Create Interactive Tour

Windows Analysis Report Vape V4.exe

Overview

General Information

Sample Name:	Vape V4.exe
Analysis ID:	446551
MD5:	919b60c62ed64aa128f5a73f4c1a4b4f
SHA1:	23178189e308ca9e814caa2cad4ddf472e726b3f
SHA256:	050e1b254473b7bbb2214fe09aa93f2dc01793331106edb7f03fc834ca0a6b17
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

May check the online IP address of the machine

Tries to harvest and steal browser information (history, passwords, etc)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

Vape V4.exe (PID: 3588 cmdline: 'C:\Users\user\Desktop\Vape V4.exe' MD5: 919B60C62ED64AA128F5A73F4C1A4B4F)

conhost.exe (PID: 772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

• AV Detection
• Cryptography
• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Vape V4.exe

Virustotal: Detection: 52%

Perma Link

Machine Learning detection for sample

Show sources

Source: Vape V4.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\Vape V4.exe

Code function: 0_2_00007FFD03DB55FE CryptUnprotectData,

0_2_00007FFD03DB55FE

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Vape V4.exe

Unpacked PE file: 0.2.Vape V4.exe.920000.0.unpack

Source: Vape V4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.6:49712 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.6:49715 version: TLS 1.0

Source: Vape V4.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Vape V4.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\a0f6e3585453700574fc42ba3653c021\System.Net.Http.ni.dll	Jump to behavior

Networking:

May check the online IP address of the machine

Show sources

Source: C:\Users\user\Desktop\Vape V4.exe

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET //json/185.189.150.70 HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.6:49712 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.6:49715 version: TLS 1.0

Source: global traffic

HTTP traffic detected: GET //json/185.189.150.70 HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Vape V4.exe, 00000000.00000002.340107974.0000000002D4D000.00000004.00000001.sdmp

String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java

Source: unknown

DNS traffic detected: queries for: ip4.seeip.org

Source: Vape V4.exe, 00000000.00000002.342598455.000000001CE36000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Vape V4.exe, 00000000.00000002.342637238.000000001CE5C000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: Vape V4.exe, 00000000.00000002.342598455.000000001CE36000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: Vape V4.exe, 00000000.00000002.342598455.000000001CE36000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Vape V4.exe, 00000000.00000002.342598455.000000001CE36000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Vape V4.exe, 00000000.00000002.342637238.000000001CE5C000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: Vape V4.exe, 00000000.00000002.342637238.000000001CE5C000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: Vape V4.exe, 00000000.00000002.342637238.000000001CE5C000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0
Source: Vape V4.exe, 00000000.00000002.340016164.0000000002CCA000.00000004.00000001.sdmp	String found in binary or memory: http://discord.com
Source: Vape V4.exe, 00000000.00000002.340107974.0000000002D4D000.00000004.00000001.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: Vape V4.exe, 00000000.00000002.340107974.0000000002D4D000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: Vape V4.exe, 00000000.00000002.340002387.0000000002CBD000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com
Source: Vape V4.exe	String found in binary or memory: http://ip-api.com//json/
Source: Vape V4.exe, 00000000.00000002.340002387.0000000002CBD000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com//json/185.189.150.70
Source: Vape V4.exe, 00000000.00000002.339941452.0000000002C8D000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.comx
Source: Vape V4.exe, 00000000.00000002.339941452.0000000002C8D000.00000004.00000001.sdmp	String found in binary or memory: http://ip4.seeip.org
Source: Vape V4.exe, 00000000.00000002.342637238.000000001CE5C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Vape V4.exe, 00000000.00000002.342637238.000000001CE5C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: Vape V4.exe, 00000000.00000002.342598455.000000001CE36000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/05
Source: Vape V4.exe, 00000000.00000002.342598455.000000001CE36000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: Vape V4.exe, 00000000.00000002.339888213.0000000002C6D000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Vape V4.exe, 00000000.00000002.342637238.000000001CE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: Vape V4.exe, 00000000.00000002.342598455.000000001CE36000.00000004.00000001.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Vape V4.exe, 00000000.00000002.342598455.000000001CE36000.00000004.00000001.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Vape V4.exe, 00000000.00000002.340413623.0000000002E1D000.00000004.00000001.sdmp, ConDrv.0.dr	String found in binary or memory: https://cdn.discordapp.com/attachments/862767080863825960/863108516360224798/cookies.txt
Source: Vape V4.exe, 00000000.00000002.340488506.0000000002E3A000.00000004.00000001.sdmp, ConDrv.0.dr	String found in binary or memory: https://cdn.discordapp.com/attachments/862767080863825960/863108517850644510/passwords.txt
Source: Vape V4.exe, 00000000.00000002.340532085.0000000002E5C000.00000004.00000001.sdmp, ConDrv.0.dr	String found in binary or memory: https://cdn.discordapp.com/attachments/862767080863825960/863108523587010580/Capture.jpg
Source: Vape V4.exe	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: Vape V4.exe, 00000000.00000002.340016164.0000000002CCA000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com
Source: Vape V4.exe	String found in binary or memory: https://discord.com/api/webhooks/862771572149452831/hGF9A-X9hSG2aExNZSxudLpNfdOjsCsmApFTkce0kxTUQT30
Source: Vape V4.exe, 00000000.00000002.340413623.0000000002E1D000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com8
Source: Vape V4.exe, 00000000.00000002.340016164.0000000002CCA000.00000004.00000001.sdmp	String found in binary or memory: https://discord.comx
Source: Vape V4.exe	String found in binary or memory: https://discordapp.com/api/v8/users/
Source: Vape V4.exe	String found in binary or memory: https://i.imgur.com/vgxBhmx.png
Source: Vape V4.exe, 00000000.00000002.340413623.0000000002E1D000.00000004.00000001.sdmp	String found in binary or memory: https://i.imgur.com/vgxBhmx.pngultipart/form-data
Source: Vape V4.exe	String found in binary or memory: https://ip4.seeip.org
Source: Vape V4.exe, 00000000.00000002.339888213.0000000002C6D000.00000004.00000001.sdmp	String found in binary or memory: https://ip4.seeip.org/
Source: Vape V4.exe, 00000000.00000002.339888213.0000000002C6D000.00000004.00000001.sdmp	String found in binary or memory: https://ip4.seeip.orgx
Source: Vape V4.exe, 00000000.00000002.340413623.0000000002E1D000.00000004.00000001.sdmp, ConDrv.0.dr	String found in binary or memory: https://media.discordapp.net/attachments/862767080863825960/863108516360224798/cookies.txt
Source: Vape V4.exe, 00000000.00000002.340488506.0000000002E3A000.00000004.00000001.sdmp, ConDrv.0.dr	String found in binary or memory: https://media.discordapp.net/attachments/862767080863825960/863108517850644510/passwords.txt
Source: Vape V4.exe, 00000000.00000002.340532085.0000000002E5C000.00000004.00000001.sdmp, ConDrv.0.dr	String found in binary or memory: https://media.discordapp.net/attachments/862767080863825960/863108523587010580/Capture.jpg
Source: Vape V4.exe, 00000000.00000002.340094282.0000000002D43000.00000004.00000001.sdmp, Vape V4.exe, 00000000.00000002.339986089.0000000002CB4000.00000004.00000001.sdmp, Vape V4.exe, 00000000.00000002.339941452.0000000002C8D000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: Vape V4.exe, 00000000.00000002.340107974.0000000002D4D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: Vape V4.exe, 00000000.00000002.340107974.0000000002D4D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: Vape V4.exe, 00000000.00000002.340107974.0000000002D4D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: Vape V4.exe, 00000000.00000002.340107974.0000000002D4D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: Vape V4.exe	String found in binary or memory: https://www.countryflags.io/
Source: Vape V4.exe, 00000000.00000002.340016164.0000000002CCA000.00000004.00000001.sdmp	String found in binary or memory: https://www.countryflags.io/CH/flat/48.png
Source: Vape V4.exe, 00000000.00000002.342637238.000000001CE5C000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: Vape V4.exe	Binary or memory string: OriginalFilename vs Vape V4.exe
Source: Vape V4.exe, 00000000.00000002.339156818.0000000000E40000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Vape V4.exe
Source: Vape V4.exe, 00000000.00000002.339478353.0000000001070000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Vape V4.exe
Source: Vape V4.exe, 00000000.00000002.339674477.0000000002AD0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Vape V4.exe
Source: Vape V4.exe, 00000000.00000002.342763828.000000001D4A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Vape V4.exe

Source: Vape V4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal68.troj.spyw.evad.winEXE@2/6@3/3

Source: C:\Users\user\Desktop\Vape V4.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Vape V4.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:772:120:WilError_01

Source: C:\Users\user\Desktop\Vape V4.exe

File created: C:\Users\user\AppData\Local\Temp\cookies.db

Jump to behavior

Source: Vape V4.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Vape V4.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\Vape V4.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Vape V4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Vape V4.exe

Virustotal: Detection: 52%

Source: Vape V4.exe	String found in binary or memory: copy to : /\launcher_profiles.json5Minecraft Session Profiles-launcher_profiles.json'multipart/form-data
Source: Vape V4.exe	String found in binary or memory: #Minecraft SessionKUnable to find launcher_profiles.jsonE\.minecraft\launcher_accounts.json/\launcher_accounts.json-launcher_accounts.jsonKUnable to find launcher_accounts.json

Source: unknown	Process created: C:\Users\user\Desktop\Vape V4.exe 'C:\Users\user\Desktop\Vape V4.exe'
Source: C:\Users\user\Desktop\Vape V4.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Vape V4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Vape V4.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Vape V4.exe

Unpacked PE file: 0.2.Vape V4.exe.920000.0.unpack

Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Vape V4.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosInformation	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\Vape V4.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Vape V4.exe	Window / User API: threadDelayed 1063			Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Window / User API: threadDelayed 1144			Jump to behavior

Source: C:\Users\user\Desktop\Vape V4.exe TID: 2872	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe TID: 2872	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe TID: 2872	Thread sleep time: -99843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe TID: 2872	Thread sleep time: -99679s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe TID: 2872	Thread sleep time: -99557s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe TID: 2872	Thread sleep time: -99451s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe TID: 2872	Thread sleep time: -99336s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe TID: 2872	Thread sleep time: -99223s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe TID: 2872	Thread sleep time: -99106s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe TID: 2872	Thread sleep time: -98988s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe TID: 2872	Thread sleep time: -99899s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe TID: 4780	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe TID: 5812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Vape V4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Thread delayed: delay time: 99843	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Thread delayed: delay time: 99679	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Thread delayed: delay time: 99557	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Thread delayed: delay time: 99451	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Thread delayed: delay time: 99336	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Thread delayed: delay time: 99223	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Thread delayed: delay time: 99106	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Thread delayed: delay time: 98988	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Thread delayed: delay time: 99899	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Vape V4.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\	Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\a0f6e3585453700574fc42ba3653c021\System.Net.Http.ni.dll	Jump to behavior

Source: Vape V4.exe	Binary or memory string: SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S
Source: Vape V4.exe, 00000000.00000002.339717200.0000000002BF1000.00000004.00000001.sdmp	Binary or memory string: ISYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S
Source: Vape V4.exe, 00000000.00000002.339717200.0000000002BF1000.00000004.00000001.sdmp	Binary or memory string: KSYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev
Source: Vape V4.exe, 00000000.00000002.342763828.000000001D4A0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Vape V4.exe	Binary or memory string: vmware
Source: Vape V4.exe	Binary or memory string: virtualboxvboxqemu
Source: Vape V4.exe	Binary or memory string: SOFTWARE\VMWare, Inc.\VMWare Tools
Source: Vape V4.exe	Binary or memory string: SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev
Source: Vape V4.exe, 00000000.00000002.342763828.000000001D4A0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Vape V4.exe, 00000000.00000002.342763828.000000001D4A0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Vape V4.exe, 00000000.00000002.339717200.0000000002BF1000.00000004.00000001.sdmp	Binary or memory string: "SOFTWARE\VMWare, Inc.\VMWare Tools
Source: Vape V4.exe, 00000000.00000002.342495108.000000001CDD0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll..-E
Source: Vape V4.exe	Binary or memory string: SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdevkSYSTEM\CurrentControlSet\Control\VirtualDeviceDriversESOFTWARE\VMWare, Inc.\VMWare ToolsUSOFTWARE\Oracle\VirtualBox Guest Additions1HARDWARE\ACPI\DSDT\VBOX_SSYSTEM\ControlSet001\Services\Disk\Enum\0cHARDWARE\Description\System\SystemBiosInformationYHARDWARE\Description\System\VideoBiosVersion]HARDWARE\Description\System\SystemManufacturer[HARDWARE\Description\System\SystemProductName[HARDWARE\Description\System\Logical Unit Id 0
Source: Vape V4.exe, 00000000.00000002.342763828.000000001D4A0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Vape V4.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Vape V4.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Vape V4.exe	Queries volume information: C:\Users\user\Desktop\Vape V4.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Vape V4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Vape V4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\default\Cookies			Jump to behavior
Source: C:\Users\user\Desktop\Vape V4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\default\Login Data			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping1	Security Software Discovery11	Remote Services	Data from Local System1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion31	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Application Window Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Vape V4.exe	52%	Virustotal		Browse
Vape V4.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
discord.com	1%	Virustotal		Browse
ip4.seeip.org	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://ip4.seeip.org/	2%	Virustotal		Browse
https://ip4.seeip.org/	0%	Avira URL Cloud	safe
https://discord.com	1%	Virustotal		Browse
https://discord.com	0%	Avira URL Cloud	safe
https://www.countryflags.io/CH/flat/48.png	0%	Avira URL Cloud	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://ip4.seeip.org	0%	Avira URL Cloud	safe
http://discord.com	0%	Avira URL Cloud	safe
https://ip4.seeip.orgx	0%	Avira URL Cloud	safe
https://www.countryflags.io/	0%	Avira URL Cloud	safe
http://ip-api.comx	0%	Avira URL Cloud	safe
https://discord.com8	0%	Avira URL Cloud	safe
https://discord.comx	0%	Avira URL Cloud	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/05	0%	Avira URL Cloud	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
https://discord.com/api/webhooks/862771572149452831/hGF9A-X9hSG2aExNZSxudLpNfdOjsCsmApFTkce0kxTUQT30	0%	Avira URL Cloud	safe
http://ip4.seeip.org	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
discord.com	162.159.128.233	true	false	1%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	false		high
ip4.seeip.org	23.128.64.141	true	false	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com//json/185.189.150.70	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://discordapp.com/api/v8/users/	Vape V4.exe	false		high
https://ip4.seeip.org/	Vape V4.exe, 00000000.00000002.339888213.0000000002C6D000.00000004.00000001.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://discord.com	Vape V4.exe, 00000000.00000002.340016164.0000000002CCA000.00000004.00000001.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://i.imgur.com/vgxBhmx.pngultipart/form-data	Vape V4.exe, 00000000.00000002.340413623.0000000002E1D000.00000004.00000001.sdmp	false		high
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	Vape V4.exe, 00000000.00000002.340107974.0000000002D4D000.00000004.00000001.sdmp	false		high
https://www.countryflags.io/CH/flat/48.png	Vape V4.exe, 00000000.00000002.340016164.0000000002CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.letsencrypt.org0	Vape V4.exe, 00000000.00000002.342598455.000000001CE36000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://cdn.discordapp.com/attachments/862767080863825960/863108516360224798/cookies.txt	Vape V4.exe, 00000000.00000002.340413623.0000000002E1D000.00000004.00000001.sdmp, ConDrv.0.dr	false		high
https://media.discordapp.net/attachments/862767080863825960/863108517850644510/passwords.txt	Vape V4.exe, 00000000.00000002.340488506.0000000002E3A000.00000004.00000001.sdmp, ConDrv.0.dr	false		high
https://ip4.seeip.org	Vape V4.exe	false	Avira URL Cloud: safe	unknown
http://discord.com	Vape V4.exe, 00000000.00000002.340016164.0000000002CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ip4.seeip.orgx	Vape V4.exe, 00000000.00000002.339888213.0000000002C6D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.countryflags.io/	Vape V4.exe	false	Avira URL Cloud: safe	unknown
http://ip-api.comx	Vape V4.exe, 00000000.00000002.339941452.0000000002C8D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/862767080863825960/863108523587010580/Capture.jpg	Vape V4.exe, 00000000.00000002.340532085.0000000002E5C000.00000004.00000001.sdmp, ConDrv.0.dr	false		high
https://media.discordapp.net/attachments/862767080863825960/863108523587010580/Capture.jpg	Vape V4.exe, 00000000.00000002.340532085.0000000002E5C000.00000004.00000001.sdmp, ConDrv.0.dr	false		high
http://ip-api.com//json/	Vape V4.exe	false		high
https://cdn.discordapp.com/attachments/862767080863825960/863108517850644510/passwords.txt	Vape V4.exe, 00000000.00000002.340488506.0000000002E3A000.00000004.00000001.sdmp, ConDrv.0.dr	false		high
https://discord.com8	Vape V4.exe, 00000000.00000002.340413623.0000000002E1D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.comx	Vape V4.exe, 00000000.00000002.340016164.0000000002CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	Vape V4.exe, 00000000.00000002.342598455.000000001CE36000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://x1.i.lencr.org/0	Vape V4.exe, 00000000.00000002.342598455.000000001CE36000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://media.discordapp.net/attachments/862767080863825960/863108516360224798/cookies.txt	Vape V4.exe, 00000000.00000002.340413623.0000000002E1D000.00000004.00000001.sdmp, ConDrv.0.dr	false		high
http://r3.i.lencr.org/05	Vape V4.exe, 00000000.00000002.342598455.000000001CE36000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com	Vape V4.exe, 00000000.00000002.340002387.0000000002CBD000.00000004.00000001.sdmp	false		high
http://r3.o.lencr.org0	Vape V4.exe, 00000000.00000002.342598455.000000001CE36000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl	Vape V4.exe, 00000000.00000002.340107974.0000000002D4D000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/avatars/	Vape V4.exe	false		high
https://discord.com/api/webhooks/862771572149452831/hGF9A-X9hSG2aExNZSxudLpNfdOjsCsmApFTkce0kxTUQT30	Vape V4.exe	false	Avira URL Cloud: safe	unknown
https://i.imgur.com/vgxBhmx.png	Vape V4.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Vape V4.exe, 00000000.00000002.339888213.0000000002C6D000.00000004.00000001.sdmp	false		high
http://ip4.seeip.org	Vape V4.exe, 00000000.00000002.339941452.0000000002C8D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.root-x1.letsencrypt.org0	Vape V4.exe, 00000000.00000002.342598455.000000001CE36000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
162.159.128.233	discord.com	United States	13335	CLOUDFLARENETUS	false
23.128.64.141	ip4.seeip.org	United States	19969	JOESDATACENTERUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	446551
Start date:	09.07.2021
Start time:	19:24:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Vape V4.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.spyw.evad.winEXE@2/6@3/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 1 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 168.61.161.212, 52.255.188.83, 20.82.209.183, 23.0.174.185, 23.0.174.200, 20.82.210.154, 23.10.249.43, 23.10.249.26, 95.100.54.203, 40.112.88.60, 23.54.113.53 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:25:01	API Interceptor	11x Sleep call for process: Vape V4.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
208.95.112.1	zvM7vF0gd6.exe	Get hash	malicious	Browse	ip-api.com/json/
	EG6kkR6RPW.exe	Get hash	malicious	Browse	ip-api.com/json/
	9Tct4fRkpW.exe	Get hash	malicious	Browse	ip-api.com/json/
	SYGQZeQUTb.exe	Get hash	malicious	Browse	ip-api.com/line/?fields=hosting
	BIFL5JNPPt.exe	Get hash	malicious	Browse	ip-api.com/json
	2oxhsHaX3D.exe	Get hash	malicious	Browse	ip-api.com/json/
	iKcDLx5Wxc.exe	Get hash	malicious	Browse	ip-api.com/json/
	x7WwJ7u9u9.exe	Get hash	malicious	Browse	ip-api.com/json
	znbrr2k9QV.exe	Get hash	malicious	Browse	ip-api.com/json/
	Scan#1076 EFFICIENCY-EM.xlsx	Get hash	malicious	Browse	ip-api.com/json/
	BUw7Xd1D38.exe	Get hash	malicious	Browse	ip-api.com/json
	d4AbLPvG5R.exe	Get hash	malicious	Browse	ip-api.com/json
	TFfv4hD2jx.exe	Get hash	malicious	Browse	ip-api.com/json/
	1BhmQQkiR5BrTs5yBLUVwWjLMfQhv4xjUX.jar	Get hash	malicious	Browse	ip-api.com/json/
	fG9WW97ssF.exe	Get hash	malicious	Browse	ip-api.com/json/
	BcpljzRiWJ.exe	Get hash	malicious	Browse	ip-api.com/json/
	Mh2FzBrd3m.exe	Get hash	malicious	Browse	ip-api.com/json/
	3MIvJieGXT.exe	Get hash	malicious	Browse	ip-api.com/json/
	XqsSqSatDk.exe	Get hash	malicious	Browse	ip-api.com/line/
	oxlesp2DxT.exe	Get hash	malicious	Browse	ip-api.com/line/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ip-api.com	zvM7vF0gd6.exe	Get hash	malicious	Browse	208.95.112.1
	EG6kkR6RPW.exe	Get hash	malicious	Browse	208.95.112.1
	9Tct4fRkpW.exe	Get hash	malicious	Browse	208.95.112.1
	SYGQZeQUTb.exe	Get hash	malicious	Browse	208.95.112.1
	BIFL5JNPPt.exe	Get hash	malicious	Browse	208.95.112.1
	2oxhsHaX3D.exe	Get hash	malicious	Browse	208.95.112.1
	iKcDLx5Wxc.exe	Get hash	malicious	Browse	208.95.112.1
	x7WwJ7u9u9.exe	Get hash	malicious	Browse	208.95.112.1
	znbrr2k9QV.exe	Get hash	malicious	Browse	208.95.112.1
	Scan#1076 EFFICIENCY-EM.xlsx	Get hash	malicious	Browse	208.95.112.1
	BUw7Xd1D38.exe	Get hash	malicious	Browse	208.95.112.1
	d4AbLPvG5R.exe	Get hash	malicious	Browse	208.95.112.1
	TFfv4hD2jx.exe	Get hash	malicious	Browse	208.95.112.1
	1BhmQQkiR5BrTs5yBLUVwWjLMfQhv4xjUX.jar	Get hash	malicious	Browse	208.95.112.1
	fG9WW97ssF.exe	Get hash	malicious	Browse	208.95.112.1
	BcpljzRiWJ.exe	Get hash	malicious	Browse	208.95.112.1
	Mh2FzBrd3m.exe	Get hash	malicious	Browse	208.95.112.1
	3MIvJieGXT.exe	Get hash	malicious	Browse	208.95.112.1
	XqsSqSatDk.exe	Get hash	malicious	Browse	208.95.112.1
	oxlesp2DxT.exe	Get hash	malicious	Browse	208.95.112.1
discord.com	9Tct4fRkpW.exe	Get hash	malicious	Browse	162.159.135.232
	His4jRklYe.exe	Get hash	malicious	Browse	162.159.135.232
	pip install.yp.exe	Get hash	malicious	Browse	162.159.135.232
	1KpzPKGTTi.exe	Get hash	malicious	Browse	162.159.138.232
	ONIu4vsKdI.exe	Get hash	malicious	Browse	162.159.136.232
	xxxxxxxxxxxxxxxxxxx.exe	Get hash	malicious	Browse	162.159.138.232
	iJ4x3AKRUx.exe	Get hash	malicious	Browse	162.159.137.232
	SynapseXKeylessByPyroduo.exe	Get hash	malicious	Browse	162.159.136.232
	a8nAtkkusE.exe	Get hash	malicious	Browse	162.159.137.232
	meB11z1G06.exe	Get hash	malicious	Browse	162.159.135.232
	TOTOTOTO.exe	Get hash	malicious	Browse	162.159.128.233
	final(1).exe	Get hash	malicious	Browse	162.159.128.233
	AWKqBCVqZr.exe	Get hash	malicious	Browse	162.159.137.232
	r0Kqo0SlWF.exe	Get hash	malicious	Browse	162.159.138.232
	b4NByUUZ52.exe	Get hash	malicious	Browse	162.159.138.232
	bbbbbbbbbbbbbbbbbbbbbbbbb.exe	Get hash	malicious	Browse	162.159.135.232
	TrueKey.exe	Get hash	malicious	Browse	162.159.137.232
	N7ECQG6IZu.exe	Get hash	malicious	Browse	162.159.137.232
	Nitro_Gen.exe	Get hash	malicious	Browse	162.159.136.232
	HexenmeisterTSC.exe	Get hash	malicious	Browse	162.159.135.232

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TUT-ASUS	zvM7vF0gd6.exe	Get hash	malicious	Browse	208.95.112.1
	EG6kkR6RPW.exe	Get hash	malicious	Browse	208.95.112.1
	9Tct4fRkpW.exe	Get hash	malicious	Browse	208.95.112.1
	SYGQZeQUTb.exe	Get hash	malicious	Browse	208.95.112.1
	sVNlda4j6a.exe	Get hash	malicious	Browse	208.95.112.1
	BIFL5JNPPt.exe	Get hash	malicious	Browse	208.95.112.1
	2oxhsHaX3D.exe	Get hash	malicious	Browse	208.95.112.1
	iKcDLx5Wxc.exe	Get hash	malicious	Browse	208.95.112.1
	x7WwJ7u9u9.exe	Get hash	malicious	Browse	208.95.112.1
	znbrr2k9QV.exe	Get hash	malicious	Browse	208.95.112.1
	Scan#1076 EFFICIENCY-EM.xlsx	Get hash	malicious	Browse	208.95.112.1
	BUw7Xd1D38.exe	Get hash	malicious	Browse	208.95.112.1
	d4AbLPvG5R.exe	Get hash	malicious	Browse	208.95.112.1
	TFfv4hD2jx.exe	Get hash	malicious	Browse	208.95.112.1
	1BhmQQkiR5BrTs5yBLUVwWjLMfQhv4xjUX.jar	Get hash	malicious	Browse	208.95.112.1
	fG9WW97ssF.exe	Get hash	malicious	Browse	208.95.112.1
	BcpljzRiWJ.exe	Get hash	malicious	Browse	208.95.112.1
	Mh2FzBrd3m.exe	Get hash	malicious	Browse	208.95.112.1
	cUoZ2F2qac.exe	Get hash	malicious	Browse	208.95.112.1
	3MIvJieGXT.exe	Get hash	malicious	Browse	208.95.112.1
CLOUDFLARENETUS	6VDnJQYcuY.exe	Get hash	malicious	Browse	172.67.168.51
	CYBER-HUNTER_117726950.exe	Get hash	malicious	Browse	104.21.22.57
	SecuriteInfo.com.Trojan.PackedNET.904.30285.exe	Get hash	malicious	Browse	172.67.188.154
	0aSH9KLHMG.dll	Get hash	malicious	Browse	172.67.70.134
	0aSH9KLHMG.dll	Get hash	malicious	Browse	104.20.185.68
	Doc-67789845678765670987655.exe	Get hash	malicious	Browse	104.21.19.200
	Doc-67789845678765670987654.exe	Get hash	malicious	Browse	104.21.19.200
	zvM7vF0gd6.exe	Get hash	malicious	Browse	104.21.51.99
	EG6kkR6RPW.exe	Get hash	malicious	Browse	104.21.51.99
	#Ud83d#UdcccAxactor PayStub For Vibeke.ly DATE July 09, 2021.html	Get hash	malicious	Browse	104.16.19.94
	OD4mSunyeX.exe	Get hash	malicious	Browse	172.67.188.154
	ySBEWsGsWH.exe	Get hash	malicious	Browse	172.67.188.154
	6171557.docm	Get hash	malicious	Browse	172.67.157.219
	6171557.docm	Get hash	malicious	Browse	172.67.157.219
	6171557.docm	Get hash	malicious	Browse	104.21.14.53
	ZCI8lXL6ev.exe	Get hash	malicious	Browse	162.159.134.233
	nwb3cLgAGP.exe	Get hash	malicious	Browse	172.67.188.154
	ZCI8lXL6ev.exe	Get hash	malicious	Browse	162.159.130.233
	Beneficiary_Details.exe	Get hash	malicious	Browse	162.159.135.233
	OUTSTANDING SOA.xlsx	Get hash	malicious	Browse	172.67.168.51

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	SecuriteInfo.com.Trojan.PackedNET.904.30285.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	Doc-67789845678765670987655.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	Doc-67789845678765670987654.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	zvM7vF0gd6.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	EG6kkR6RPW.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	OD4mSunyeX.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	ySBEWsGsWH.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	ET2BY1pvkJ.ppam	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	nwb3cLgAGP.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	02_extracted.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	01_extracted.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	NjlfrEwsvN.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	MnqyIt1ujX.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	Zj9KGWVwFu.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	xUcF2jpqd2.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	l9N3oZgLk0.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	IPHfCcKmDU.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	scqrIIv3pq.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	2oxhsHaX3D.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233
	iKcDLx5Wxc.exe	Get hash	malicious	Browse	23.128.64.141 162.159.128.233

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Vape V4.exe.log Download File
Process:	C:\Users\user\Desktop\Vape V4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1582
Entropy (8bit):	5.369752020370825
Encrypted:	false
SSDEEP:	48:MxHKEYHKGD8AowHiX1qHGiD0HKeGitHTG1hAHKKPzJHj:iqEYqGgAow2wmI0qertzG1eqKPFD
MD5:	9FFF7B43DB1DC3B5D9903CB9FBFF04CE
SHA1:	18EF5B056BB1CCF7159FE353D9C170F546022ED0
SHA-256:	869546CAE1F50F3681056EAD4883DFB72CA86FFFFAC46CF33A60A6DEF3CD8D7F
SHA-512:	260B1A10D6439E70401601E1D1BAC12D25068C17BA6DED8A68C21C6B165C4058B945B35D37336AE221AB795C02D59C2D3034282C2A0A62450A33FECEBB91044A
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\a0f6e3585453700574fc42ba3653c021\System.Net.Http.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.F

C:\Users\user\AppData\Local\Temp\Capture.jpg Download File
Process:	C:\Users\user\Desktop\Vape V4.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	212111
Entropy (8bit):	7.956172027984521
Encrypted:	false
SSDEEP:	3072:h/Y7kJs5+8hRmT15miXMG3O2LrNs3W0Id/XhwkFajTw9l148dnt0vwAegk/UQD6R:NYQs9hGqGt+I9Xdb9zzdt4wA2bD4
MD5:	AB8A7C22169DAFCD569AA21B0654762C
SHA1:	F8053C222A1F8C084172088FABF8B3773EBF276E
SHA-256:	5665C4B888B03436E321C0AA067ADDAE86AE591BB8B49D5C85B3C9512A87D329
SHA-512:	1FA7D3AB62106D265D19002798A1C21A353EFE1E49C369A7BFFC6EDCE5C4D0B9CDAFF3C5486DA9741F2E3E4C627E6A64C3BFD08C955D499B520CB89C21F5014B
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.A.:.....X.l..1lN23....._....m.....'.........S.. ..W....'.c....1....5.5.}j.Ly..k;.\...q.U..Q...bgJpW.(QKI]&b.QE.&(..Y.)....\..._.\|.'..wy.....h..S'.8.gc.k...S~.............?.M....?.7?...Y.x.{&\|.E{....B.......~..

C:\Users\user\AppData\Local\Temp\cookies.db Download File
Process:	C:\Users\user\Desktop\Vape V4.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cookies.txt Download File
Process:	C:\Users\user\Desktop\Vape V4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	431
Entropy (8bit):	5.465936932010724
Encrypted:	false
SSDEEP:	6:LGdfLYMoX51TbDgivd4YMrd71DLE7XGsTQ4DKNgj+YJYcXzzUa+IEXdfE9AxSVte:LbMop1Tt4YYd7JL8h3UYW8+IEWicten
MD5:	AFA44A5AE8CBCD85869E13D18260F745
SHA1:	194C260EE38FF9A9E90409CD8FBF8D52B41A1C1F
SHA-256:	5C565CF222CB52159F0D3EBDC84D965AF1A1C88BD6E7917AA4D4720A99E9C212
SHA-512:	22748932DFF21B9059AFC0667D6C51F98F1611670FB22C866200F6E8E10DEB3820C7745A67A76DD77266936235FD68CA55EF93C940E4C8361EA47265C088629E
Malicious:	false
Reputation:	low
Preview:	---------------- mercurial grabber ----------------..value: 204=XlJ-cT9Xg8DDNcFChe-nUGbxxEez8DRPGzgzUdZjP1JdN2YiNhfyRKFYdvFacUiguPGJxNZQxNzSiNVBcKqtq4ja7gbbvS3qQExvrcATH8SyD8dfy7IhIXh65vwy9wvzcYGB8MPR2c8HHGKEWDbc9DczP4qY4Ggc7D8ZFucZfEc..hostKey: .google.com..name: NID..expires: 4/1/2021 8:22:32 AM..---------------- mercurial grabber ----------------..value: Error in deryption..hostKey: ..name: ..expires: 12/31/1600 4:00:00 PM..

C:\Users\user\AppData\Local\Temp\login.db Download File
Process:	C:\Users\user\Desktop\Vape V4.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Users\user\Desktop\Vape V4.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	3337
Entropy (8bit):	5.244635250774858
Encrypted:	false
SSDEEP:	96:IYcbaTYb6SALS33tQ5TYP6lLW3SGOTYe6eLcG:IY3Yb4O3IYP6a3mYehwG
MD5:	21CAF02DB06DBFA7F1A98EFA3064BAC6
SHA1:	1D6BF079668FB96F98F97967A0CC32580BE04C7A
SHA-256:	9BC3F4969DC9D01BC122BD2C05EC33AA53B1D6079DD6A08AB16FBCE2A58AE935
SHA-512:	0CDB67B77FEF20CF3D30CEC22841CC6A11597DB2361B372BE6596B2BD337362497ED033A8593C33360C7C7024F4BCD96BDA59CD4CA15BD93D75585835441142C
Malicious:	false
Reputation:	low
Preview:	{"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8000","lat":47.3878,"lon":8.52029,"timezone":"Europe/Zurich","isp":"Datasource AG","org":"Cyberghost","as":"AS51395 Datasource AG","query":"185.189.150.70"}..Located: C:\Users\user\AppData\Local\Google\Chrome\User Data\default\Cookies..Response: {"id": "863108516511875082", "type": 0, "content": "", "channel_id": "862767080863825960", "author": {"bot": true, "id": "862771572149452831", "username": "Mercurial Grabber", "avatar": "7f65ce71f79129b3931cdf30d0e43798", "discriminator": "0000"}, "attachments": [{"id": "863108516360224798", "filename": "cookies.txt", "size": 431, "url": "https://cdn.discordapp.com/attachments/862767080863825960/863108516360224798/cookies.txt", "proxy_url": "https://media.discordapp.net/attachments/862767080863825960/863108516360224798/cookies.txt", "content_type": "text/plain; charset=utf-8"}], "embeds": [], "mentions": [], "mention_rol

Static File Info

General
File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.3542774696171405
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Vape V4.exe
File size:	43008
MD5:	919b60c62ed64aa128f5a73f4c1a4b4f
SHA1:	23178189e308ca9e814caa2cad4ddf472e726b3f
SHA256:	050e1b254473b7bbb2214fe09aa93f2dc01793331106edb7f03fc834ca0a6b17
SHA512:	37941898baa7353e63b0934d80a931746bdfe5219e2972eec6dc6c05057ec420489331cf8313be21df69bb8e0f3f8a58279c27d458d241ba225e169e027d0817
SSDEEP:	384:vny5zjRKd2HeCw+1E0KQxsHER/OKPmNGTf2s/XZxIh/9oJEFq5nmrTTAs6KQsLdW:4LYERmKeNGSuZbLmTTj6KZKfgm3EhG3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..`................................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40bc2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60E80C2A [Fri Jul 9 08:43:22 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbbd8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9c34	0x9e00	False	0.444892207278	data	5.46359604342	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x4d8	0x600	False	0.372395833333	data	3.70920124326	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc0a0	0x244	data
RT_MANIFEST	0xc2e8	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	0.0.0.0
InternalName	Vape V4.exe
FileVersion	0.0.0.0
ProductVersion	0.0.0.0
FileDescription
OriginalFilename	Vape V4.exe

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 133
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 9, 2021 19:25:02.561052084 CEST	49712	443	192.168.2.6	23.128.64.141
Jul 9, 2021 19:25:02.684261084 CEST	443	49712	23.128.64.141	192.168.2.6
Jul 9, 2021 19:25:02.684377909 CEST	49712	443	192.168.2.6	23.128.64.141
Jul 9, 2021 19:25:02.740008116 CEST	49712	443	192.168.2.6	23.128.64.141
Jul 9, 2021 19:25:02.863811970 CEST	443	49712	23.128.64.141	192.168.2.6
Jul 9, 2021 19:25:02.863851070 CEST	443	49712	23.128.64.141	192.168.2.6
Jul 9, 2021 19:25:02.863873959 CEST	443	49712	23.128.64.141	192.168.2.6
Jul 9, 2021 19:25:02.863894939 CEST	443	49712	23.128.64.141	192.168.2.6
Jul 9, 2021 19:25:02.863909960 CEST	443	49712	23.128.64.141	192.168.2.6
Jul 9, 2021 19:25:02.863934994 CEST	49712	443	192.168.2.6	23.128.64.141
Jul 9, 2021 19:25:02.864114046 CEST	49712	443	192.168.2.6	23.128.64.141
Jul 9, 2021 19:25:02.865175009 CEST	443	49712	23.128.64.141	192.168.2.6
Jul 9, 2021 19:25:02.871491909 CEST	49712	443	192.168.2.6	23.128.64.141
Jul 9, 2021 19:25:02.995518923 CEST	443	49712	23.128.64.141	192.168.2.6
Jul 9, 2021 19:25:03.039762974 CEST	49712	443	192.168.2.6	23.128.64.141
Jul 9, 2021 19:25:03.050333023 CEST	49712	443	192.168.2.6	23.128.64.141
Jul 9, 2021 19:25:03.176127911 CEST	443	49712	23.128.64.141	192.168.2.6
Jul 9, 2021 19:25:03.219772100 CEST	49712	443	192.168.2.6	23.128.64.141
Jul 9, 2021 19:25:03.227499962 CEST	49712	443	192.168.2.6	23.128.64.141
Jul 9, 2021 19:25:03.351440907 CEST	443	49712	23.128.64.141	192.168.2.6
Jul 9, 2021 19:25:03.352446079 CEST	49712	443	192.168.2.6	23.128.64.141
Jul 9, 2021 19:25:03.368433952 CEST	49714	80	192.168.2.6	208.95.112.1
Jul 9, 2021 19:25:03.396014929 CEST	80	49714	208.95.112.1	192.168.2.6
Jul 9, 2021 19:25:03.396274090 CEST	49714	80	192.168.2.6	208.95.112.1
Jul 9, 2021 19:25:03.396841049 CEST	49714	80	192.168.2.6	208.95.112.1
Jul 9, 2021 19:25:03.423532963 CEST	80	49714	208.95.112.1	192.168.2.6
Jul 9, 2021 19:25:03.460674047 CEST	49714	80	192.168.2.6	208.95.112.1
Jul 9, 2021 19:25:03.487591982 CEST	80	49714	208.95.112.1	192.168.2.6
Jul 9, 2021 19:25:03.489665985 CEST	49714	80	192.168.2.6	208.95.112.1
Jul 9, 2021 19:25:03.539310932 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:03.556210995 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:03.559416056 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:03.566281080 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:03.583726883 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:03.585350037 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:03.585386992 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:03.585400105 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:03.585486889 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:03.593669891 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:03.610531092 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:03.610562086 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:03.626197100 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:03.642477036 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:03.643213987 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:03.649705887 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:03.706007957 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:03.825871944 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:03.879676104 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:05.951941013 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:05.967780113 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:05.968844891 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:05.971251011 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:05.989128113 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.203313112 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.203330994 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.203341007 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.203347921 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.203568935 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:06.289083004 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:06.305310011 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.306015015 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.309376955 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:06.325458050 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.599318027 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.599354029 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.599519968 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.599541903 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.599642992 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:06.599728107 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:06.628320932 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:06.645924091 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.646296024 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.646780014 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:06.706065893 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.838421106 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.840531111 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:06.858418941 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.858825922 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:06.859658003 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:06.877651930 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.060638905 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.105449915 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.205230951 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.224030972 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.226008892 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.226644993 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.226751089 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.245843887 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.245887995 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.245913982 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.245937109 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.245961905 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.246021032 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.246037006 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.246412039 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.246447086 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.246474981 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.246484041 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.246498108 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.246514082 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.246524096 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.246535063 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.246556997 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.246587038 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.246634007 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.246659994 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.246694088 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.246695995 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.246721983 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.246726990 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.246745110 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.246758938 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.246786118 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.246824980 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.265095949 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.265217066 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.265254021 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.265352011 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.265371084 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.265388966 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.265408039 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.265427113 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.265444994 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.265516043 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.265542030 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.265557051 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.265568972 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.265579939 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.265805006 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.266005039 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.266098022 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.266114950 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.266129971 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.266148090 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.266170979 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.266191959 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.266210079 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.266230106 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.266248941 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.266354084 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.266376972 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.266397953 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.266410112 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.266418934 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.266762972 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.266841888 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.266891003 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.267004967 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.267024994 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.267031908 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.267180920 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.267199993 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.267215967 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.267237902 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.267256975 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.267275095 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.267433882 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.267467022 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.267484903 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.267497063 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.267505884 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283143997 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283193111 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283216000 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283247948 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283256054 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283281088 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283308983 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283341885 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283343077 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283370972 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283394098 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283396006 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283415079 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283443928 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283453941 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283463955 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283472061 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283483982 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283492088 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283632040 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283747911 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283762932 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283792973 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283816099 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283843994 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283849955 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283854961 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283883095 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.283886909 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283921957 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.283956051 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.284069061 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284100056 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284126997 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284157991 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.284169912 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.284184933 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.284267902 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284436941 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284466028 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284490108 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284509897 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284532070 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.284537077 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284564972 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.284568071 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284595966 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.284596920 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284637928 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284662008 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.284668922 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284693003 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.284698963 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284702063 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.284725904 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.284729958 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284735918 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.284766912 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.284809113 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.284908056 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284936905 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284961939 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.284996033 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.285053015 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285082102 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285099030 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:07.285106897 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285128117 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285147905 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285168886 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285187960 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285207987 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285449982 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285471916 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285490990 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285517931 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285541058 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285598993 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285667896 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285689116 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285707951 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.285969973 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.286065102 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.286094904 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.299856901 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.303967953 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304697037 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304747105 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304776907 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304805040 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304815054 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304828882 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304842949 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304856062 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304866076 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304879904 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304893970 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304907084 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304920912 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304935932 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304953098 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304966927 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304980040 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.304994106 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305007935 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305021048 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305035114 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305047989 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305064917 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305078983 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305092096 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305104971 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305119038 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305131912 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305145979 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305159092 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305176020 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305191040 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305203915 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305217028 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305231094 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305243969 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305269003 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305278063 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305291891 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305305958 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305319071 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305332899 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305346012 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305362940 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305377960 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305389881 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305403948 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305417061 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305429935 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305444002 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305457115 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305474043 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305489063 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305501938 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305515051 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305527925 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305541039 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305551052 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305563927 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305573940 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305587053 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305603981 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305618048 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:07.305630922 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:08.027250051 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:08.027285099 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:08.027313948 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:08.027338028 CEST	443	49715	162.159.128.233	192.168.2.6
Jul 9, 2021 19:25:08.027390957 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:08.027437925 CEST	49715	443	192.168.2.6	162.159.128.233
Jul 9, 2021 19:25:08.280359983 CEST	49715	443	192.168.2.6	162.159.128.233

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 9, 2021 19:24:52.936220884 CEST	63791	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:24:52.949930906 CEST	53	63791	8.8.8.8	192.168.2.6
Jul 9, 2021 19:24:53.727891922 CEST	64267	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:24:53.741708994 CEST	53	64267	8.8.8.8	192.168.2.6
Jul 9, 2021 19:24:54.489764929 CEST	49448	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:24:54.502562046 CEST	53	49448	8.8.8.8	192.168.2.6
Jul 9, 2021 19:24:55.232995033 CEST	60342	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:24:55.247448921 CEST	53	60342	8.8.8.8	192.168.2.6
Jul 9, 2021 19:24:55.886100054 CEST	61346	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:24:55.901616096 CEST	53	61346	8.8.8.8	192.168.2.6
Jul 9, 2021 19:24:56.688746929 CEST	51774	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:24:56.702425003 CEST	53	51774	8.8.8.8	192.168.2.6
Jul 9, 2021 19:24:57.484091043 CEST	56023	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:24:57.497948885 CEST	53	56023	8.8.8.8	192.168.2.6
Jul 9, 2021 19:24:58.307097912 CEST	58384	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:24:58.320617914 CEST	53	58384	8.8.8.8	192.168.2.6
Jul 9, 2021 19:24:59.303148031 CEST	60261	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:24:59.317183018 CEST	53	60261	8.8.8.8	192.168.2.6
Jul 9, 2021 19:25:00.078450918 CEST	56061	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:25:00.092591047 CEST	53	56061	8.8.8.8	192.168.2.6
Jul 9, 2021 19:25:00.986610889 CEST	58336	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:25:01.000437975 CEST	53	58336	8.8.8.8	192.168.2.6
Jul 9, 2021 19:25:02.509704113 CEST	53781	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:25:02.524072886 CEST	53	53781	8.8.8.8	192.168.2.6
Jul 9, 2021 19:25:02.796020031 CEST	54064	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:25:02.811594009 CEST	53	54064	8.8.8.8	192.168.2.6
Jul 9, 2021 19:25:03.351845980 CEST	52811	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:25:03.366581917 CEST	53	52811	8.8.8.8	192.168.2.6
Jul 9, 2021 19:25:03.524832964 CEST	55299	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:25:03.537906885 CEST	53	55299	8.8.8.8	192.168.2.6
Jul 9, 2021 19:25:03.684902906 CEST	63745	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:25:03.697699070 CEST	53	63745	8.8.8.8	192.168.2.6
Jul 9, 2021 19:25:04.843640089 CEST	50055	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:25:04.857059002 CEST	53	50055	8.8.8.8	192.168.2.6
Jul 9, 2021 19:25:05.659910917 CEST	61374	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:25:05.673516989 CEST	53	61374	8.8.8.8	192.168.2.6
Jul 9, 2021 19:25:07.248693943 CEST	50339	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:25:07.265064001 CEST	53	50339	8.8.8.8	192.168.2.6
Jul 9, 2021 19:25:07.881084919 CEST	63307	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:25:07.896157026 CEST	53	63307	8.8.8.8	192.168.2.6
Jul 9, 2021 19:25:20.420176983 CEST	49694	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:25:20.449729919 CEST	53	49694	8.8.8.8	192.168.2.6
Jul 9, 2021 19:25:47.134210110 CEST	54982	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:25:47.155143976 CEST	53	54982	8.8.8.8	192.168.2.6
Jul 9, 2021 19:25:55.815299034 CEST	50010	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:25:55.842422009 CEST	53	50010	8.8.8.8	192.168.2.6
Jul 9, 2021 19:26:00.112988949 CEST	63718	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:26:00.134358883 CEST	53	63718	8.8.8.8	192.168.2.6
Jul 9, 2021 19:26:31.856575012 CEST	62116	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:26:31.886666059 CEST	53	62116	8.8.8.8	192.168.2.6
Jul 9, 2021 19:26:33.929318905 CEST	63816	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:26:33.953511000 CEST	53	63816	8.8.8.8	192.168.2.6
Jul 9, 2021 19:26:38.721499920 CEST	55014	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:26:38.755532980 CEST	53	55014	8.8.8.8	192.168.2.6
Jul 9, 2021 19:26:41.494452953 CEST	62208	53	192.168.2.6	8.8.8.8
Jul 9, 2021 19:26:41.512568951 CEST	53	62208	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 9, 2021 19:25:02.509704113 CEST	192.168.2.6	8.8.8.8	0x5356	Standard query (0)	ip4.seeip.org	A (IP address)	IN (0x0001)
Jul 9, 2021 19:25:03.351845980 CEST	192.168.2.6	8.8.8.8	0x2494	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)
Jul 9, 2021 19:25:03.524832964 CEST	192.168.2.6	8.8.8.8	0xb464	Standard query (0)	discord.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jul 9, 2021 19:25:02.524072886 CEST	8.8.8.8	192.168.2.6	0x5356	No error (0)	ip4.seeip.org	23.128.64.141	A (IP address)	IN (0x0001)
Jul 9, 2021 19:25:03.366581917 CEST	8.8.8.8	192.168.2.6	0x2494	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)
Jul 9, 2021 19:25:03.537906885 CEST	8.8.8.8	192.168.2.6	0xb464	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)
Jul 9, 2021 19:25:03.537906885 CEST	8.8.8.8	192.168.2.6	0xb464	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)
Jul 9, 2021 19:25:03.537906885 CEST	8.8.8.8	192.168.2.6	0xb464	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)
Jul 9, 2021 19:25:03.537906885 CEST	8.8.8.8	192.168.2.6	0xb464	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)
Jul 9, 2021 19:25:03.537906885 CEST	8.8.8.8	192.168.2.6	0xb464	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49714	208.95.112.1	80	C:\Users\user\Desktop\Vape V4.exe

Timestamp	kBytes transferred	Direction	Data
Jul 9, 2021 19:25:03.396841049 CEST	173	OUT	GET //json/185.189.150.70 HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 9, 2021 19:25:03.423532963 CEST	177	IN	HTTP/1.1 200 OK Date: Fri, 09 Jul 2021 17:25:03 GMT Content-Type: application/json; charset=utf-8 Content-Length: 278 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 48 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 72 69 63 68 22 2c 22 63 69 74 79 22 3a 22 5a 75 72 69 63 68 22 2c 22 7a 69 70 22 3a 22 38 30 30 30 22 2c 22 6c 61 74 22 3a 34 37 2e 33 38 37 38 2c 22 6c 6f 6e 22 3a 38 2e 35 32 30 32 39 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 73 6f 75 72 63 65 20 41 47 22 2c 22 6f 72 67 22 3a 22 43 79 62 65 72 67 68 6f 73 74 22 2c 22 61 73 22 3a 22 41 53 35 31 33 39 35 20 44 61 74 61 73 6f 75 72 63 65 20 41 47 22 2c 22 71 75 65 72 79 22 3a 22 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 22 7d Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8000","lat":47.3878,"lon":8.52029,"timezone":"Europe/Zurich","isp":"Datasource AG","org":"Cyberghost","as":"AS51395 Datasource AG","query":"185.189.150.70"}

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jul 9, 2021 19:25:02.865175009 CEST	23.128.64.141	443	192.168.2.6	49712	CN=ip.seeip.org CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jun 30 13:06:31 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Tue Sep 28 13:06:30 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024
Jul 9, 2021 19:25:03.585400105 CEST	162.159.128.233	443	192.168.2.6	49715	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Jan 19 01:00:00 CET 2021 Mon Jan 27 13:46:39 CET 2020	Wed Jan 19 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Jul 9, 2021 19:25:03.585400105 CEST	162.159.128.233	443	192.168.2.6	49715	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad

Code Manipulations

Statistics

CPU Usage

• Vape V4.exe
• conhost.exe

Click to jump to process

Memory Usage

• Vape V4.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• Vape V4.exe
• conhost.exe

Click to jump to process

System Behavior

Analysis Process: Vape V4.exe PID: 3588 Parent PID: 5948

Function Logs

General

Start time:	19:25:00
Start date:	09/07/2021
Path:	C:\Users\user\Desktop\Vape V4.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\Vape V4.exe'
Imagebase:	0x920000
File size:	43008 bytes
MD5 hash:	919B60C62ED64AA128F5A73F4C1A4B4F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Network Activities

Socket bound

Socket connected

Show Windows behavior

Process Token Activities

Token Adjusted

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: conhost.exe PID: 772 Parent PID: 3588

Function Logs

General

Start time:	19:25:00
Start date:	09/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Show Windows behavior

Memory Activities

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Vape V4.exe PID: 3588 Parent PID: 5948 Vape V4.exeCOMMON

Executed Functions

Function 00007FFD03DB55FE, Relevance: 1.7, APIs: 1, Instructions: 228encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 00007FFD03DB5783

Memory Dump Source

Source File: 00000000.00000002.343473859.00007FFD03DB0000.00000040.00000001.sdmp, Offset: 00007FFD03DB0000, based on PE: false

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: cf0beccd49902b36fb9a26a4185e88992ad2102ae2cdb366b436c3ee54633f7e
Instruction ID: be70596a6580161cc83236386a6c9a0e3841307f3a4a74e2916c98deba814c5e
Opcode Fuzzy Hash: cf0beccd49902b36fb9a26a4185e88992ad2102ae2cdb366b436c3ee54633f7e
Instruction Fuzzy Hash: EE512C71A1CA489FEB54EB5C98156B97BE1EF5A311F00017EE44DD3293DE24AC418792

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Vape V4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage