hxxps://drive[.]google[.]com/file/d/1G3uEob7FIbbQO4DVN04hHJxWYNmJqPxn/view?pli=1

Analysis

max time kernel
287s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1G3uEob7FIbbQO4DVN04hHJxWYNmJqPxn/view?pli=1

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
2	drive.google.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3136	NOTEPAD.EXE

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
2912	PING.EXE
4948	PING.EXE
980	PING.EXE
3116	PING.EXE
2536	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1224	msedge.exe
1224	msedge.exe
4824	msedge.exe
4824	msedge.exe
1692	identity_helper.exe
1692	identity_helper.exe
2424	msedge.exe
2424	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2700	7zG.exe
Token: 35	2700	7zG.exe
Token: SeSecurityPrivilege	2700	7zG.exe
Token: SeSecurityPrivilege	2700	7zG.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
2700	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 1364	4824	msedge.exe	83
PID 4824 wrote to memory of 1364	4824	msedge.exe	83
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 4068	4824	msedge.exe	86
PID 4824 wrote to memory of 1224	4824	msedge.exe	87
PID 4824 wrote to memory of 1224	4824	msedge.exe	87
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88
PID 4824 wrote to memory of 2696	4824	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1G3uEob7FIbbQO4DVN04hHJxWYNmJqPxn/view?pli=1
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffac95846f8,0x7ffac9584708,0x7ffac9584718
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3836 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14204654499887179589,16725994173993346240,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\manthemomento\manthestupid\bapeclient.bat" "
1⤵
PID:2632
- C:\Windows\system32\mode.com
  mode 55, 9
  2⤵
  PID:1940
- C:\Windows\system32\PING.EXE
  ping localhost -n 5.5
  2⤵
  - Runs ping.exe
  PID:2912
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java --add-opens java.base/java.lang=ALL-UNNAMED -jar vape-loader.jar
  2⤵
  PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\manthemomento\manthestupid\bapeclient.bat" "
1⤵
PID:3516
- C:\Windows\system32\mode.com
  mode 55, 9
  2⤵
  PID:1536
- C:\Windows\system32\PING.EXE
  ping localhost -n 5.5
  2⤵
  - Runs ping.exe
  PID:4948
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java --add-opens java.base/java.lang=ALL-UNNAMED -jar vape-loader.jar
  2⤵
  PID:4424

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\manthemomento\manthestupid\vape-loader.jar"
1⤵
PID:4148

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\manthemomento\manthestupid\bapeclient.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\manthemomento\manthestupid\bapeclient.bat" "
1⤵
PID:5072
- C:\Windows\system32\mode.com
  mode 55, 9
  2⤵
  PID:2528
- C:\Windows\system32\PING.EXE
  ping localhost -n 5.5
  2⤵
  - Runs ping.exe
  PID:980
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java --add-opens java.base/java.lang=ALL-UNNAMED -jar vape-loader.jar
  2⤵
  PID:1388

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap16471:50:7zEvent12443 -t7z -sae -- "C:\Users\Admin\Pictures.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\manthemomento\manthestupid\bapeclient.bat" "
1⤵
PID:2544
- C:\Windows\system32\mode.com
  mode 55, 9
  2⤵
  PID:3144
- C:\Windows\system32\PING.EXE
  ping localhost -n 5.5
  2⤵
  - Runs ping.exe
  PID:3116
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java --add-opens java.base/java.lang=ALL-UNNAMED -jar vape-loader.jar
  2⤵
  PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\manthemomento\manthestupid\bapeclient.bat" "
1⤵
PID:3672
- C:\Windows\system32\mode.com
  mode 55, 9
  2⤵
  PID:4864
- C:\Windows\system32\PING.EXE
  ping localhost -n 5.5
  2⤵
  - Runs ping.exe
  PID:2536
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java --add-opens java.base/java.lang=ALL-UNNAMED -jar vape-loader.jar
  2⤵
  PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
75c9f57baeefeecd6c184627de951c1e

SHA1
52e0468e13cbfc9f15fc62cc27ce14367a996cff

SHA256
648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

SHA512
c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
10fa19df148444a77ceec60cabd2ce21

SHA1
685b599c497668166ede4945d8885d204fd8d70f

SHA256
c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

SHA512
3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
abaa3372e0bc73b0627a168b74f2d758

SHA1
de49747cad035ecc5857ef26ed4d493b9ab457cd

SHA256
0ebe26ca2139c641f074a1097d2512636e05036b91ca849e73217b29054a2fa3

SHA512
7701d1702e8c770afe99a1c49e54a53d45916f81be56254b8a9b63812114189d55d9f4c26a811698d3a2961bb34e2b981baf1953f2a70de692f9a91115069150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
05a3ac659edcb781c57f8d7df275a50c

SHA1
e60f22ea10aee480f2a49800f9bf9af69272db60

SHA256
216db348aaf0f455d0db65aa8ac4b294ad7dd622057170e7300d327dd25fcd3d

SHA512
2bdb119746a69cd31dcd18a5720eba7d41dc1ff16a82557c8b6c71587e11ef93ce50cba88892af24d127552258f56d90e9d405aa66c97fd31d22ca508b6b61e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
2cc47d6b33f85fe429551749627ed5db

SHA1
a4f2d7380a3290490c1f769f801d54014a103d14

SHA256
fb305da506e85b9b5675fdde97193aeba9e589fc7839195182685535496482bd

SHA512
004792c3af4d5187565b42f82d75b1ee7df5b961ddacdfdee30834134c02cd3ef98284ecf46ff726972096ee51a1bd282d5acf3d59fa8962d51fb779da8cc38f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
aa83901ada8f3dbf760023b9f5732776

SHA1
99a154cd724d64ce2972683f87b2af57a058587f

SHA256
23df23e10ff7786074b138ef8f848f0a712ab0e47433a969f74327bc0150c3f3

SHA512
5cbcdaa0af5ada0a489f301fad396e7ae7463b2606b8fde9087270045004715b00547a52367d2b55da781a1aeef503aa9ea5296dee64232c04bd18055a748739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
1a9495a24bfdce61c69604436fa6ba03

SHA1
eb5b68fad11619f1a39fed903e1a6776ad363d57

SHA256
6fa558e1ca33f551eec27d9e93d22fef86c74a5dde0c8ec822479cff408e7f2c

SHA512
e2f794e4fd3a51717cadaea5605f0740de2e3c9c460f1d281c22f4a63c075d8afd88bb01355e666b6200889c68e1739d4fc56bf056ade30db58fb8eb6580e037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7532857c1364c66c75ab1a09f1a55c2c

SHA1
db1668c1658580cf72842f9466d4f38fd8bc669c

SHA256
0412793f49f3e1c8fdca6c0b702e1d1109f8c298ebdf3c6cb3d9f166562f19d8

SHA512
3b7a9316300af43d72a24378fde8c7075d1389cb50e30734314e0a9bf7190f266a7bb8d46c592c28f5b189533d0403db22790759c871e24c902fb5b2dba1edf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
eceb920d744fd7965b11e92ac2c4adde

SHA1
bfc01e968d85ea38fd9e8430dc095d0f763c517f

SHA256
380fae3646ffd8a175138170b2934b58514dfd43469f4a68749422d15fa08e48

SHA512
46e82e3483268c4cff991a23d270862e0cfd1f1e851e79f8c283ca21384167ef4285093f17e82c6e7b68a9e8cc84152ec228fa15812b06e30ee4c26437db9cd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e60dbc6bbe96931d199813418345093d

SHA1
4a7e90f84b4be20b21f9ad55e457fffe9a8cc1b2

SHA256
29d74a0c2facee6a5acd8b8ed88cb2dee9b2919c57fae638c9d17840fa4debc4

SHA512
8096b91d182923a15a8f27b854ac3717c2f6890ab7d12ebf37645d182542311b9ad6bb38e5e4ba451852fec7bf728dcc2ced45df1a4a97f591ebb2d06ce7ba81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7a03619256799889fc3578e6d48f8e9a

SHA1
e37b306f1518b18dd2d599c09eace413476336ab

SHA256
bf568a7c38b1d11fdaf4a5ba81ce09638069a68709492f5e03dc8d80b5dab664

SHA512
17c5f2a87fa4746418d4e6277787ee31b9df09377288f85f96952be61b547e59038815c3b1815e3e429f534b1bc43939285297cfe80e77631d73eacda5c55ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0e3b8d3fc399dd6be3ffeb956957f3d7

SHA1
1c5cedf43259f603fb1d2e798a4d7b067e7b8ccc

SHA256
4176c9f8b40513536f50847ae3038c964852714e2738bac55c766d5fbbf31f70

SHA512
1735eb99d3cbbff022eb65163eee81e6e7d7b639c129b0a6016252133f7bc5f64a0c30c588dc7b6632b265d49ac1aa33a316b29cc7191d1cd16e369fbdbbce5d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 881799.crdownload

Filesize
18.1MB

MD5
42148da5ee1b09841d6a6d6da5f6aa3e

SHA1
e11c285c08bc6e3632872ddc42db72366ac95131

SHA256
3ac382ea73d8e1c8f64fcb151e293fb86d937fe1caf06cd9b7335e587b1f9c1b

SHA512
78b85340ba7b65112d7ba158e626470ff2e06ebbf72ad1baf1b7355803a77cdb90982dbb50e05f00f226dde033ff3d92343eb7740cc5da20c1da5177dd8cecb0

Download Submit
C:\Users\Admin\Downloads\manthemomento\manthestupid\bapeclient.bat

Filesize
211B

MD5
fd5063488d911d36e5e4474a1d2907ec

SHA1
dfd6411105b4fab83f8b6453c0c1e8af0cbc1dc7

SHA256
e789829406e29f95b8908c6b52991792f7e15c72d4c8a0b718d078a11a0c395f

SHA512
24874af56dcd7558c5826e3bc26692d11017aa1d4b44d54d758790d49fa7052a9a37ddb0ae5d80e3e4dd38351ffd3414841345a5cdbddbbb92817c5c946216fc

Download Submit
memory/4148-205-0x000001CD6C960000-0x000001CD6C961000-memory.dmp

Filesize
4KB

Download
memory/4148-207-0x000001CD6C960000-0x000001CD6C961000-memory.dmp

Filesize
4KB

Download