revengerat | acd190c809175cd9bf218d8a748f497842c1de97631a0b83a89dca2af514d6a5

Analysis

max time kernel
300s
max time network
303s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
10/05/2024, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vape Launcher.exe
Size

60.0MB
MD5

ec5e97f0f1bae61fbe6f957d8f7a07a5
SHA1

72004698b16a8cc0edee3f4c726eafde096740dc
SHA256

acd190c809175cd9bf218d8a748f497842c1de97631a0b83a89dca2af514d6a5
SHA512

8e7352293615f4c0d27e496038930c548afecdd8ebc0b357c0ace22fb42c515d12c452253545a6313d1137f3f51c8049ea84a32264600326aed637a4d0be72ae
SSDEEP

1572864:6HNfIc/bDS7YL3iUqekIR681ttq+NDVK3ZiFx4mdSG:6Zzz+7stopJwCmIG

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000700000002a9cd-7.dat	revengerat

Executes dropped EXE 64 IoCs

pid	Process
3060	sv.exe
1456	sv.exe
2176	sv.exe
3636	sv.exe
2232	sv.exe
3920	sv.exe
980	sv.exe
492	sv.exe
3368	sv.exe
2968	sv.exe
1080	sv.exe
2868	sv.exe
4764	sv.exe
4596	sv.exe
1136	sv.exe
2700	sv.exe
4952	sv.exe
2736	sv.exe
388	sv.exe
1636	sv.exe
2896	sv.exe
564	sv.exe
2904	sv.exe
2412	sv.exe
4448	sv.exe
2108	sv.exe
4320	sv.exe
2592	sv.exe
2676	sv.exe
1644	sv.exe
3440	sv.exe
2916	sv.exe
2364	sv.exe
944	sv.exe
5052	sv.exe
4832	sv.exe
2312	sv.exe
3288	sv.exe
4008	sv.exe
1268	sv.exe
3488	sv.exe
2304	sv.exe
4388	sv.exe
1068	sv.exe
2504	sv.exe
3060	sv.exe
3232	sv.exe
2112	sv.exe
1208	sv.exe
1936	sv.exe
4196	sv.exe
1832	sv.exe
2712	sv.exe
2028	sv.exe
3596	sv.exe
4940	sv.exe
1228	sv.exe
3472	sv.exe
4864	sv.exe
2784	sv.exe
2664	sv.exe
5036	sv.exe
1584	sv.exe
3708	sv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	sv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	sv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	sv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sv.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings	sv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	sv.exe
Token: SeDebugPrivilege	1456	sv.exe
Token: SeDebugPrivilege	2176	sv.exe
Token: SeDebugPrivilege	3636	sv.exe
Token: SeDebugPrivilege	2232	sv.exe
Token: SeDebugPrivilege	3920	sv.exe
Token: SeDebugPrivilege	980	sv.exe
Token: SeDebugPrivilege	492	sv.exe
Token: SeDebugPrivilege	3368	sv.exe
Token: SeDebugPrivilege	2968	sv.exe
Token: SeDebugPrivilege	1080	sv.exe
Token: SeDebugPrivilege	2868	sv.exe
Token: SeDebugPrivilege	4764	sv.exe
Token: SeDebugPrivilege	4596	sv.exe
Token: SeDebugPrivilege	1136	sv.exe
Token: SeDebugPrivilege	2700	sv.exe
Token: SeDebugPrivilege	4952	sv.exe
Token: SeDebugPrivilege	2736	sv.exe
Token: SeDebugPrivilege	388	sv.exe
Token: SeDebugPrivilege	1636	sv.exe
Token: SeDebugPrivilege	2896	sv.exe
Token: SeDebugPrivilege	564	sv.exe
Token: SeDebugPrivilege	2904	sv.exe
Token: SeDebugPrivilege	2412	sv.exe
Token: SeDebugPrivilege	4448	sv.exe
Token: SeDebugPrivilege	2108	sv.exe
Token: SeDebugPrivilege	4320	sv.exe
Token: SeDebugPrivilege	2592	sv.exe
Token: SeDebugPrivilege	2676	sv.exe
Token: SeDebugPrivilege	1644	sv.exe
Token: SeDebugPrivilege	3440	sv.exe
Token: SeDebugPrivilege	2916	sv.exe
Token: SeDebugPrivilege	2364	sv.exe
Token: SeDebugPrivilege	944	sv.exe
Token: SeDebugPrivilege	5052	sv.exe
Token: SeDebugPrivilege	4832	sv.exe
Token: SeDebugPrivilege	2312	sv.exe
Token: SeDebugPrivilege	3288	sv.exe
Token: SeDebugPrivilege	4008	sv.exe
Token: SeDebugPrivilege	1268	sv.exe
Token: SeDebugPrivilege	3488	sv.exe
Token: SeDebugPrivilege	2304	sv.exe
Token: SeDebugPrivilege	4388	sv.exe
Token: SeDebugPrivilege	1068	sv.exe
Token: SeDebugPrivilege	2504	sv.exe
Token: SeDebugPrivilege	3060	sv.exe
Token: SeDebugPrivilege	3232	sv.exe
Token: SeDebugPrivilege	2112	sv.exe
Token: SeDebugPrivilege	1208	sv.exe
Token: SeDebugPrivilege	1936	sv.exe
Token: SeDebugPrivilege	4196	sv.exe
Token: SeDebugPrivilege	1832	sv.exe
Token: SeDebugPrivilege	2712	sv.exe
Token: SeDebugPrivilege	2028	sv.exe
Token: SeDebugPrivilege	3596	sv.exe
Token: SeDebugPrivilege	4940	sv.exe
Token: SeDebugPrivilege	1228	sv.exe
Token: SeDebugPrivilege	3472	sv.exe
Token: SeDebugPrivilege	4864	sv.exe
Token: SeDebugPrivilege	2784	sv.exe
Token: SeDebugPrivilege	2664	sv.exe
Token: SeDebugPrivilege	5036	sv.exe
Token: SeDebugPrivilege	1584	sv.exe
Token: SeDebugPrivilege	3708	sv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 3988	1228	Vape Launcher.exe	77
PID 1228 wrote to memory of 3988	1228	Vape Launcher.exe	77
PID 1228 wrote to memory of 3060	1228	Vape Launcher.exe	78
PID 1228 wrote to memory of 3060	1228	Vape Launcher.exe	78
PID 3988 wrote to memory of 1960	3988	Vape Launcher.exe	79
PID 3988 wrote to memory of 1960	3988	Vape Launcher.exe	79
PID 3988 wrote to memory of 1456	3988	Vape Launcher.exe	80
PID 3988 wrote to memory of 1456	3988	Vape Launcher.exe	80
PID 1960 wrote to memory of 4996	1960	Vape Launcher.exe	82
PID 1960 wrote to memory of 4996	1960	Vape Launcher.exe	82
PID 1960 wrote to memory of 2176	1960	Vape Launcher.exe	83
PID 1960 wrote to memory of 2176	1960	Vape Launcher.exe	83
PID 4996 wrote to memory of 1660	4996	Vape Launcher.exe	84
PID 4996 wrote to memory of 1660	4996	Vape Launcher.exe	84
PID 4996 wrote to memory of 3636	4996	Vape Launcher.exe	85
PID 4996 wrote to memory of 3636	4996	Vape Launcher.exe	85
PID 1660 wrote to memory of 3568	1660	Vape Launcher.exe	86
PID 1660 wrote to memory of 3568	1660	Vape Launcher.exe	86
PID 1660 wrote to memory of 2232	1660	Vape Launcher.exe	87
PID 1660 wrote to memory of 2232	1660	Vape Launcher.exe	87
PID 3568 wrote to memory of 3564	3568	Vape Launcher.exe	88
PID 3568 wrote to memory of 3564	3568	Vape Launcher.exe	88
PID 3568 wrote to memory of 3920	3568	Vape Launcher.exe	89
PID 3568 wrote to memory of 3920	3568	Vape Launcher.exe	89
PID 3564 wrote to memory of 2812	3564	Vape Launcher.exe	90
PID 3564 wrote to memory of 2812	3564	Vape Launcher.exe	90
PID 3564 wrote to memory of 980	3564	Vape Launcher.exe	91
PID 3564 wrote to memory of 980	3564	Vape Launcher.exe	91
PID 2812 wrote to memory of 2392	2812	Vape Launcher.exe	92
PID 2812 wrote to memory of 2392	2812	Vape Launcher.exe	92
PID 2812 wrote to memory of 492	2812	Vape Launcher.exe	93
PID 2812 wrote to memory of 492	2812	Vape Launcher.exe	93
PID 2392 wrote to memory of 3084	2392	Vape Launcher.exe	94
PID 2392 wrote to memory of 3084	2392	Vape Launcher.exe	94
PID 2392 wrote to memory of 3368	2392	Vape Launcher.exe	95
PID 2392 wrote to memory of 3368	2392	Vape Launcher.exe	95
PID 3084 wrote to memory of 3064	3084	Vape Launcher.exe	96
PID 3084 wrote to memory of 3064	3084	Vape Launcher.exe	96
PID 3084 wrote to memory of 2968	3084	Vape Launcher.exe	97
PID 3084 wrote to memory of 2968	3084	Vape Launcher.exe	97
PID 3064 wrote to memory of 1268	3064	Vape Launcher.exe	98
PID 3064 wrote to memory of 1268	3064	Vape Launcher.exe	98
PID 3064 wrote to memory of 1080	3064	Vape Launcher.exe	99
PID 3064 wrote to memory of 1080	3064	Vape Launcher.exe	99
PID 1268 wrote to memory of 3488	1268	Vape Launcher.exe	100
PID 1268 wrote to memory of 3488	1268	Vape Launcher.exe	100
PID 1268 wrote to memory of 2868	1268	Vape Launcher.exe	101
PID 1268 wrote to memory of 2868	1268	Vape Launcher.exe	101
PID 3488 wrote to memory of 1984	3488	Vape Launcher.exe	102
PID 3488 wrote to memory of 1984	3488	Vape Launcher.exe	102
PID 3488 wrote to memory of 4764	3488	Vape Launcher.exe	103
PID 3488 wrote to memory of 4764	3488	Vape Launcher.exe	103
PID 1984 wrote to memory of 4708	1984	Vape Launcher.exe	104
PID 1984 wrote to memory of 4708	1984	Vape Launcher.exe	104
PID 1984 wrote to memory of 4596	1984	Vape Launcher.exe	105
PID 1984 wrote to memory of 4596	1984	Vape Launcher.exe	105
PID 4708 wrote to memory of 2268	4708	Vape Launcher.exe	106
PID 4708 wrote to memory of 2268	4708	Vape Launcher.exe	106
PID 4708 wrote to memory of 1136	4708	Vape Launcher.exe	107
PID 4708 wrote to memory of 1136	4708	Vape Launcher.exe	107
PID 2268 wrote to memory of 4728	2268	Vape Launcher.exe	108
PID 2268 wrote to memory of 4728	2268	Vape Launcher.exe	108
PID 2268 wrote to memory of 2700	2268	Vape Launcher.exe	109
PID 2268 wrote to memory of 2700	2268	Vape Launcher.exe	109

C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        17⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        18⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        19⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        20⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        21⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        22⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        23⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        24⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        25⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        26⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        27⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        28⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        29⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        30⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        31⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        32⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        33⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        34⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        35⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        36⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        37⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        38⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        39⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        40⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        41⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        42⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        43⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        44⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        45⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        46⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        47⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        48⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        49⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        50⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        51⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        52⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        53⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        54⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        55⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        56⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        57⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        58⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        59⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        60⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        61⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        62⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        63⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        64⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        65⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        66⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        67⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        68⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        69⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        70⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        71⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        72⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        73⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        74⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        75⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        76⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        77⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        78⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        79⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        80⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        81⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        82⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        83⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        84⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        85⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        86⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        87⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        88⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        89⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        90⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        91⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        92⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        93⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        94⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        95⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        96⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        97⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        98⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        99⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        100⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        101⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        102⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        103⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        104⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
        105⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        105⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        104⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        103⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        102⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        101⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        100⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        99⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        98⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        97⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        96⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        95⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        94⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        93⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        92⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        91⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        90⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        89⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        88⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        87⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        86⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        85⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        84⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        83⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        82⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        81⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        80⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        79⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        78⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        77⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        76⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        75⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        74⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        73⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        72⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        71⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        70⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        69⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        68⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        67⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        66⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        24⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        17⤵
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lSvTTgZ.vbs"
        18⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
      - C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Users\Admin\AppData\Local\Temp\sv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\sv.exe
      "C:\Users\Admin\AppData\Local\Temp\sv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2176
- - C:\Users\Admin\AppData\Local\Temp\sv.exe
    "C:\Users\Admin\AppData\Local\Temp\sv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- C:\Users\Admin\AppData\Local\Temp\sv.exe
  "C:\Users\Admin\AppData\Local\Temp\sv.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\sv.exe.log

Filesize
506B

MD5
abf97361b20fc7cecc5de4205d22e043

SHA1
01a7f39e21269316d200b113c49fa09b9d87876f

SHA256
86862fcccd9c25089a6f0cec23b80d8449f18719ab21670b50fd0f344dc0e498

SHA512
7b8e85a68530d88ee6d8c86393bc22811b3da36db2b33470aa6772c5ee82c5f435a841f955582b258f044a34b92543b3f30d47411512129f1311768aee8b2e27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Vape Launcher.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lSvTTgZ.vbs

Filesize
139B

MD5
c19921eac3b7b5d17ce20c094fb42be9

SHA1
30f5ebb901f08389237db821be8b1ed3348ad4af

SHA256
dfb67cb2ebd7fba8a269be2a068b09a514e74ce239aa51e7f4e7b06a6bcefd73

SHA512
06eac2a9278ac3d539c3b3beb3885197d0ab572e0aed89b1d00f9415a0d42fa7395ec4d76e1fca621459518be341d8a05d9f35d9cb205a92814c8313cc8b1490

Download Submit
C:\Users\Admin\AppData\Local\Temp\sv.exe

Filesize
18KB

MD5
7e6352c2f7cc93e93e330c120b82bb79

SHA1
c942c108f43423252fe9c00dc4419aae6a66dc62

SHA256
b029aa8cd18490c8de27db80f834046208cf4369f661ac08da8228f04d7bc7af

SHA512
9f7d9d3c3860c8a4fb511993dfc0270b9839d240f2f8ab8b64f6a1228bda4d9f4aeb69d6e8534df6e499c7fbb1c51cea2a0ea115771499d60c58ce9c797af140

Download Submit
memory/1228-0-0x00007FFE180D3000-0x00007FFE180D5000-memory.dmp

Filesize
8KB

Download
memory/1228-1-0x0000000000660000-0x000000000426A000-memory.dmp

Filesize
60.0MB

Download
memory/1228-2-0x00007FFE180D0000-0x00007FFE18B92000-memory.dmp

Filesize
10.8MB

Download
memory/1228-17-0x00007FFE180D0000-0x00007FFE18B92000-memory.dmp

Filesize
10.8MB

Download
memory/3060-21-0x00007FFE14A20000-0x00007FFE153C1000-memory.dmp

Filesize
9.6MB

Download
memory/3060-20-0x000000001B870000-0x000000001B916000-memory.dmp

Filesize
664KB

Download
memory/3060-19-0x000000001BE90000-0x000000001C35E000-memory.dmp

Filesize
4.8MB

Download
memory/3060-22-0x000000001C3D0000-0x000000001C432000-memory.dmp

Filesize
392KB

Download
memory/3060-18-0x00007FFE14A20000-0x00007FFE153C1000-memory.dmp

Filesize
9.6MB

Download
memory/3060-16-0x00007FFE14CD5000-0x00007FFE14CD6000-memory.dmp

Filesize
4KB

Download
memory/3060-35-0x00007FFE14CD5000-0x00007FFE14CD6000-memory.dmp

Filesize
4KB

Download
memory/3060-36-0x00007FFE14A20000-0x00007FFE153C1000-memory.dmp

Filesize
9.6MB

Download
memory/3060-43-0x000000001CBC0000-0x000000001CBCC000-memory.dmp

Filesize
48KB

Download
memory/3060-44-0x00007FFE14A20000-0x00007FFE153C1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-25-0x00007FFE180D0000-0x00007FFE18B92000-memory.dmp

Filesize
10.8MB

Download
memory/3988-15-0x00007FFE180D0000-0x00007FFE18B92000-memory.dmp

Filesize
10.8MB

Download