hxxps://mega[.]nz/file/w5QHiRza#KWghkl8Z4g96VlObyOrPS3OBWtWQJHoTJye_ku_qvds

General

Target

https://mega.nz/file/w5QHiRza#KWghkl8Z4g96VlObyOrPS3OBWtWQJHoTJye_ku_qvds

Score

9^/10

themida

Malware Config

Signatures

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Kangaroo Patcher.exe	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Kangaroo Patcher.exe	Nirsoft

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Vape_v4.08.exe	themida

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
1624	chrome.exe
1624	chrome.exe
4264	chrome.exe
4264	chrome.exe
3560	chrome.exe
3560	chrome.exe
3988	chrome.exe
3988	chrome.exe
4448	chrome.exe
4448	chrome.exe
1752	chrome.exe
1752	chrome.exe
260	chrome.exe
260	chrome.exe
260	chrome.exe
260	chrome.exe
4536	chrome.exe
4536	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

1912 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

4264 chrome.exe
4264 chrome.exe
4264 chrome.exe
4264 chrome.exe
4264 chrome.exe
4264 chrome.exe
4264 chrome.exe
4264 chrome.exe

pid	process
1912	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zFM.exe

description	pid	process
Token: SeRestorePrivilege	1912	7zFM.exe
Token: 35	1912	7zFM.exe
Token: SeSecurityPrivilege	1912	7zFM.exe
Token: SeSecurityPrivilege	1912	7zFM.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
1912	7zFM.exe
4264	chrome.exe
1912	7zFM.exe
1912	7zFM.exe
4264	chrome.exe
4264	chrome.exe
1912	7zFM.exe
4264	chrome.exe
4264	chrome.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

chrome.exe

pid	process
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe
4264	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

2396 OpenWith.exe

pid	process
2396	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4264 wrote to memory of 1248	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 1248	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 4804	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 1624	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 1624	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe
PID 4264 wrote to memory of 5024	4264	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/w5QHiRza#KWghkl8Z4g96VlObyOrPS3OBWtWQJHoTJye_ku_qvds
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb64424f50,0x7ffb64424f60,0x7ffb64424f70
2⤵
PID:1248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1996 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2352 /prefetch:8
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
2⤵
PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4056 /prefetch:8
2⤵
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5228 /prefetch:8
2⤵
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4192 /prefetch:8
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4496 /prefetch:8
2⤵
PID:3812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1
2⤵
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
2⤵
PID:1708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
2⤵
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6056 /prefetch:8
2⤵
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
2⤵
PID:408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
2⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5928 /prefetch:8
2⤵
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:8
2⤵
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4352 /prefetch:8
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2304 /prefetch:8
2⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3260 /prefetch:8
2⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 /prefetch:8
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5836 /prefetch:8
2⤵
PID:3564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5832 /prefetch:8
2⤵
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4436 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5232 /prefetch:8
2⤵
PID:3408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5720 /prefetch:8
2⤵
PID:4024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2400 /prefetch:8
2⤵
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4612 /prefetch:8
2⤵
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6408 /prefetch:8
2⤵
PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4564 /prefetch:8
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,17882698427628611850,9332899969645420631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6436 /prefetch:8
2⤵
PID:2388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2120

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4720

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Vape_v4.08.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1912

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\Kangaroo Patcher.exe
Filesize
4.6MB

MD5
1f759cd41e647fce566d60749bf7e0ab

SHA1
5120d55459ccc731f0a80706801a3779dc871178

SHA256
bf5ec385d397154f22d2383cb6d33d206fafde02313607bf565e39dce858653f

SHA512
72153e3acf7185b755fa69384c3d431cc20ab0dd91fd48d6f4c4f5bc8f110d4e89ae8c3ba2b780c870e2cff1bb51949ff9046758883b12f2656a3ad34185850f

Download Submit
C:\Users\Admin\Desktop\Vape_v4.08.exe
Filesize
7.6MB

MD5
7407fd99ee1940051b4f543656ea9b0a

SHA1
7149b25db501b75111ac77fe4bcfe6915058757a

SHA256
bef628b23396d36849beac1bf633859d02f82ae9dc877281862b7e9e85148ecd

SHA512
804a257e128f54d5febaca7424f308403e092f773119075270b89d8721e9cc91e3b7adc402ad9a9fbb252b5af250745d2f6a34f523f30b1f08c212aea0e5b75d

Download Submit
C:\Users\Admin\Downloads\Vape_v4.08.rar
Filesize
16.0MB

MD5
72d665e58b17ff50b056e205fb9a9504

SHA1
ee644927d78fd48543939cf3d871d3bbcfbf779b

SHA256
f1a8f64ca660c8978443cbaf5119050730aca0954f60e7ef0a2a9ff2c24fa119

SHA512
d95d3ea4932090423564d98706fa4877fc53b746e09cc4b799b65b12fb4ec0bd3c98a2bf49e59f510bf9635a253870f0bfad737a00c8e6dac794247dbc603015

Download Submit
\??\pipe\crashpad_4264_ISSQILPLPPTIFWPG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads