Analysis

  max time kernel:  51s
  max time network: 63s
  platform:         windows11-21h2_x64
  resource:         win11-20240412-en
  resource tags:    arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:        13-04-2024 13:08
  Static task:      static1
  URLScan task:     urlscan1
Signatures

Detect Umbral payload (2 IoCs)
  resource  behavioral1/files/0x000500000002aac0-213.dat  yara_rule: family_umbral
  resource  behavioral1/memory/3564-221-0x00000184B3530000-0x00000184B3570000-memory.dmp  yara_rule: family_umbral
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  process: VAPE V4.exe

Downloads MZ/PE file

Drops file in Drivers directory (1 IoCs)
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  process: VAPE V4 (injector).exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  process: VAPE V4.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  process: VAPE V4.exe

Executes dropped EXE (3 IoCs)
  pid 3956  CRACKED-V4.exe
  pid 3564  VAPE V4 (injector).exe
  pid 1628  VAPE V4.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled (1 IoCs)
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  process: VAPE V4.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
  flow 36  discord.com
  flow 1   raw.githubusercontent.com
  flow 6   discord.com
  flow 24  raw.githubusercontent.com

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 3  ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid 1628  VAPE V4.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Detects videocard installed (1 TTPs, 1 IoCs)
  Uses WMIC.exe to determine videocard installed.
  pid 1476  wmic.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  process: msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  process: msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  process: msedge.exe

NTFS ADS (2 IoCs)
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 140088.crdownload:SmartScreen  process: msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\CRACKED-V4.exe:Zone.Identifier  process: msedge.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid 3508  PING.EXE
Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid 760   msedge.exe (2 entries)
  pid 860   msedge.exe (2 entries)
  pid 4512  msedge.exe (2 entries)
  pid 1604  identity_helper.exe (2 entries)
  pid 3312  msedge.exe (2 entries)
  pid 3564  VAPE V4 (injector).exe (2 entries)
  pid 5024  powershell.exe (3 entries)
  pid 2376  powershell.exe (3 entries)
  pid 3300  powershell.exe (3 entries)
  pid 1348  powershell.exe (3 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid 860  msedge.exe (7 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege  pid 3564  VAPE V4 (injector).exe
  pid 396  wmic.exe, the following token set listed twice (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  Token: SeDebugPrivilege  pid 5024  powershell.exe
  Token: SeDebugPrivilege  pid 2376  powershell.exe
  Token: SeDebugPrivilege  pid 3300  powershell.exe
  pid 3392  wmic.exe (18 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
Suspicious use of FindShellTrayWindow (35 IoCs)
  pid 860  msedge.exe (35 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
  pid 860  msedge.exe (12 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
  All entries: PID 860 (msedge.exe) wrote to memory of a child process.
  target 3108  procid_target 81  (2 entries)
  target 3764  procid_target 82  (repeated entries)
  target 760   procid_target 83  (2 entries)
  target 1040  procid_target 84  (repeated entries)
Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid 1144  attrib.exe
Processes

PID 860: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Cyendd/Vape-V4-CRACKED/blob/main/CRACKED-V4.exe
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  PID 3108: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc19dd3cb8,0x7ffc19dd3cc8,0x7ffc19dd3cd8

  PID 3764: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,16851059953584889126,16352068135687609589,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2

  PID 760: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,16851059953584889126,16352068135687609589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  PID 1040: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1816,16851059953584889126,16352068135687609589,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

  PID 3720: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,16851059953584889126,16352068135687609589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

  PID 3112: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,16851059953584889126,16352068135687609589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

  PID 4512: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1816,16851059953584889126,16352068135687609589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 3132: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,16851059953584889126,16352068135687609589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1

  PID 3396: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1816,16851059953584889126,16352068135687609589,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6132 /prefetch:8

  PID 1604: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,16851059953584889126,16352068135687609589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 1416: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,16851059953584889126,16352068135687609589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1

  PID 4204: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,16851059953584889126,16352068135687609589,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

  PID 3312: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1816,16851059953584889126,16352068135687609589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses

  PID 1696: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,16851059953584889126,16352068135687609589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

  PID 3400: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,16851059953584889126,16352068135687609589,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

  PID 3956: C:\Users\Admin\Downloads\CRACKED-V4.exe
    command: "C:\Users\Admin\Downloads\CRACKED-V4.exe"
    - Executes dropped EXE

    PID 3564: C:\Users\Admin\AppData\Local\Temp\RarSFX0\VAPE V4 (injector).exe
      command: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VAPE V4 (injector).exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      PID 396: C:\Windows\System32\Wbem\wmic.exe
        command: "wmic.exe" csproduct get uuid
        - Suspicious use of AdjustPrivilegeToken

      PID 1144: C:\Windows\SYSTEM32\attrib.exe
        command: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VAPE V4 (injector).exe"
        - Views/modifies file attributes

      PID 1652: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\VAPE V4 (injector).exe'

      PID 5024: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      PID 2376: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      PID 3300: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      PID 3392: C:\Windows\System32\Wbem\wmic.exe
        command: "wmic.exe" os get Caption
        - Suspicious use of AdjustPrivilegeToken

      PID 4888: C:\Windows\System32\Wbem\wmic.exe
        command: "wmic.exe" computersystem get totalphysicalmemory

      PID 3012: C:\Windows\System32\Wbem\wmic.exe
        command: "wmic.exe" csproduct get uuid

      PID 1348: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        - Suspicious behavior: EnumeratesProcesses

      PID 1476: C:\Windows\System32\Wbem\wmic.exe
        command: "wmic" path win32_VideoController get name
        - Detects videocard installed

      PID 4872: C:\Windows\SYSTEM32\cmd.exe
        command: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VAPE V4 (injector).exe" && pause

        PID 3508: C:\Windows\system32\PING.EXE
          command: ping localhost
          - Runs ping.exe

    PID 1628: C:\Users\Admin\AppData\Local\Temp\RarSFX0\VAPE V4.exe
      command: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VAPE V4.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger

PID 1444: C:\Windows\System32\CompPkgSrv.exe
  command: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 5084: C:\Windows\System32\CompPkgSrv.exe
  command: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5:    2740c93dd78962ad9f13777917f70bb3
SHA1:   a3439adc4e310594bfb88f677ba662a2165cf8f6
SHA256: 4d834bfed93709866be1efbbb76ab57a6a942d1e2106095acb3643e3a49e879b
SHA512: d0ca3a9db1a95bab1f9dc6925cd40ec545bf8cde07fbbef2a51bd18e96c7eb167799a195f62db6f38043155c9acbe2ec5b1607e0e7f76c4e069501edcc35748a

Filesize: 152B
MD5:    bc5d52992e41687fa70efc27531f778d
SHA1:   6437d388bc4423de222bc1d10c39e86360497083
SHA256: eb037bb42f7cc1e8a3c419f575089582952678145740efa9d1581e58716d7870
SHA512: b7cd86df836ae883142bee2d91a300d421b8f7887e0b768dca7025a67901a6fd92f557ef1b8313470abd4630a0f5ac261adcfe9561766f75e6f8d5cc8b8ee5e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5:    c66f9e7caca183d4780a326a225c65b3
SHA1:   ba3e4dd26b42d195cb08ae782c6a0243a0b4b813
SHA256: e5ee6f895239b967d02ef384c55ec4c28af085bb780906c2f604c3f9cdce59d6
SHA512: 0f52c18a3bd558b190e667da9c9d8e1b4ea2820cb3094727fb02d9f707ce69192686a8ef9b1acd8937066d2ccc439b5f515141ffd5588bef67c4b0afcf8ec64f

Filesize: 13KB
MD5:    0ee4a2ccbf9735c7e427829f4a8214d7
SHA1:   a81159f68380de764c9db237bb8fa39a8ccafff7
SHA256: cfc85b57ef5569c4e4731d24dedc0540ffeb70d647eb3319730de118f65f0e6a
SHA512: 8d3d3fec36d3a056aeb13e56e454abd7ef5a2ffd11df31b6390db6aa7352d5cee3dbd3105c6a9183d4068311bdfaa4e9f28e219c0be0be7ffe6d2ed2e3e2013d

Filesize: 5KB
MD5:    7672354beeca837dc514258b9fe29500
SHA1:   87eb7a7c5be5c93322efb7aa9b947e7abdc7fc61
SHA256: 25df869ce65ab467b7dff1ba6e16d72f8c9770b90c9a4b4ee254405ac4291c14
SHA512: 487f702e4a03daca95989488603a4031a22031b074957b9ae214294b597cc8ff8bf74b9c78ff9bb7c3df79adc8335d6a698896ff6ba259e2096a2334f74572fe

Filesize: 6KB
MD5:    dc0fa8769f8cfe1bbc59d6941c02cefb
SHA1:   4296d2671b2250db5cf60b593c626594fcef9eae
SHA256: 5002eb4c728e3b2a458f500cb96557aff16e493c21643a58d6941b815f88ecde
SHA512: 249b4eca740e1cc5b6824a99c4e701126a4b3b9be2bdda62f37c4bfb2ffc2f44348a575e16781f57fbd7d124ecf0ce215a01401520a2000978cf0d8dece62849

Filesize: 1KB
MD5:    b1ce4b8891b563ae68fae1420f27e2b8
SHA1:   b550b5fdc1b0c403e2fa0e300bf9ef31dd93b4da
SHA256: 841a2f6516ef63bdb1e3c2a34129b2dae05f1d32b038575329d6ed3d79bf2445
SHA512: 45bc6c672e76564a8758c8983c17fe88943e0e5be0fe22a12e71290f6e859c81df0387d21b009009940e157bd78d0f7c3c29df6bb5e99e1464cc0d2ec40c3985

Filesize: 1KB
MD5:    ddd4d0afa085420600838c912ab6b622
SHA1:   ee870345cde861539c2fd503c4c2f51d0eebae0a
SHA256: 4b87903566bdaa24cba5f29d5f82d9303587104bc7149038159adc41b9aa7bae
SHA512: 3277b7c7eb2ee2b240067898906e8af9097b315b9aa292ac1d0d41f7ecf60664ef6e216244a48847d55c900f82f76e743c8fc341d8101545ffec70f083dc0d89

Filesize: 16B
MD5:    46295cac801e5d4857d09837238a6394
SHA1:   44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 16B
MD5:    206702161f94c5cd39fadd03f4014d98
SHA1:   bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 11KB
MD5:    996d9c5cfd14b9914d57e3600f0e23c6
SHA1:   1970e1481960a5d511dc7a4b157e7350d6081f11
SHA256: 8251e2de9470f708a246b72c4b928b3e3d8341203c526f04eb0d84711dbc5a78
SHA512: edf1b143b45ee80e56bff2ec0bc0943ac7a837c0e304715544e8c6bbbae1c108841a7c4d1811fef5432078d573f3549afb0b08aee78e68b25b8c2918532f3d36

Filesize: 11KB
MD5:    efdc66889d8f4d5591bc009ed68a13b8
SHA1:   6444edd89982ceb4594673b31483c727c915b994
SHA256: 9fbded4d03fd4f18ce1fa04973c636c1fbf5cadac11ae8b817577127fba5fd26
SHA512: 41dda25c708f5e1269f3676d3b8a1e126392ece18ed8d239793ad010d58091a17f0f1bb86feed29e5ac489087ae3a5c28ec84bf75fc16c64e5daef605fcfcd76

Filesize: 11KB
MD5:    6ed7c3661bf1adbb13ac6ee97b81bf98
SHA1:   a0059f71c1bfbab6904042e80cbdd1ec68dedf5c
SHA256: 9ced5b524a9d476662385170c33514103a9e97cc5670fdfff37c9f5094410cb3
SHA512: e56672f5799e132f87598039cc6f11908ffd719f7b974e5b116038c61d9d003937ad8fef37bb5d3630aeab8be2fc53aa16865e53320dc75848185f341171014b

Filesize: 948B
MD5:    fa21dd50b4e64421076f843031c8ccf7
SHA1:   2c56e94f130c0d8d77116e939ffee4e37cf982bd
SHA256: e4f21aca1e12aafa8de7af24b79a75526e902c7d4b3fea5bdb6e723976997be3
SHA512: b8de2bfeb7af06c587dd1f424d410cf83471f31a55a3ea4c4481ce07ffd9bf66ddc1f7775ecd6ac65ac33baaec90ba5a208a9aefc84f31125a50dfb919982687

Filesize: 1KB
MD5:    57083a8e45ebe4fd84c7c0f137ec3e21
SHA1:   857b5ea57f7bcf03cadee122106c6e58792a9b84
SHA256: f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40
SHA512: 4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Filesize: 1KB
MD5:    6954f218ba4c7d0fe9cbf31e88fe3a69
SHA1:   f6f26b65a7892fdcd1372dedbbb1a7fdd2b1db88
SHA256: b33cf6e9bb2ceccfb71165bcb40fa340fde43da503d3a4443d03aeddf28832e4
SHA512: e7f2aec7ef1cb35c37c8fd0d3d012a66c8aaaefc92c7975fb5597760730c9909dac76961aea6b19844863e90f992b9936efd6cf519fbc971668a86f34c1d0744

Filesize: 227KB
MD5:    d44a9b5d00eacfcba7fe044612e54200
SHA1:   58f1aa0e81b20d554da64153dcdc98358c9267c1
SHA256: 861212e4344c1b2380b5ae1a431a0b5bb97797bc4e83f11c93adcea87e6bce12
SHA512: 0e02f8e7a0de05f66446f3880f836a7304c3ed51be0f8b68293761e8abaea388206d8e786b16f25d15625490b55b89bdc4edeae96cd3a54796d048d16d7b4ff9

Filesize: 11.8MB
MD5:    4c015c3972db24a77316c56cd01c5468
SHA1:   38a0ac1bb0cae3db263ea1212fe90165de2d726b
SHA256: 320e63d3a2f70fdf24db8e00c4811fe4b78e896946d99df6aeca1756bb986f99
SHA512: 4aba6313bd4634306024f2e0510efd14facfa8224ba835ead5f42f69a6af62a0c4f734a3a4a9362b0e5cfc76f512fd1ab4a2a1bc4c83c9abc2f1e5124072992e

Filesize: 60B
MD5:    d17fe0a3f47be24a6453e9ef58c94641
SHA1:   6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 26B
MD5:    fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1:   d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Filesize: 9.4MB
MD5:    8f595faff0637bebf700d5da2c87f733
SHA1:   d55ed72bdc723ace2b3822e31877bd5e83cafc04
SHA256: fe63b60aba71f6effea1029b2b46423c666170e1ab947c11a9f2c60c037d1f46
SHA512: c7898ab2cbf4043537c938b96e5f75c7fbf1984cad6e5f2dab94bbfdfef2ef010a2a5e06cd625683b19747c5c4668fb26c35d8b2dfdef427c4642e7120ae5133

Filesize: 2KB
MD5:    4028457913f9d08b06137643fe3e01bc
SHA1:   a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256: 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512: c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b