Cracked.exe, VenomS/FrmMainDark.cs	Suspicious method names: System.Void VenomS.FrmMainDark::buildPayloadToolStripMenuItem_Click(System.Object,System.EventArgs)

Source: VenomRemote_Cracked.exe, VenomS/Forms/FrmTaskManager.cs

Task registration methods: 'get_CreateParams'

Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: VenomRemote_Cracked.exe

Static file information: File size 40408576 > 1048576

Source: VenomRemote_Cracked.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: VenomRemote_Cracked.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: VenomRemote_Cracked.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2660400

Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: KoiVM.Runtime.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: Confuser.DynCipher.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: ConfuserEx.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: Confuser.Core.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: costura.mono.cecil.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: (l%costura.antire.runtime.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: GalaSoft.MvvmLight.WPF4.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: "GalaSoft.MvvmLight.Extras.WPF4.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: Confuser.CLI.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: costura.mono.cecil.rocks.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: KoiVM.Confuser.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: C:\Users\Ilham-PC\Documents\Visual Studio 2015\Projects\Siticone.UI\Build\Release\Siticone.UI.WinForms\Siticone.UI.pdb source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.antire.runtime.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: (l!costura.mono.cecil.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: (l'costura.mono.cecil.rocks.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Practices.ServiceLocation.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: costura.mono.cecil.pdb.dll.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: mono.cecil.pdb source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 1dnlib.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: C:\Users\Ilham-PC\Documents\Visual Studio 2015\Projects\Siticone.UI\Build\Release\Siticone.UI.WinForms\Siticone.UI.pdbBSJB source: VenomRemote_Cracked.exe, 00000000.00000002.549917724.0000000006991000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.546828047.000000000650C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Beds Protector GUI.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: mono.cecil.pdbKcostura.mono.cecil.pdb.dll.compressedKcostura.mono.cecil.pdb.pdb.compressed!mono.cecil.rocksOcostura.mono.cecil.rocks.dll.compressedOcostura.mono.cecil.rocks.pdb.compressed!mono.httputilityOcostura.mono.httputility.dll.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: Confuser.Protections.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: GalaSoft.MvvmLight.Extras.WPF4.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: KoiVM.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: costura.mono.cecil.mdb.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: (l%costura.mono.cecil.pdb.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: antire.runtimeKcostura.antire.runtime.dll.compressedKcostura.antire.runtime.pdb.compressed/bunifu.dataviz.winforms]costura.bunifu.dataviz.winforms.dll.compressed!bunifu.licensing)Bunifu.Licensing.dll1bunifu.ui.winforms.1.5.3_costura.bunifu.ui.winforms.1.5.3.dll.compressed?bunifu.ui.winforms.bunifubuttonmcostura.bunifu.ui.winforms.bunifubutton.dll.compressedCbunifu.ui.winforms.bunifucheckboxqcostura.bunifu.ui.winforms.bunifucheckbox.dll.compressedObunifu.ui.winforms.bunifucircleprogress}costura.bunifu.ui.winforms.bunifucircleprogress.dll.compressedQbunifu.ui.winforms.bunifucolortransition source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: mono.cecil.mdbKcostura.mono.cecil.mdb.dll.compressedKcostura.mono.cecil.mdb.pdb.compressedCcostura.mono.cecil.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: KoiVM.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: Beds Protector.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: Confuser.Runtime.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: costura.mono.cecil.pdb.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: ^'Microsoft.Practices.ServiceLocation.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: (l%costura.mono.cecil.mdb.pdb.compressed source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: (l%costura.mono.cecil.pdb.dll.compressed source: VenomRemote_Cracked.exe, 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.pdb source: VenomRemote_Cracked.exe
Source:	Binary string: Confuser.Renamer.pdb source: VenomRemote_Cracked.exe

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: VenomRemote_Cracked.exe, type: SAMPLE
Source: Yara match	File source: 0.0.VenomRemote_Cracked.exe.2f58218.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.266219699.0000000002882000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VenomRemote_Cracked.exe PID: 5628, type: MEMORYSTR

Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D02628 push ebp; iretd	0_2_09D02902
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D029D9 push ebp; iretd	0_2_09D029DA
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D02908 push ebp; iretd	0_2_09D0290A
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D02928 push ebp; iretd	0_2_09D0292A
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D00928 pushad ; iretd	0_2_09D00929
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D02898 push ebp; iretd	0_2_09D02902
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D09878 pushfd ; iretd	0_2_09D0987A
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D09830 pushfd ; iretd	0_2_09D09832
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D09829 pushfd ; iretd	0_2_09D0982A
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D0BBB0 pushfd ; ret	0_2_09D0BBB1
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D0BB60 push esp; ret	0_2_09D0BB61
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D02B09 push esi; iretd	0_2_09D02B0A
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D02D90 push edi; iretd	0_2_09D02D92
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D02D99 push edi; iretd	0_2_09D02D9A
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D02DB9 push edi; iretd	0_2_09D02DBA
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D01DA1 push eax; iretd	0_2_09D01DA2
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D01DA9 push eax; iretd	0_2_09D01DAA
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D02D71 push edi; iretd	0_2_09D02D72
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Code function: 0_2_09D02D79 push edi; iretd	0_2_09D02D7A

Source: VenomRemote_Cracked.exe

Static PE information: 0xDB2E689F [Thu Jul 11 18:49:03 2086 UTC]

Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe

Window / User API: threadDelayed 5935

Jump to behavior

Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe TID: 5232

Thread sleep time: -59350s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: vmware
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: DetectVirtualMachine
Source: VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: VMware.png

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Users\user\Desktop\VenomRemote_Cracked.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\VenomRemote_Cracked.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: VenomRemote_Cracked.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VenomRemote_Cracked.exe PID: 5628, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: VenomRemote_Cracked.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VenomRemote_Cracked.exe PID: 5628, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Virtualization/Sandbox Evasion	1 Input Capture	11 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Timestomp	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	21 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
VenomRemote_Cracked.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.ClipBanker
VenomRemote_Cracked.exe	44%	Virustotal		Browse
VenomRemote_Cracked.exe	34%	Metadefender		Browse
VenomRemote_Cracked.exe	100%	Avira	TR/Dropper.MSIL.Gen7
VenomRemote_Cracked.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnM	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnC	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.carterandcone.com9	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.founder.com.cn/cn-z5	0%	Avira URL Cloud	safe
https://scanmybin.net/api/status/?https://scanmybin.net/api/scan/	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.carterandcone.comb	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
https://bunifuframework.com/free-download/	0%	Virustotal		Browse
http://www.carterandcone.comIta	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
https://api.licensing.bunifu.io/	0%	Avira URL Cloud	safe
https://bunifuframework.com/checkout/?edd_license_key=crackedbycdolo&download_id=1128601	0%	Avira URL Cloud	safe
https://bunifuframework.com/free-download/	0%	Avira URL Cloud	safe
https://bunifuframework.com/checkout/?edd_license_key=	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn#zK	0%	Avira URL Cloud	safe
https://scanmybin.net/api/new/Bhttps://scanmybin.net/api/status/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn#zK	0%	Virustotal		Browse
https://bunifuframework.comGhttps://bunifuframework.com/support	0%	Avira URL Cloud	safe
http://www.carterandcone.com-	0%	Avira URL Cloud	safe
https://www.siticoneframework.com/	0%	Avira URL Cloud	safe
http://www.venomremote.com	0%	Avira URL Cloud	safe
https://bunifuframework.com/support.	0%	Avira URL Cloud	safe
https://bunifuframework.com/checkout?edd_action=add_to_cart&download_id=	0%	Avira URL Cloud	safe
https://bunifuframework.com/free-download	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn%3.	0%	Avira URL Cloud	safe
https://scanmybin.net/api/new/	0%	Avira URL Cloud	safe
http://www.carterandcone.cometh	0%	Avira URL Cloud	safe
https://www.siticoneframework.com/pricing.htmlFSoftware	0%	Avira URL Cloud	safe
https://scanmybin.net/result/	0%	Avira URL Cloud	safe
https://scanmybin.net/api/scan/	0%	Avira URL Cloud	safe
http://dynupdate.no-ip.com/nic/update?hostname=	0%	Avira URL Cloud	safe
https://bunifuframework.com/	0%	Avira URL Cloud	safe
https://api.auth.gg/csharp/AInvalid	0%	Avira URL Cloud	safe
http://en.w0	0%	Avira URL Cloud	safe
http://www.carterandcone.comand410	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.founder.com.cn/cn-z5	VenomRemote_Cracked.exe, 00000000.00000003.279111607.0000000008605000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.comn-u	VenomRemote_Cracked.exe, 00000000.00000003.279971328.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280046273.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279885486.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280006083.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280113298.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280150127.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280186456.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279920954.0000000008620000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/u-rS5	VenomRemote_Cracked.exe, 00000000.00000003.282283072.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.282306417.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.282325798.0000000008620000.00000004.00000800.00020000.00000000.sdmp	false		high
https://scanmybin.net/api/status/?https://scanmybin.net/api/scan/	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnM	VenomRemote_Cracked.exe, 00000000.00000003.279111607.0000000008605000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bunifuframework.com/free-download/	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://stackoverflow.com/questions/516730/what-does-the-visual-studio-any-cpu-target-mean&	VenomRemote_Cracked.exe, 00000000.00000002.544779526.000000000555F000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544687010.000000000553D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.licensing.bunifu.io/	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://dashboard.ngrok.com/status	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.fontbureau.com/designers?	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bunifuframework.com/checkout/?edd_license_key=	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/grsxLEjEChttps://pastebin.com/raw/6MbzmXfSAYou	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false		high
https://bunifuframework.com/checkout/?edd_license_key=crackedbycdolo&download_id=1128601	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://scanmybin.net/api/new/Bhttps://scanmybin.net/api/status/	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn#zK	VenomRemote_Cracked.exe, 00000000.00000003.279111607.0000000008605000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bunifuframework.comGhttps://bunifuframework.com/support	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.siticoneframework.com/	VenomRemote_Cracked.exe, 00000000.00000002.543082921.000000000389E000.00000004.00000020.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544779526.000000000555F000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544687010.000000000553D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	VenomRemote_Cracked.exe, 00000000.00000003.279885486.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280006083.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279785073.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280113298.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280150127.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280186456.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279920954.0000000008620000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://kutt.it/bunifu-device-remover	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.founder.com.cn/cnC	VenomRemote_Cracked.exe, 00000000.00000003.279111607.0000000008605000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com-	VenomRemote_Cracked.exe, 00000000.00000003.279971328.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279885486.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280006083.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279920954.0000000008620000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://pastebin.com/api/api_post.php	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.sajatypeworks.com	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.venomremote.com	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bunifuframework.com/support.	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://bunifuframework.com/free-download	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://bunifuframework.com/checkout?edd_action=add_to_cart&download_id=	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn%3.	VenomRemote_Cracked.exe, 00000000.00000003.279160745.000000000861F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com9	VenomRemote_Cracked.exe, 00000000.00000003.279971328.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280046273.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280006083.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280113298.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280150127.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280186456.0000000008620000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://scanmybin.net/api/new/	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.google.com	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.fonts.com	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pastebin.com/raw/inRtatWqChttps://pastebin.com/raw/ZwT1BfVd	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.urwpp.deDPlease	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.anonfile.com/upload	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.carterandcone.cometh	VenomRemote_Cracked.exe, 00000000.00000003.279823811.0000000008625000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279785073.0000000008620000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comb	VenomRemote_Cracked.exe, 00000000.00000003.279971328.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280046273.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280006083.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279920954.0000000008620000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/	VenomRemote_Cracked.exe, 00000000.00000003.290759341.0000000008621000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.290740374.0000000008620000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://vimeo.com/api/v2/video/	VenomRemote_Cracked.exe, 00000000.00000002.544779526.000000000555F000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544687010.000000000553D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.siticoneframework.com/pricing.htmlFSoftware	VenomRemote_Cracked.exe, 00000000.00000002.543082921.000000000389E000.00000004.00000020.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544779526.000000000555F000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544687010.000000000553D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://scanmybin.net/result/	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://gdata.youtube.com/feeds/api/videos/	VenomRemote_Cracked.exe, 00000000.00000002.544779526.000000000555F000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.544687010.000000000553D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pastebin.com/raw.php?i=cSuccesfully	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false		high
https://scanmybin.net/api/scan/	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/GzQpLxfL	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false		high
http://dynupdate.no-ip.com/nic/update?hostname=	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/embed/hr0itfdwMPg)Welcome	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	VenomRemote_Cracked.exe, 00000000.00000003.279111607.0000000008605000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.278972221.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comIta	VenomRemote_Cracked.exe, 00000000.00000003.279971328.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280046273.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280006083.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279920954.0000000008620000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	VenomRemote_Cracked.exe, 00000000.00000003.282815704.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bunifuframework.com/	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://api.auth.gg/csharp/AInvalid	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.w0	VenomRemote_Cracked.exe, 00000000.00000003.280319341.0000000008605000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	VenomRemote_Cracked.exe, 00000000.00000002.553842537.0000000009802000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dashboard.ngrok.com/status	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false		high
https://google.com	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false		high
http://pastebin.com/api/api_login.php	VenomRemote_Cracked.exe, 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.carterandcone.comand410	VenomRemote_Cracked.exe, 00000000.00000003.279971328.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280046273.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279885486.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280006083.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280113298.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280150127.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.280186456.0000000008620000.00000004.00000800.00020000.00000000.sdmp, VenomRemote_Cracked.exe, 00000000.00000003.279920954.0000000008620000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	697970
Start date and time:	2022-09-06 09:22:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	VenomRemote_Cracked.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.mine.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 26 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.703729193206116
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	VenomRemote_Cracked.exe
File size:	40408576
MD5:	83626a159e3399dc2bec680220ba8969
SHA1:	c8fb91953976291310ddc645e2b9275277c57ec2
SHA256:	0e59d8a36fc73b40178732c2e9dec9143ceb3dfd590547221dbce65983042141
SHA512:	6640d88a9aff7507d8372317e34422aa7a493d00194c945c2292d20445e0e0b6a0004ef90e8c263fe683b352292d89b28bdcb5fa4135be4333d4ef7076119f09
SSDEEP:	393216:OFdlmXJTD1jJTDQMvfOjmM27kv1Bx0bQox/UlGkNCoIZZJTD2Mm1Zg6YH3mH1gfB:GLxMvDUjCbQa/O11t1Zg6kmH1gEEE
TLSH:	7697F1273960F6C4F6BB19FC0370D62A83241E7A1A245931648876FD6DD1E96F18C3FA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h................0...f.........^"f.. ...@f...... ........................i...........`................................

File Icon


Icon Hash:	f44929b692c4ec30

Static PE Info

General

Entrypoint:	0x339225e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0xd30000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0xDB2E689F [Thu Jul 11 18:49:03 2086 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00D32000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2662208	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2664000	0x28d0e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x268e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2660264	0x2660400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2664000	0x28d0e	0x28e00	False	0.5958345279051988	data	6.427138604052956	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x268e000	0xc	0x200	False	0.044921875	data	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x2664220	0x10032	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x2674254	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x2684a7c	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON	0x2688ca4	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x268b24c	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x268c2f4	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x268c75c	0x5a	data
RT_VERSION	0x268c7b8	0x36c	data
RT_MANIFEST	0x268cb24	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

• VenomRemote_Cracked.exe

Click to jump to process

Memory Usage

• VenomRemote_Cracked.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	09:23:07
Start date:	06/09/2022
Path:	C:\Users\user\Desktop\VenomRemote_Cracked.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VenomRemote_Cracked.exe"
Imagebase:	0xa80000
File size:	40408576 bytes
MD5 hash:	83626A159E3399DC2BEC680220BA8969
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.552026273.0000000007D60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.544331184.00000000054B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.270393873.0000000003021000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.266219699.0000000002882000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	233
Total number of Limit Nodes:	20

Executed Functions

Function 09D00980 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.556232577.0000000009D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d00000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d9d0d84b6dfb852fb68d82ad0c241019e86396dab46d7f717e659a339fcc09
Instruction ID: eeb0840f7d29ca028482071d2daaa031ec62dc9d1fe15655ead6d22a203c1357
Opcode Fuzzy Hash: 17d9d0d84b6dfb852fb68d82ad0c241019e86396dab46d7f717e659a339fcc09
Instruction Fuzzy Hash: 50E1B374E45218DFDB24DFB4D854BAEBBB2BB89300F20A1AAD419B7291DB349D40CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03ACBEA0 Relevance: 6.1, APIs: 4, Instructions: 123
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 03ACBF10
GetCurrentThread.KERNEL32 ref: 03ACBF4D
GetCurrentProcess.KERNEL32 ref: 03ACBF8A
GetCurrentThreadId.KERNEL32 ref: 03ACBFE3

Memory Dump Source

Source File: 00000000.00000002.543755043.0000000003AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ac0000_VenomRemote_Cracked.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ac1abc7d453ba8e70e119acede5efb5d3053012ccab986244ddc7b0fe2d5c620
Instruction ID: 22fa02826eeb1970d17e509b1727f06914378218b8c6a616a51e58bddf16dfce
Opcode Fuzzy Hash: ac1abc7d453ba8e70e119acede5efb5d3053012ccab986244ddc7b0fe2d5c620
Instruction Fuzzy Hash: 055152B49042498FDB14CFA9D989BEEBBF1AF48308F24845EE409A7350C7359844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 03ACBEB0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 03ACBF10
GetCurrentThread.KERNEL32 ref: 03ACBF4D
GetCurrentProcess.KERNEL32 ref: 03ACBF8A
GetCurrentThreadId.KERNEL32 ref: 03ACBFE3

Memory Dump Source

Source File: 00000000.00000002.543755043.0000000003AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ac0000_VenomRemote_Cracked.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c459add9f39c9752b9511baede04b56840ab062aad2bb788a2ad291e6d51f568
Instruction ID: e735aa97d13ba01e962f08c12e991a3f7f849c15cf538b4d436e4d8b56720f86
Opcode Fuzzy Hash: c459add9f39c9752b9511baede04b56840ab062aad2bb788a2ad291e6d51f568
Instruction Fuzzy Hash: 875132B49002499FDB14CFA9D589BEEBBF1EB88304F24845EE019A7350D7359844CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03AC9EB0 Relevance: 1.7, APIs: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 03ACA0F6

Memory Dump Source

Source File: 00000000.00000002.543755043.0000000003AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ac0000_VenomRemote_Cracked.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: eb1516455048a88b1ae73386823346896cf6c13e79962bdcde8b3e2b037b5986
Instruction ID: 84d8c2409e58dcfd7eceb98beee2ff3533d3716c9f738a577fffcc511382bdc3
Opcode Fuzzy Hash: eb1516455048a88b1ae73386823346896cf6c13e79962bdcde8b3e2b037b5986
Instruction Fuzzy Hash: B0713470A10B499FD724DF29C1447ABB7F5BF88304F04892ED48ADBA40DB75E8498B91

Uniqueness

Uniqueness Score: -1.00%

Function 03AC4108 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03AC5C61

Memory Dump Source

Source File: 00000000.00000002.543755043.0000000003AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ac0000_VenomRemote_Cracked.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ab1c626335b3d2e6df656d73c7818a0afa895635b20cf828ed3d676b0508c846
Instruction ID: 405684a9469649d6f263a12a47f0188b44c813a72fd5b7455430c35be3bbb434
Opcode Fuzzy Hash: ab1c626335b3d2e6df656d73c7818a0afa895635b20cf828ed3d676b0508c846
Instruction Fuzzy Hash: DC411570C0461CCBDB20DFA9C888BDDBBB1FF49304F25806AD418AB241D7716949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03AC5BA8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03AC5C61

Memory Dump Source

Source File: 00000000.00000002.543755043.0000000003AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ac0000_VenomRemote_Cracked.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6151f7ce5156205ecbf1429dbf6c5494a5d1b0bc974556306d6475f5cdc0d644
Instruction ID: 459315373b9f9779696e18a45db70ea5b2ea2263ee1d6ea57f7fd221fd8044b9
Opcode Fuzzy Hash: 6151f7ce5156205ecbf1429dbf6c5494a5d1b0bc974556306d6475f5cdc0d644
Instruction Fuzzy Hash: 0241F3B1C0461CCBDB24DFA9C888BDEBBB1FF49308F25806AD418AB251D7756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03ACC0D0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03ACC15F

Memory Dump Source

Source File: 00000000.00000002.543755043.0000000003AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ac0000_VenomRemote_Cracked.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cfb0325092d35dbba3e483ff3f5f7ecf354dc1540a0174cdb9e4d4a33088215f
Instruction ID: 1104d2b4af5ed5eb464ce61cc2c15f4dee83e4d9c607c914de8bd459fb789500
Opcode Fuzzy Hash: cfb0325092d35dbba3e483ff3f5f7ecf354dc1540a0174cdb9e4d4a33088215f
Instruction Fuzzy Hash: 0521D4B5900249AFDB10CF99D984ADEBBF4EB48324F14841AE915A7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03ACC0D8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03ACC15F

Memory Dump Source

Source File: 00000000.00000002.543755043.0000000003AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ac0000_VenomRemote_Cracked.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: db1cbb03024cf7622b8d228c360c174adbf5fd5c7ba7bfd82e4d02023fe3ff16
Instruction ID: 97147a5d171892188017caf139f03d7dd088a8e7b31862caedf63d9cf91c9528
Opcode Fuzzy Hash: db1cbb03024cf7622b8d228c360c174adbf5fd5c7ba7bfd82e4d02023fe3ff16
Instruction Fuzzy Hash: 6621C4B5D00258AFDB10CFAAD884ADEFBF4FB48324F14841AE915A7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03AC9AC8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,03ACA171,00000800,00000000,00000000), ref: 03ACA382

Memory Dump Source

Source File: 00000000.00000002.543755043.0000000003AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ac0000_VenomRemote_Cracked.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3fc6afdfe17b619c377799d903b738997292b2c17449123b3744f4c1d2cf1147
Instruction ID: a2b7e535fca04f3b078a4b166e16684dba992c646ce224e433eecd7ede7182d6
Opcode Fuzzy Hash: 3fc6afdfe17b619c377799d903b738997292b2c17449123b3744f4c1d2cf1147
Instruction Fuzzy Hash: 5F11F4B69003489BCB10CF9AD488AEEFBF4EB88324F05842ED915A7700C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03ACA310 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,03ACA171,00000800,00000000,00000000), ref: 03ACA382

Memory Dump Source

Source File: 00000000.00000002.543755043.0000000003AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ac0000_VenomRemote_Cracked.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 427fef723e91359e22edd2a1115c9bd48f7a52745c57f249666970c24eb69870
Instruction ID: 6c827284bfd316671fae2c23d0be3221c23c0ce2fad091b64e24abf7b3787b85
Opcode Fuzzy Hash: 427fef723e91359e22edd2a1115c9bd48f7a52745c57f249666970c24eb69870
Instruction Fuzzy Hash: D911C2BA9002499BDB10CF99D484BDEFBF4AB88324F15852ED919A7600C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09D0CF48 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,00000000), ref: 09D0CFB2

Memory Dump Source

Source File: 00000000.00000002.556232577.0000000009D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d00000_VenomRemote_Cracked.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: addfd299c147168d829a45528167704a1fbfe5c0f202951bd321ffab589c222a
Instruction ID: c8277cc6f353deaad5b876350423fb6c83acebde706b105e1b99d635f852900d
Opcode Fuzzy Hash: addfd299c147168d829a45528167704a1fbfe5c0f202951bd321ffab589c222a
Instruction Fuzzy Hash: 851126B2D002498FDB10CF9AC844BDEFBF4EF88324F04842AE855A7640D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09D0F93C Relevance: 1.6, APIs: 1, Instructions: 50
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 09D0F99D

Memory Dump Source

Source File: 00000000.00000002.556232577.0000000009D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d00000_VenomRemote_Cracked.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ff071af543ef9b364f60547dfab8f5e6ea46be1526d3a3d73218b71a37ced721
Instruction ID: 91170a975d2754449709d6ad2e5c88e92496ffe7814f97262c5c953cf7872394
Opcode Fuzzy Hash: ff071af543ef9b364f60547dfab8f5e6ea46be1526d3a3d73218b71a37ced721
Instruction Fuzzy Hash: 071136B18003099FDB20CF9AD885BDEFBF8FB48324F148429E454A3640C378A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09D0F940 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 09D0F99D

Memory Dump Source

Source File: 00000000.00000002.556232577.0000000009D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d00000_VenomRemote_Cracked.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f6ec97a5aa6383cc98e1586565f189a2111cddd1524cb4f5239e20e1876e9020
Instruction ID: 4939458a94250f4a847981bceb274d77bf7729e04280fd79f5bcc1dc6a53685e
Opcode Fuzzy Hash: f6ec97a5aa6383cc98e1586565f189a2111cddd1524cb4f5239e20e1876e9020
Instruction Fuzzy Hash: EE1118B58003499FDB20CF99D985BDEFBF8FB58324F148429E554A3640D378A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09D0694C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,09D0D4C9,?,?,00000000), ref: 09D0D53D

Memory Dump Source

Source File: 00000000.00000002.556232577.0000000009D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d00000_VenomRemote_Cracked.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ba9370d2dc55cf1efedea49937cbfe5437d90e85fb96ac9f554428d016986c7
Instruction ID: ad34203ef63cab9e8c14514cec3323222279bd06f25d3e1dcae2d415a1d5c668
Opcode Fuzzy Hash: 8ba9370d2dc55cf1efedea49937cbfe5437d90e85fb96ac9f554428d016986c7
Instruction Fuzzy Hash: 7B1106B5C003499FDB20DF99D888BDEFBF8EB98364F14841AE915A7640D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09D0D924 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,09D0DE81,?,?,00000000), ref: 09D0DEF5

Memory Dump Source

Source File: 00000000.00000002.556232577.0000000009D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d00000_VenomRemote_Cracked.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0f75571301f4da201257254252b0938ccaf5cc75397bd133dc92e954cf743f6c
Instruction ID: 1bf4c91bf6140a01c03894ab940627b13993300875ab366ac6b809902d162c05
Opcode Fuzzy Hash: 0f75571301f4da201257254252b0938ccaf5cc75397bd133dc92e954cf743f6c
Instruction Fuzzy Hash: 791103B58003499FDB20DF99C888BDEFFF8EB98324F14841AE555A7640C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03ACA090 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 03ACA0F6

Memory Dump Source

Source File: 00000000.00000002.543755043.0000000003AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ac0000_VenomRemote_Cracked.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d23ed007d5a83dc3e6408317f673afa1423c84fb762575cca2a97d0c31a5bbd0
Instruction ID: db7f3b21e163541e14db18614e3a29658cc90f83dafaf5d83dc778281688b8e9
Opcode Fuzzy Hash: d23ed007d5a83dc3e6408317f673afa1423c84fb762575cca2a97d0c31a5bbd0
Instruction Fuzzy Hash: A611D2B6D002498FDB10CF9AD848BDEFBF4EB89264F15842ED429B7600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 037BD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.542136137.00000000037BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 037BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_37bd000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285f5cd0b094d864c6fba3c531889b75195086fd511272afbc19ef434d4ab202
Instruction ID: bcb6b4bedc06e9f17aaceb370b580cd6285d8197257211aa76bf9e8ede845625
Opcode Fuzzy Hash: 285f5cd0b094d864c6fba3c531889b75195086fd511272afbc19ef434d4ab202
Instruction Fuzzy Hash: A82106B5504244DFDB24CF50D9C4B56FB79FB88324F24C5A9ED054B206C33AE856C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 037BD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.542136137.00000000037BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 037BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_37bd000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0edb1871974e1c1e841b15c9e2777ef907f64fb508cbd0b6f98bab6fb8d67e6a
Instruction ID: 9f0f79b87802211b1dcbfada90abd83215a864c470313b9390b479116c734abc
Opcode Fuzzy Hash: 0edb1871974e1c1e841b15c9e2777ef907f64fb508cbd0b6f98bab6fb8d67e6a
Instruction Fuzzy Hash: B92103B1504244DFDB25DF10D9C4BA6BF79FF88328F2485A9E9054B206C336D856CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 037DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.542244691.00000000037DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 037DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_37dd000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a09b3d884962c95681f20fd852be17fd0d141370abfe26f9c858278369874b1
Instruction ID: 98c4c1f73ed5263659734419d9efed5ecd9cce3655f5faf58eb2656a486f81bb
Opcode Fuzzy Hash: 2a09b3d884962c95681f20fd852be17fd0d141370abfe26f9c858278369874b1
Instruction Fuzzy Hash: 8A21D7B5608248DFDB24DF14E9C4B16BB75FFC8314F28C5A9D9494B246C33AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 037DD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.542244691.00000000037DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 037DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_37dd000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5923f1b58a91829b9c5f0807842361eb9bf35fc629ea7c4135edf01b7f92d43e
Instruction ID: 11a1edb1512037c22d3a29fb1c69c11b8afee410da56503471072e0f6389c173
Opcode Fuzzy Hash: 5923f1b58a91829b9c5f0807842361eb9bf35fc629ea7c4135edf01b7f92d43e
Instruction Fuzzy Hash: 942107B5548244EFDB25CF50D9C4F26BBB5FF88314F24C5ADD9494B242C336E846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 037DD005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.542244691.00000000037DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 037DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_37dd000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32437bf4511852b3e92dac2c08ba285d2b5943045fb0d7faab04a60f3dde912
Instruction ID: 0cdc3620fa23e26c702cae4d726a2ed51814f5e602b2c0a7c19f87f22a655442
Opcode Fuzzy Hash: a32437bf4511852b3e92dac2c08ba285d2b5943045fb0d7faab04a60f3dde912
Instruction Fuzzy Hash: 5D2180754083849FCB12CF24D994B11BF75EF86214F28C5EAD8498B297C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 037BD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.542136137.00000000037BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 037BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_37bd000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4656cdb48ee39e9b11e55f74cabaa4d8bb78fc64102ed704f6aaa9e37dca74a3
Instruction ID: c8eaa40e1c9edc1f3afdff6f873909a8914b8282c07ac6f600deca18c7929fe3
Opcode Fuzzy Hash: 4656cdb48ee39e9b11e55f74cabaa4d8bb78fc64102ed704f6aaa9e37dca74a3
Instruction Fuzzy Hash: 2511D376404280CFCB11CF10D9C4B56BF71FF88324F28C6A9D8454B616C33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 037BD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.542136137.00000000037BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 037BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_37bd000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4656cdb48ee39e9b11e55f74cabaa4d8bb78fc64102ed704f6aaa9e37dca74a3
Instruction ID: ec33e02ef4e95fe53160175852602391299286de457498bd399e7923dccfbe9c
Opcode Fuzzy Hash: 4656cdb48ee39e9b11e55f74cabaa4d8bb78fc64102ed704f6aaa9e37dca74a3
Instruction Fuzzy Hash: 9811AF76404280DFCB11CF10D9C4B56FF71FB84324F2886A9DC090B616C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 037DD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.542244691.00000000037DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 037DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_37dd000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e22c83591918491278036326d260f7c71b63bb847b55bdc3c3c187d8ebc2c10
Instruction ID: 478a25193f955de15fcc5d74af8f042cf00cb13452e824477c5dd7a2a9c3f046
Opcode Fuzzy Hash: 9e22c83591918491278036326d260f7c71b63bb847b55bdc3c3c187d8ebc2c10
Instruction Fuzzy Hash: FB115B75904280DFDB15CF14DAC4B15FBB1FF84224F28C6A9D8494B656C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 037BD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.542136137.00000000037BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 037BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_37bd000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d607046cdf0d9c969c1a6b1c05881dec709c18054de1905f8504993c3897c11
Instruction ID: ca76137f796f936fa9b4e2c11261fcbeda7c7598761db0d4ddebdc6cc7731b87
Opcode Fuzzy Hash: 8d607046cdf0d9c969c1a6b1c05881dec709c18054de1905f8504993c3897c11
Instruction Fuzzy Hash: F501A771408344ABD7308E26DCC4BE6FBB8EF81774F1C855EE9055A246C3799844D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 037BD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.542136137.00000000037BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 037BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_37bd000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05831605532a598dbea27b3d14cf9e988011bfa2d1a31099363ede2efc9b3d73
Instruction ID: 158067ff9c74a1c1ef89b26b50681ab6766ecb3d5dce52c26210eb8df57f2f9e
Opcode Fuzzy Hash: 05831605532a598dbea27b3d14cf9e988011bfa2d1a31099363ede2efc9b3d73
Instruction Fuzzy Hash: C1F04F75404384AEE7208E16DCC4BA2FBB8EB91774F18C55AED185A286C3799844DAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03ACED98 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.543755043.0000000003AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ac0000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376e71490cb858c87d75cce3fbeb153633dc0fadb13035bf7efc9ccd329bb0b1
Instruction ID: 165c212d874c85453e6e6b7bd195e112ed019e3481f07d6068df5f073444690d
Opcode Fuzzy Hash: 376e71490cb858c87d75cce3fbeb153633dc0fadb13035bf7efc9ccd329bb0b1
Instruction Fuzzy Hash: 2F12B5F94A17468BEB18CF65E89A2C97FE1B745328F904308F2612BAD1DFB4114ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 03ACC954 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.543755043.0000000003AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ac0000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93950e05184b828664e237a196d0a9ad6cc73cf806393032ed40d0b48ea25ae2
Instruction ID: 6bbfe240499e5cae99c29a611a24894e3f75da9bea8fd49dd0aa44e5934650b4
Opcode Fuzzy Hash: 93950e05184b828664e237a196d0a9ad6cc73cf806393032ed40d0b48ea25ae2
Instruction Fuzzy Hash: CDA16F36E202598FCF05DFA5C9449DDBBB6FF84301B15816EE905AB260EB71A916CF80

Uniqueness

Uniqueness Score: -1.00%

Function 03ACED88 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.543755043.0000000003AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ac0000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd25ca15e2073cf2f97914761c728ceab5c51073c4177abb485b74a0f9cc5071
Instruction ID: ff8bd197bd05f99dd809e564d518f17c578e62bc3658897cb658bf08c4634ab0
Opcode Fuzzy Hash: cd25ca15e2073cf2f97914761c728ceab5c51073c4177abb485b74a0f9cc5071
Instruction Fuzzy Hash: 8FC10BB98A17458BDB18DF64E88A2C97FB1BB85328F514308F2617BAD1DFB4114ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 09D09C73 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.556232577.0000000009D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d00000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07e8f37c6df0ec808c89cb1b7e4d8d129b979324beee2b7fc6dee217f252b99
Instruction ID: 3c847fe13b37ee6ea1235876f12016413429adedec2856325392424578ebe944
Opcode Fuzzy Hash: b07e8f37c6df0ec808c89cb1b7e4d8d129b979324beee2b7fc6dee217f252b99
Instruction Fuzzy Hash: FA41F474E402199FDB04DFA8D468BEEB7F2AB88305F108469E410B7791C778AE45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 09D09C78 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.556232577.0000000009D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d00000_VenomRemote_Cracked.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87c3002ca51b2d5f1807a707358926911887e6a23305c6bd7c5f878e5cc4a0b
Instruction ID: 28de3d47bc0babe23c1ac67f4765d21cbb78eaceaabcf1a81c898e6b16240933
Opcode Fuzzy Hash: a87c3002ca51b2d5f1807a707358926911887e6a23305c6bd7c5f878e5cc4a0b
Instruction Fuzzy Hash: 1631F274E402199FCB04DFA9D468BEEB7B2EB89304F108429E410B7791C778AA45CBA5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VenomRemote_Cracked.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: VenomRemote_Cracked.exePID: 5628, Parent PID: 3268

Windows Analysis Report
VenomRemote_Cracked.exe

Function 03ACBEA0 Relevance: 6.1, APIs: 4, Instructions: 123
threadCOMMON

Function 03ACBEB0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 03AC9EB0 Relevance: 1.7, APIs: 1, Instructions: 192
COMMON

Function 03AC4108 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 03AC5BA8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 03ACC0D0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON